A recent Department of Defense (DoD) report has revealed that “Salt Typhoon,” a Chinese state-sponsored hacking group, successfully breached the network of a US Army National Guard unit. This extensive compromise, active from March to December 2024, allowed the threat actors to collect sensitive configuration information and eavesdrop on communications with other units across every US state and at least four US territories. The stolen data included administrator credentials and network diagrams, providing a significant advantage for potential follow-on attacks against other National Guard entities and their interconnected systems.
The group, known for its persistent and sophisticated cyber espionage campaigns, has a documented history of targeting critical infrastructure.
Previously, Salt Typhoon was implicated in hacking major US telecommunications carriers including AT&T, Verizon, and Lumen Technologies, where it reached the lawful-intercept (wiretap) systems those carriers operate. More recently, Canadian authorities and the FBI issued warnings about the group's targeting of Canadian telecom providers to steal call records and private communications, demonstrating a consistent focus on communication networks and sensitive data.
The implications of the National Guard breach are particularly concerning. The DoD report highlights that Salt Typhoon’s access could severely hinder state-level cybersecurity partners’ ability to defend US critical infrastructure in the event of a crisis or conflict. National Guard units in many states are integral to threat intelligence sharing and cyber defense services, meaning a compromise of their networks provides adversaries with crucial insights into the nation’s defensive posture, including personally identifiable information (PII) and work locations of cybersecurity personnel.
The hackers gained initial access by exploiting known, already-patched vulnerabilities in Cisco and Palo Alto Networks edge devices. Specific vulnerabilities leveraged include CVE-2018-0171 (Cisco IOS and IOS XE Smart Install client), CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE web UI privilege escalation and command injection, chained together), and CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect command injection). Beyond the National Guard, Salt Typhoon also stole 1,462 network configuration files from approximately 70 US government and critical infrastructure entities across 12 sectors, including energy, communications, transportation, and water and wastewater, between January 2023 and March 2024.
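The CVE list explains how the devices were entered; what a stolen configuration file then yields is the other half of the story. As an added example, not code from the DoD report or from any vendor, the Python script below audits a constructed Cisco IOS-style configuration for the exposures relevant here: the HTTP web UI service that CVE-2023-20198/20273 target (Cisco's mitigation is to disable it), the Smart Install client that CVE-2018-0171 targets (Cisco's mitigation is `no vstack`), and credentials stored with the reversible type 7 obfuscation, which is why a stolen config hands over administrator passwords outright. The hostname, passwords, community string and secret-9 placeholders are all constructed; the PAN-OS side is not covered because the page gives no configuration details for it.

```python
import re

# Cisco's public type 7 XOR key. Type 7 is obfuscation, not encryption:
# anyone holding the config can recover the plaintext in microseconds.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
SMART_INSTALL_FINDING = "smart-install client (no 'no vstack' line)"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco IOS 'password 7' string back to plaintext.

    Format: two decimal digits giving the key offset, then hex bytes, each
    XORed with the key byte at (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii", "replace")


def audit_ios_config(config: str) -> dict:
    """Flag what an attacker gains from this config and what it exposes.

    Returns:
      recoverable_credentials: (config line, recovered plaintext) pairs for
        type 7 and type 0/unencrypted passwords
      snmp_communities: SNMP community strings, which are also credentials
      exposed_services: HTTP(S) web UI lines, plus Smart Install if the
        config never disables it (the client is on by default on affected
        IOS releases, so absence of 'no vstack' is the risk signal)
    """
    findings = {"recoverable_credentials": [], "snmp_communities": [],
                "exposed_services": []}
    smart_install_disabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no vstack":
            smart_install_disabled = True
        elif re.match(r"ip http (secure-)?server$", line):
            findings["exposed_services"].append(line)
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            findings["snmp_communities"].append(m.group(1))
            continue
        m = re.search(r"\b(?:password|secret) 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings["recoverable_credentials"].append(
                (line, decode_type7(m.group(1))))
            continue
        # 'password <text>' or 'password 0 <text>' is stored in the clear;
        # type 5/8/9 hashes are not matched and are not recoverable this way.
        m = re.search(r"\bpassword (?:0 )?(\S+)$", line)
        if m and not re.search(r"\bpassword [589] ", line):
            findings["recoverable_credentials"].append((line, m.group(1)))
    if not smart_install_disabled:
        findings["exposed_services"].append(SMART_INSTALL_FINDING)
    return findings


# Constructed sample: the kind of config an actor would find worth stealing.
SAMPLE_CONFIG = """\
hostname ng-edge-rtr
enable password 7 0822455D0A16
username admin privilege 15 password 0 Guard2024!
ip http server
ip http secure-server
snmp-server community public RW
line vty 0 4
 password 7 0822455D0A16
 login
"""

# Constructed hardened counterpart: web UI off, Smart Install off, scrypt
# (type 9) secrets whose hashes are placeholders, no SNMP community string.
HARDENED_CONFIG = """\
hostname ng-edge-rtr
no vstack
no ip http server
no ip http secure-server
enable secret 9 $9$placeholder.scrypt.hash
username admin privilege 15 secret 9 $9$placeholder.scrypt.hash
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg))
```

Run against a real exported configuration, the same checks tell you what an adversary already holds if that file was among the ones taken: every type 7 and type 0 entry should be treated as a known credential and rotated, and an enabled web UI or Smart Install client on an internet-facing device maps directly to the CVEs named above.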
This incident underscores the ongoing and evolving threat posed by state-sponsored cyber actors to national security. The depth and breadth of Salt Typhoon’s access, coupled with their previous targeting of telecommunications and critical infrastructure, suggest a strategic effort to gather intelligence and potentially pre-position for disruptive actions. The DoD’s findings emphasize the urgent need for enhanced cybersecurity measures and vigilance across all levels of government and critical sectors to counter such persistent and sophisticated threats.