
A China-affiliated hacking group known as Salt Typhoon breached a US state’s Army National Guard network in a months-long cyber espionage campaign, compromising sensitive data and potentially weakening state-level defenses across the country, according to a classified Department of Defense (DoD) report.
The breach, which occurred between March and December 2024, allowed Salt Typhoon to steal administrator credentials, detailed network configurations, and communications exchanged between National Guard units in all 50 states and at least four US territories. Officials warn that this data could be leveraged for future intrusions targeting critical infrastructure and state cybersecurity agencies during national emergencies or international conflict.
The DoD report concluded that the cyber actors, believed to be tied to the People’s Republic of China, accessed administrator credentials and network diagrams that could facilitate follow-on attacks against other Guard units and state cybersecurity partners. “If PRC-associated cyber actors succeeded in targeting these partners, it could severely undermine state-level cybersecurity capabilities and the broader defense of US critical infrastructure,” the report warned.
Salt Typhoon, also tracked by cybersecurity firms and federal agencies, has been linked to a series of high-profile cyberattacks over the past two years, including breaches at major US telecommunications firms such as AT&T, Verizon, and Lumen Technologies. The group has also targeted telecom networks in Canada, where it reportedly stole call records and, after gaining access by exploiting known vulnerabilities in Cisco network devices, configured data tunnels that redirected traffic for surveillance.
In the National Guard breach, Salt Typhoon reportedly used its prolonged access to collect traffic flowing in real time between Guard units and state-level partners. That traffic included personally identifiable information (PII) of service members, which raises the risk of targeted surveillance and spear-phishing campaigns against them. Officials are especially concerned because the Guard is integrated into fusion centers, state-run hubs that coordinate with federal agencies and monitor critical infrastructure, in at least 14 states.
Salt Typhoon’s tactics involved exploiting publicly known vulnerabilities in unpatched Cisco IOS XE devices, including CVE-2023-20198, a privilege-escalation flaw in the IOS XE web UI that lets an unauthenticated attacker create a privilege-level-15 account, and CVE-2023-20273, a command-injection flaw chained with it to run commands as root. Both are reachable only when the web UI feature (the ip http server or ip http secure-server command) is enabled, and Cisco shipped fixes for both in October 2023, so any device still exploitable through them in 2024 was more than a year behind on patches. According to a February 2025 report by Recorded Future’s Insikt Group, the group used these vulnerabilities to extract over 1,400 configuration files from more than 70 US entities across sectors such as energy, water, and emergency services. These files often contained administrative access credentials and blueprints of entire network infrastructures. A running configuration is worth that much because, beyond the topology it describes, IOS stores some credentials in the trivially reversible type 7 encoding, so the “encrypted” passwords in the file are effectively plaintext to whoever holds it.
Both the FBI and the Canadian Centre for Cyber Security have recently issued alerts on Salt Typhoon’s operations, warning of continued espionage efforts that now span dozens of countries. In one Canadian case, the group compromised three telecom network devices and then configured GRE (Generic Routing Encapsulation) tunnels on them to siphon traffic off to an endpoint it controlled. A GRE tunnel is a legitimate router feature and raises no alarm on its own; the practical signals are an unexpected tunnel interface in the device configuration, or GRE traffic (IP protocol 47) leaving a network device for an address that is not a known peer.
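The two device-side artifacts this article keeps returning to, stolen IOS XE configuration files (the Insikt Group paragraph above) and unexpected GRE tunnels (the Canadian case), can both be checked from a saved running-config. The script below is an added example written for this page; it is not code from the DoD report, Recorded Future, the Canadian Centre for Cyber Security or Cisco. The configuration it audits is constructed for the example: the account names, the hash bodies, the 203.0.113.45 tunnel peer and the known-peer allowlist are made up. What it demonstrates is why a config file is a credential dump (type 7 values decode instantly with the long-public XOR key), which stanzas expose the web UI attack surface the CVEs above need, and how a tunnel destination outside an allowlist surfaces as a finding.

```python
import re

# Cisco type 7 XOR key. Public for decades, so type 7 is obfuscation, not encryption:
# anyone holding the config file recovers the plaintext instantly.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

SECRET_RE = re.compile(r"\b(password|secret|key)\s+(\d)\s+(\S+)")  # "<kw> <type> <value>"
WEBUI_RE = re.compile(r"^ip http (secure-)?server$")                 # web UI feature switched on
SNMP_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)\b", re.I)
TUNNEL_DST_RE = re.compile(r"^tunnel destination (\S+)$")

# Non-reversible types: 5 (md5-crypt) is cheap to crack offline, 8 and 9 are the acceptable ones.
HASH_TYPES = {"5": "md5-crypt, offline-crackable", "8": "pbkdf2-sha256", "9": "scrypt"}


def decode_type7(enc: str) -> str:
    """Reverse a type 7 value: two decimal digits of key offset, then hex of plaintext XOR key."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 value: {enc!r}")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def encode_type7(plain: str, seed: int = 2) -> str:
    """Forward direction, so a value of your own choosing can be round-tripped."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(text: str, known_tunnel_peers=frozenset()) -> list[dict]:
    """Report what an attacker gets from the config file alone, plus two exposure indicators."""
    findings, current_if = [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("interface "):
            current_if = raw.split(None, 1)[1]
        elif raw and not raw[0].isspace():
            current_if = None  # an unindented line means we left the interface stanza
        line = raw.strip()
        if m := SECRET_RE.search(line):
            kw, ptype, value = m.groups()
            if ptype == "7":
                findings.append({"line": n, "kind": "reversible-secret", "keyword": kw,
                                 "plaintext": decode_type7(value)})
            elif ptype == "0":
                findings.append({"line": n, "kind": "cleartext-secret", "keyword": kw,
                                 "plaintext": value})
            else:
                findings.append({"line": n, "kind": "non-reversible-secret", "keyword": kw,
                                 "algorithm": HASH_TYPES.get(ptype, f"type {ptype}")})
        elif WEBUI_RE.match(line):
            # The IOS XE web UI flaws are only reachable while this feature is on.
            findings.append({"line": n, "kind": "web-ui-enabled", "directive": line})
        elif m := SNMP_RE.match(line):
            findings.append({"line": n, "kind": "snmp-community", "community": m.group(1),
                             "access": m.group(2).upper()})
        elif (m := TUNNEL_DST_RE.match(line)) and current_if and current_if.startswith("Tunnel"):
            # IOS tunnel interfaces default to GRE over IP; an unknown peer is a traffic-copy path.
            findings.append({"line": n, "kind": "tunnel-destination", "interface": current_if,
                             "destination": m.group(1), "known": m.group(1) in known_tunnel_peers})
    return findings


# Constructed sample for this example, not a captured configuration. Hash bodies are placeholders.
SAMPLE_CONFIG = f"""\
hostname edge-rtr-01
!
username admin privilege 15 password 7 02050D480809
username svc-backup privilege 15 secret 9 $9$SALTSALTSALTSA$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
enable secret 5 $1$SALT$PLACEHOLDERPLACEHOLDERP
!
ip http server
ip http secure-server
!
snmp-server community public RO
!
tacacs server aaa-primary
 address ipv4 10.0.0.5
 key 7 {encode_type7('t4c4cs-sh4red', seed=11)}
!
interface Tunnel7
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, known_tunnel_peers={"198.51.100.10"}):
        print(finding)
```

Run against the sample, the script recovers the admin password and the TACACS shared key outright, flags the web UI as enabled on both ports, and reports Tunnel7 pointing at a peer not in the allowlist. The remediation each finding implies is the usual one: store local secrets as type 9 (algorithm-type scrypt on the username and enable commands), disable the HTTP and HTTPS servers or restrict them with an access-class, replace default SNMP communities, and treat any tunnel interface you did not provision as an incident rather than a misconfiguration.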