The picture of the sprawling “Salt Typhoon” hacking campaign continues to expand, as a new memo from the Department of Homeland Security (DHS) reveals that a state Army National Guard network was compromised from March to December 2024. The state-sponsored hackers were able to use this position to intercept traffic from other national guard networks in all 50 states as well as at least four US territories.
Salt Typhoon is the elite China-backed espionage group responsible for breaching all the major US mobile phone service providers, both the Donald Trump and Kamala Harris presidential campaigns, and US law enforcement wiretapping systems among numerous other targets. The group has been active since at least 2020 but was particularly focused on high-profile US counterintelligence targets in 2024.
Chinese state-sponsored hackers exfiltrated data from US National Guard networks for months
The DHS memo is internal but was obtained by Property of the People, a nonprofit organization that focuses on transparency in national security issues. It was shared with reporters from NBC News and reportedly describes China’s state-sponsored hackers as having “extensively” compromised one state Army National Guard unit, using the access to exfiltrate non-public location maps and topology diagrams, access the personal information of service members, and intercept communications with other state and territory Guard units.
Salt Typhoon’s general focus, at least over roughly the past two years, has seemingly moved from simple espionage to creating persistent footholds in defense and critical infrastructure systems. Security researchers believe these are being maintained in the event of a military conflict over the fate of Taiwan, and would be activated to do things like cause havoc in communications networks and take runs at the power grid and water supply if the US were to engage with military force. Though National Guard units might not be heavily involved in such a scenario, they are a unique target of opportunity for state-sponsored hackers as they integrate with both federal Department of Defense and individual state networks. These units also participate in local “law enforcement fusion” centers that serve as central clearinghouses for data sharing; the state-sponsored hackers have already shown their interest in such systems with their penetration of lawful wiretapping systems maintained by the mobile phone carriers.
The National Guard Bureau has responded to the story by issuing a statement that it cannot provide specific details about the incident, but that the state-sponsored hackers did not disrupt any state or federal missions and that the full scope of the breach remains under investigation.
Massive campaigns by China’s state-sponsored hackers assisted by private industry, large-scale vulnerability scanning
China’s teams of “Typhoon” state-sponsored hackers have been operating at a scale and sophistication not previously seen. These massive and constant campaigns are fed in part by the state looping in a broad assortment of private companies, who are encouraged both to continually comb the internet for exploitable known vulnerabilities and to develop novel zero-days that are taken straight to the government for financial reward. In some cases, the so-called “enabling companies” are selling access to multiple Chinese government entities along with other security outfits. A member of the “Silk Typhoon” hacking projects who was picked up while vacationing in Italy last week is one such “hired gun” hacker, working for a front security company called Shanghai Powerock Network Co. Ltd. that is dedicated to this kind of work.
Each of the “Typhoon” groups of state-sponsored hackers has its own responsibilities and mission, but as of late Salt Typhoon seems to be devoted primarily to the prospect of digital sabotage should a “hot war” break out. The fact that such a war for Taiwan would almost certainly be initiated by China has caused serious alarm at the scope and boldness of the activity, with this new story adding yet more fuel to the fire. The attack on the National Guard unit may well be a precursor for future attacks on other units as well as the state and local groups they work closely with, such as law enforcement and cybersecurity partners.
Salt Typhoon’s late 2024 rampage through US mobile carriers and ISPs was its most infamous single campaign prior to this, but the state-sponsored hackers have been observed attacking a broad variety of international targets since 2023 in a massive and extended flurry of activity. This has at times included a focus on law firms, hotels and engineering companies. The group heavily targets known vulnerabilities in routers, reinforcing the idea that it has a small army of private contractors combing for these unpatched flaws to use as initial points of entry. Once they have penetrated a target, the state-sponsored hackers have been observed dwelling for as long as three years at a time, making skillful use of advanced living-off-the-land techniques to blend in with normal traffic.
Damon Small, Board Member, Xcape, notes that while China’s best state-sponsored hackers often do this it is also not impossible to spot them: “While Salt Typhoon was detected, it had only been after the group had a foothold for 9 months. There is also little detail about the Guard’s confidence that all remnants of the infiltration had been neutralized. As the question alludes, we have no way to know that there aren’t this or other adversarial groups already in place.”
“In our opinion, it is not surprising that Salt was detected as they tend to disrupt services. What is truly frightening is the notion that Salt may have been the ‘tip of the spear’ that may have led to further infiltration by another group, such as Volt, that specifically evades detection and lies in wait for long periods of time. In the case of groups that engage in spying and do not use malware to do so, detecting them can be difficult. Groups like this tend to ‘live off the land’ and only use resources that are already available on the target systems. Our advice to the reader is to not assume that a known-good configuration is immune from attack. Rather, security teams must also understand the known-good behavior of their systems. If a system suddenly begins communicating with China, for example, that is worthy of investigation. Periodic examination of high-value systems is no longer adequate; rather, examination must be a constant activity,” added Small.
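Small’s point that defenders must know a system’s known-good behavior, not just its known-good configuration, can be turned into a simple detection check. The following is an added example, not code from the article or from any of the quoted experts: it learns, per host, the set of destination countries seen during a baseline window of flow records, then flags any later flow to a country that host has never contacted before. The host name, IP addresses (drawn from documentation ranges) and the prefix-to-country table are constructed placeholders standing in for real NetFlow/firewall logs and a GeoIP database.

```python
"""Behavioural baseline for outbound connections (added illustration).

Learns the destination countries each host normally talks to during a
learning window, then reports later flows whose destination country is new
for that host. All log lines and the country lookup below are constructed
for this example; a real deployment would read NetFlow/IPFIX or firewall
logs and resolve countries/ASNs with a GeoIP database.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample flow records: "timestamp src_host dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2024-03-01T02:10:00 mgmt-router-01 203.0.113.10 443 5120
2024-03-02T03:15:00 mgmt-router-01 203.0.113.10 443 4096
2024-03-03T01:05:00 mgmt-router-01 198.51.100.7 53 512
2024-03-20T02:30:00 mgmt-router-01 203.0.113.10 443 6144
2024-03-21T02:31:00 mgmt-router-01 192.0.2.55 443 912384
2024-03-22T02:29:00 mgmt-router-01 192.0.2.55 443 1048576
"""

# Constructed prefix-to-country table standing in for a GeoIP lookup.
GEO_PREFIXES = {
    "203.0.113.": "US",
    "198.51.100.": "US",
    "192.0.2.": "CN",
}


@dataclass
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, host, ip, port, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), host, ip, int(port), int(nbytes))


def country_of(ip):
    """Toy GeoIP: longest-prefix string match against the constructed table."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"  # unknown destinations are treated as their own 'country'


def build_baseline(flows, learn_until):
    """Map each host to the destination countries seen before learn_until."""
    baseline = defaultdict(set)
    for f in flows:
        if f.ts < learn_until:
            baseline[f.src_host].add(country_of(f.dst_ip))
    return baseline


def find_new_destinations(flows, learn_until):
    """Return (host, dst_ip, country, bytes) for post-window flows to a
    country that host never contacted during the learning window. A host
    with no baseline at all has every flow reported, which is intentional:
    an unseen host talking outbound also deserves a look."""
    baseline = build_baseline(flows, learn_until)
    alerts = []
    for f in flows:
        if f.ts < learn_until:
            continue
        cc = country_of(f.dst_ip)
        if cc not in baseline.get(f.src_host, set()):
            alerts.append((f.src_host, f.dst_ip, cc, f.nbytes))
    return alerts


def run_example():
    """Run the detector over the constructed sample with a 15-day baseline."""
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return find_new_destinations(flows, datetime(2024, 3, 15))


if __name__ == "__main__":
    for host, ip, cc, nbytes in run_example():
        print(f"ALERT {host} -> {ip} ({cc}), {nbytes} bytes: "
              f"destination country not in this host's baseline")
```

In the sample, the flow on 2024-03-20 to a US address matches the router’s baseline and is silent, while the two later flows to the CN-mapped address are reported. The point is the one Small makes: the check keys on a deviation from observed behavior, so it still fires when the attacker uses only legitimate, already-present tooling and nothing in the configuration has changed. In practice the baseline would be rebuilt continuously rather than once, and the key could be ASN or destination IP rather than country, depending on how noisy the environment is.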
Erich Kron, Security Awareness Advocate at KnowBe4, adds: “These criminal groups must be taken seriously, which means that everyone from senior government leadership to the average citizen needs to be at least somewhat aware of the threats, how to spot them, and who to report them to. Whether it’s stealing money from individuals to fund other operations, or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger.”
Bryan Cunningham, President at Liberty Defense and a former White House lawyer and career CIA officer, warns that these groups should be expected to target any potential lead that might grant them access to critical infrastructure, government, communications or law enforcement targets: “As I wrote here on D-Day 2024, the US and our democratic allies are already in at least a ‘cold’ third global conflict. Russia, the People’s Republic of China (PRC), and Iran all have continued to infiltrate and test our critical infrastructure, with Russia conducting actual disruption operations in Europe. Both Salt Typhoon and Volt Typhoon are widely believed to be Advanced Persistent Threat (APT) groups operating at the behest of the PRC, with Volt believed to be the stealthier of the two threats, embedding itself into critical infrastructure for the long term, and Salt being the ‘noisier’ group, less interested in hiding and awaiting their moment than data theft and immediate disruptive effects … Absent an actual shooting war, these authoritarian nations and their hacker proxies likely will test mostly around the margins, not doing serious damage to protect their capabilities, but they likely will accelerate their destructive attacks if they believe a shooting war is imminent … CISOs need to be in a ‘shields up’ posture, carefully monitoring their assets, staying current on evolving threats and their own security infrastructure, including employee basic cyber hygiene training, as a significant percentage of cyber attacks are enabled by human error.”