
U.S. National Guard's network was unlawfully taken over by Chinese cybercriminals, known as 'Salt Typhoon,' for almost a year.

China's Salt Typhoon infiltrated a US Army National Guard network and stole data over ten months, including maps, network information and troop details, in a significant hacking incident.

Unknown Chinese Hackers, Known as 'Salt Typhoon', Illegally Gained Access to US National Guard System for Almost a Year


In a significant cybersecurity breach, Chinese state-sponsored hackers known as Salt Typhoon infiltrated and maintained persistent access to a U.S. state's Army National Guard network for almost ten months, from March 2024 through December 2024.

The hacking group, linked to China’s Ministry of State Security, has been recognised as a premier Advanced Persistent Threat (APT) group, renowned for its systematic targeting of telecommunications infrastructure and government networks.

Salt Typhoon's persistence tactics show a sophisticated understanding of network architecture and security protocols. They exploit known vulnerabilities in widely used network equipment, particularly from vendors like Cisco and Palo Alto, to breach and maintain footholds in critical infrastructure systems.

Once inside, the group exfiltrates administrator credentials and detailed network diagrams, enabling it to move laterally within networks undetected for long periods and to keep persistent control over compromised systems. The group also reaches into connected cybersecurity systems: National Guard networks are closely linked to state fusion centers, which are responsible for sharing threat intelligence, including cyber threat intelligence.

The group aims to remain undetected for extended durations to position themselves for potential disruptive or destructive cyberattacks during crises or conflicts. These tactics make detection of Salt Typhoon’s malicious activities exceptionally challenging for traditional security monitoring systems.
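The passage above describes the defender's core problem: stolen administrator credentials used quietly for lateral movement over many months. One detection that works against exactly that pattern is to watch for a single account authenticating to an unusual number of distinct hosts in a short window, and for account-to-host pairs that have never been seen before. The following Python script is an added illustration, not code from the article or from any of the agencies it names; the log format, hostnames, account names and thresholds are all constructed for the example.

```python
"""Flag possible lateral movement with stolen admin credentials.

Two simple heuristics over successful authentication events:
  1. fan-out: one account reaches >= THRESHOLD distinct targets within WINDOW
  2. first-seen: an (account, target) pair absent from a known-good baseline
Log format, hosts and accounts below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <account> <source host> <target host> <result>
SAMPLE_LOG = """\
2024-03-02T01:12:04Z svc_backup edge-fw-01 fileserver-03 success
2024-03-02T01:15:31Z svc_backup edge-fw-01 dc-01 success
2024-03-02T01:16:02Z svc_backup edge-fw-01 hr-db-02 success
2024-03-02T01:18:45Z svc_backup edge-fw-01 mapsrv-07 success
2024-03-02T09:30:00Z jdoe ws-114 fileserver-03 success
2024-03-03T09:31:10Z jdoe ws-114 fileserver-03 success
2024-03-02T02:40:00Z admin_net edge-fw-01 core-sw-01 failure
"""

# Constructed baseline of (account, target) pairs seen during normal operation.
BASELINE_PAIRS = {("jdoe", "fileserver-03"), ("svc_backup", "fileserver-03")}


def parse_auth_log(text):
    """Parse the whitespace-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst, "result": result,
        })
    return events


def fanout_alerts(events, window=timedelta(hours=1), threshold=3):
    """Return {account: set(targets)} for accounts that successfully reached
    at least `threshold` distinct targets within any `window`-long span."""
    by_account = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.setdefault(account, set()).update(targets)
    return alerts


def new_pair_alerts(events, baseline=BASELINE_PAIRS):
    """Return sorted (account, target) pairs with a successful login that are
    not in the baseline; a quiet attacker with valid credentials still
    produces first-seen pairs even when no single login looks abnormal."""
    seen = {(e["account"], e["dst"]) for e in events if e["result"] == "success"}
    return sorted(seen - baseline)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for account, targets in fanout_alerts(evs).items():
        print(f"fan-out: {account} -> {sorted(targets)}")
    for account, dst in new_pair_alerts(evs):
        print(f"first-seen pair: {account} -> {dst}")
```

On the constructed data the service account `svc_backup` trips both rules (four distinct targets within seven minutes, three of them never seen before), while the ordinary user `jdoe` and the failed `admin_net` attempt do not. In practice the baseline would be built from weeks of historical logs, and the fan-out threshold tuned per account class, since legitimate automation accounts also touch many hosts.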

The breach's impact on the National Guard's collaboration with local governments and law enforcement agencies is not detailed in the DHS report. However, National Guard units in 14 states collaborate with law enforcement "fusion centers" for intelligence sharing, potentially multiplying the breach's impact across multiple jurisdictions.

The exfiltrated data could facilitate future attacks against other National Guard units and state-level cybersecurity partners. The DHS report does not discuss any potential future attacks against other entities. Federal agencies such as the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI recognise Salt Typhoon as a significant national security threat and are actively working on mitigation and disruption efforts.

However, the details of the breach's mitigation and the steps taken to secure National Guard networks against future attacks from Salt Typhoon are not provided in the DHS report. The cyberespionage campaign represents a significant escalation in Beijing's ongoing cyber operations against American military infrastructure.

  1. The cyberespionage campaign conducted by Salt Typhoon, a premier Advanced Persistent Threat (APT) group connected to China's Ministry of State Security, has raised concerns across cybersecurity, technology, politics and general news, as it demonstrates an advanced grasp of network architecture and security protocols and the exploitation of vulnerabilities in commonly used network equipment.
  2. The persistent control Salt Typhoon exerted over compromised systems, such as those in the National Guard networks, also has implications for crime and justice, since such infiltration can compromise threat intelligence sharing and facilitate future attacks against other National Guard units and state-level cybersecurity partners.
