Salt Typhoon Chinese State-Sponsored Hackers Dwelled in an Army National Guard System for Nine Months

July 23, 2025



Obtained by reporters via a FOIA request, a Department of Homeland Security (DHS) memo has revealed that Chinese state-sponsored hackers were able to penetrate the Army National Guard network and dwell for most of 2024.

While it is not surprising that the “Salt Typhoon” group was involved in yet another high-profile compromise of this sort, it does raise questions about how one of the “noisier” of the groups of state-sponsored hackers was able to go undetected in what should be a high-security system for so long. During its run the group was exfiltrating maps and information about military personnel, as well as intercepting communications with other National Guard systems throughout the country.

Still no complete picture of the scope of Salt Typhoon’s attacks

The news adds to Salt Typhoon’s resume of major security breaches that played out mostly throughout 2024, during which time it took up residence in the nation’s phone networks, ISPs and even presidential campaigns. Leaks uncovered earlier this year point to the heightened activity of China’s various state-sponsored hackers being fed by expansive use of private contractors that are being incentivized to both develop zero-days and comb the internet for unpatched vulnerabilities; these “enabling companies” then sell access to the government’s hackers focused on sabotage and espionage.

In this case, Salt Typhoon established a stealthy presence in one unnamed state’s National Guard network from March to December of 2024. While a spokesperson for the Guard responded to the media reports by saying that the state-sponsored hackers did not disrupt any state or federal missions, it is not clear whether the threat is entirely contained or whether other Chinese hacking groups piled in after the fact. There have been prior cases of Salt Typhoon establishing an initial presence with its noisier tactics and then paving the way for Volt Typhoon, a group even more skilled at espionage, to “live off the land” for extremely long periods of time.

State-sponsored hackers were able to intercept communications with other National Guard networks

Another concerning aspect of the incident is that while only one state network was compromised, the hackers were able to leverage this to intercept communications with National Guard networks in other states and “at least four” US territories.

The broad implication of all of the activity of the state-sponsored hackers is widespread sabotage within the US should it enter a “hot” war over the fate of Taiwan; China looks to be positioning itself to disrupt communications and utilities on a broad scale, and with the National Guard (and its associated local law enforcement partners) it would likely be focusing on hampering emergency response to the critical infrastructure failures it induced.

As with many other “Typhoon” incidents, the full scope of the breach remains under investigation and is still not completely measured. While it is very unlikely that all of this activity will ever progress beyond poking and probing unless an actual war breaks out, targets of opportunity adjacent to critical infrastructure and national defense have to assume continual and heavy targeting, and that they are (like it or not) now involved with national security matters.