A Chinese state-backed hacking group infiltrated a U.S. Army National Guard network and stayed there, undetected, for most of 2024.
The group, known as Salt Typhoon, is believed to have operated inside the network of an unnamed U.S. state from March through December, according to a Department of Homeland Security memo. Their reach may have extended far beyond that single state.
The threat actors exfiltrated sensitive data. Network traffic. Admin credentials. Diagrams. Even personally identifiable information and the geographic locations of National Guard personnel.
According to the Pentagon’s findings, over and above mapping the compromised network, Salt Typhoon mapped its connections to every other state and at least four U.S. territories.
The implication is chilling: the compromise could be used as a launchpad for broader attacks across state lines. In several states, Army National Guard units are directly integrated with cybersecurity fusion centers responsible for defending critical infrastructure.
This wasn’t a smash-and-grab; it was a long game. Salt Typhoon collected data that could aid future targeting and quietly undermined the nation’s state-level cyber defenses.
The Department of Defense warns that stolen configuration files (like the ones lifted in this breach) have previously been used by Salt Typhoon to attack other government systems. The tactics are known. The strategy is persistent.
What remains unknown is the full extent of the damage.
Just a week ago, NSA and FBI officials declared victory over another group, Volt Typhoon, saying they had crippled it. But with Salt Typhoon digging in, questions arise. Can we afford to hail the neutralization of one threat while another digs in?
The attack demonstrates a grim truth about modern cybersecurity. There’s no finish line, and no singular victory is enough.
Not a “Military Only” Operation
Casey Ellis, Founder of Bugcrowd, says: “Volt Typhoon is focused on prepositioning for disruption, and creating a deterrent effect based on this, whilst Salt Typhoon is focused on positioning for intelligence gathering.”
Ellis says an intrusion into a National Guard network isn’t a “military only” operation. “States regularly engage their national guard to assist with cyber defense of civilian infrastructure. As a target, they would be a rich source of all kinds of useful intelligence.
“Intelligence informs action, so while the Volt Typhoon announcement is encouraging, it’s important to remember that we are basically playing a giant game of whack-a-mole here. Vigilance and continuing efforts towards resilience are key for domestic defenders of all types.”
A “Cold” Third Global Conflict
Bryan Cunningham, President at Liberty Defense, adds: “As I wrote here on D-Day 2024, the US and our democratic allies are already in at least a “cold” third global conflict. Russia, the People’s Republic of China (PRC), and Iran all have continued to infiltrate and test our critical infrastructure, with Russia conducting actual disruption operations in Europe.”
Cunningham says Salt Typhoon and Volt Typhoon are widely believed to be APT groups operating at the behest of the PRC, with Volt believed to be the stealthier of the two threats, embedding itself into critical infrastructure for the long term, and Salt being the “noisier” group, less interested in hiding and awaiting its moment than in data theft and immediate disruptive effects.
Accelerating Destructive Attacks
“The PRC, Russia, and Iran will continue to ramp up their infrastructure attacks, likely to include inside the United States, particularly if there is no negotiated peace between Russia and Ukraine,” Cunningham explains. “Though in this case, national guard units appear to have been part of the target set, these adversaries do not respect the Law of Armed Conflict and are fully prepared to target civilian infrastructure, albeit illegally, whether it supports US military efforts or not. And, of course, we are not at war with the PRC at the moment so even such military units are not legitimate targets for attack and disruption.”
According to him, absent an actual shooting war, these authoritarian nations and their hacker proxies likely will test mostly around the margins, not doing serious damage to protect their capabilities, but they likely will accelerate their destructive attacks if they believe a shooting war is imminent.
Adopt a “Shields Up” Posture
“Hacker groups often work both on their own for financial gain and answer to their authoritarian governments to infiltrate and attack critical infrastructure of what they view as their enemies. They also morph over time, both as new techniques and technologies emerge and to try and muddy the waters for those trying to identify and counter them.”
Cunningham says CISOs need to be in a “shields up” posture, carefully monitoring their assets and staying current on evolving threats and their own security infrastructure, including basic cyber hygiene training for employees, as a significant percentage of cyberattacks are enabled by human error.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.