Salt Typhoon Breach: Chinese Hackers Target US Army National Guard and Critical Infrastructure

Chinese state-backed hacking group Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nine months, stealing sensitive military data, credentials, and personnel information. According to a June 11 Department of Homeland Security (DHS) memo, the hackers used the compromised network to access data traffic and configurations from Army National Guard networks in all U.S. states and at least four territories, raising concerns about potential nationwide cyber vulnerabilities.
The memo, obtained by nonprofit Property of the People and first reported by NBC News, states the breach took place between March and December 2024. Salt Typhoon reportedly extracted network diagrams, administrator credentials, and even personally identifiable information (PII) of service members. The intrusion has triggered a full-scale investigation in coordination with DHS and other federal agencies.
Part of a Larger Campaign on Critical Infrastructure
This cyberattack is just one part of Salt Typhoon’s broader strategy targeting U.S. critical infrastructure and government entities. The memo reveals that during 2023 and 2024, the group stole over 1,462 network configuration files across 12 sectors, including Energy, Communications, Transportation, and Water. These files contained details that could allow further network exploitation, such as account manipulation and lateral movement across systems.
Given the National Guard's dual federal-state responsibilities and integration with state-level cybersecurity systems, the breach significantly threatens interconnected infrastructure protections. In 14 states, Army National Guard units collaborate directly with state fusion centers that manage threat intelligence—including cyber threats—intensifying the potential fallout.
Military and Personnel Data Compromised
The memo outlines the specific types of data stolen during the breach: network traffic logs, geographic maps, administrator credentials, and the PII of National Guard personnel. Beyond exposing internal military operations, the intrusion could reveal cyber defense strategies and the physical and digital footprints of cybersecurity personnel, increasing the risk of future targeted cyberattacks.
The National Guard Bureau (NGB) acknowledged the attack but clarified it has not hindered any operational duties. A spokesperson emphasized that security protocols have been enacted to contain the damage, and investigations are ongoing.
Repeated Exploitation Tactics Raise Alarms
Salt Typhoon has a documented history of leveraging stolen configuration files for future attacks. Between January and March 2024, the group used similar stolen data to compromise two state government agencies. In one case, the breach led to exploitation of a vulnerable device in another federal agency, indicating a chain reaction of intrusions.
Access to such files gives attackers visibility into network structure, credentials, and security settings, enabling long-term unauthorized access and data exfiltration.
Technical Methods and Escalating Threats
Salt Typhoon’s operations rely on exploiting known Common Vulnerabilities and Exposures (CVEs) while masking its identity using leased IP addresses. Notable CVEs used include CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400. The memo urged organizations to audit systems, patch known vulnerabilities, and maintain robust logging mechanisms.
The disclosure of the breach coincides with the disbanding of the Cyber Safety Review Board, which had been investigating Salt Typhoon's attacks on major telecom firms like AT&T and Verizon, raising concerns over diminished oversight.
As Salt Typhoon continues targeting state-level partners, experts warn the fallout could cripple U.S. critical infrastructure responses during conflicts or crises involving China.