Salt Typhoon Breach Exposes U.S. Army National Guard Networks in 9-Month Espionage Campaign
In 2024, the Chinese state-sponsored threat group Salt Typhoon compromised a U.S. Army National Guard network and held persistent, undetected access for nine months. The breach, confirmed in a June 2025 memo from the Department of Homeland Security (DHS), ran from March through December 2024, during which the group exfiltrated network diagrams, administrator credentials, and personal information of service members. According to DHS, “Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel, data that could be used to inform future cyber-targeting efforts.” These actions fit a broader pattern of long-term espionage aimed at collecting intelligence for later campaigns, particularly in a crisis or conflict involving U.S. infrastructure.
The DHS memo warns that Salt Typhoon has previously used configuration files exfiltrated from other U.S. state agencies to compromise unrelated federal systems. As the memo states, “Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere… At least one of these files later informed their compromise of a vulnerable device on another U.S. government agency’s network.” A single intrusion can therefore have broad downstream impact: a router or switch configuration typically discloses interface addressing, routing and ACL structure, SNMP community strings, and local account credentials, often in Cisco’s reversible “type 7” encoding, so one file can seed access to another network. Security analysts believe Salt Typhoon’s access extended to traffic exchanged with Guard networks in every U.S. state and at least four U.S. territories. With 1,462 configuration files stolen from roughly 70 organizations across 12 sectors, including energy, communications, and water, the group’s activity underscores systemic exposure across both military and civilian critical infrastructure. The long dwell time and scale of access raise concerns about segmentation weaknesses and a lack of monitoring in hybrid federal-state defense environments.
DHS and DoD have recommended multiple mitigation steps for state and federal agencies. These include immediate patching of known vulnerabilities previously exploited by Salt Typhoon (e.g., CVE-2018-0171 in Cisco Smart Install, CVE-2023-20198 in the Cisco IOS XE web UI, and CVE-2024-3400 in Palo Alto PAN-OS GlobalProtect), disabling unnecessary services, segmenting SMB traffic, enforcing SMB signing, and implementing strict access controls. Agencies are also urged to rotate credentials, use strong encryption for data at rest, apply role-based access controls, and enforce the principle of least privilege. Credential rotation must cover every secret present in any configuration that may have been exfiltrated, including SNMP community strings and type 7 passwords, because patching alone does not evict an actor who already holds valid credentials. Detection and hardening guidance shared in December 2024 by CISA should also be reviewed. While the National Guard Bureau confirmed the breach, it stated that no federal or state missions were disrupted. However, the memo makes clear the longer-term risk: stolen credentials and network topologies could enable follow-on intrusions against both military units and state-level cyber defense partners, particularly those involved in protecting infrastructure.
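The mitigations above assume a defender knows what a stolen running-config would hand an attacker. The following is an added example for this article, not DHS, CISA, or Army tooling, that audits a saved Cisco IOS/IOS XE configuration for the exposures the guidance targets: credentials recoverable from the file itself (type 0 cleartext, reversible type 7, offline-crackable type 5), SNMP community strings, the HTTP(S) management interface that CVE-2023-20198 targets, and Smart Install (CVE-2018-0171) not explicitly disabled. The sample configuration, the finding codes, and the `Finding` structure are constructed for the example; the type 7 key and decoding loop are the publicly documented algorithm.

```python
"""Audit a saved Cisco IOS/IOS XE config for what a thief could use.

Added example, not official tooling. SAMPLE_CONFIG is constructed; the
finding codes are this example's own naming."""
import re
from dataclasses import dataclass

# Cisco "type 7" is reversible obfuscation, not encryption: each byte is
# XORed with this fixed, publicly known key, offset by a two-digit seed.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 <hex>' value."""
    seed = int(encoded[:2])          # first two chars: decimal key offset
    body = bytes.fromhex(encoded[2:])  # remaining pairs: XORed bytes
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


@dataclass
class Finding:
    code: str      # example's own finding identifier
    line_no: int   # 1-based config line, 0 = whole-file finding
    detail: str


def audit_config(config: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = [ln.strip() for ln in config.splitlines()]
    for n, s in enumerate(lines, 1):
        m = re.search(r"\b(?:password|secret)\s+7\s+(\S+)", s)
        if m:
            findings.append(Finding("CRED_TYPE7", n,
                f"type 7 value decodes to {decode_type7(m.group(1))!r}"))
        elif re.search(r"\b(?:password|secret)\s+0\s+\S+", s):
            findings.append(Finding("CRED_PLAINTEXT", n,
                "type 0 (cleartext) credential"))
        elif re.search(r"\b(?:password|secret)\s+5\s+\S+", s):
            findings.append(Finding("CRED_MD5", n,
                "type 5 (salted MD5) is offline-crackable; prefer type 8/9"))
        elif re.search(r"\bpassword\s+(?!\d\s)\S+", s):
            findings.append(Finding("CRED_PLAINTEXT", n,
                "unencoded password keyword"))
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", s)
        if m:
            findings.append(Finding("SNMP_COMMUNITY", n,
                f"community {m.group(1)!r} ({m.group(2) or 'RO'}) is a "
                "reusable credential; rotate and restrict with an ACL"))
        if s in ("ip http server", "ip http secure-server"):
            findings.append(Finding("WEBUI_ENABLED", n,
                "IOS XE web UI reachable (CVE-2023-20198 surface); disable "
                "or restrict with 'ip http access-class'"))
    # Smart Install is on by default on many Catalyst switches and only
    # appears in the config once disabled, so absence of 'no vstack' is
    # treated as exposure (conservative by design).
    if "no vstack" not in lines:
        findings.append(Finding("SMART_INSTALL", 0,
            "'no vstack' absent: Smart Install client may listen on "
            "TCP 4786 (CVE-2018-0171)"))
    return findings


SAMPLE_CONFIG = """\
! constructed sample config, not from any real device
hostname example-core-sw1
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 password 7 0822455D0A16
username backup password 0 Summer2024!
line vty 0 4
 password 7 0215015819031B
 login
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community netmgmt RW
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.code:15} line {f.line_no:>2}: {f.detail}")
```

Run against a real export, every `CRED_TYPE7`, `CRED_PLAINTEXT`, and `SNMP_COMMUNITY` finding names a secret that must be rotated if the file could have left the network, and the `WEBUI_ENABLED` and `SMART_INSTALL` findings are the two attack surfaces behind the Cisco CVEs the memo lists.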
Salt Typhoon’s operations form part of a larger campaign by Chinese-linked actors to quietly map and gain access to U.S. networks, often in preparation for future disruptive cyberattacks. This mirrors broader concerns about PRC cyber actors positioning themselves to target U.S. critical infrastructure during a geopolitical conflict, such as one over Taiwan. These findings echo previous reporting on Volt Typhoon, where U.S. agencies discovered similar prepositioning aimed at naval infrastructure on Guam. With federal and private-sector collaboration improving, DHS and NSA officials remain focused on disrupting these campaigns and equipping defenders to detect and mitigate future intrusions. Nevertheless, this incident is a warning of the real-world impact of state-backed cyber operations at the national, state, and local levels.