Chinese hackers were able to breach US National Guard and stay undetected for months

A Chinese state-sponsored threat actor known as Salt Typhoon has been confirmed to have infiltrated the network of the US Army National Guard for nine months. According to the Department of Homeland Security (DHS), the hackers were present in the networks between March and December 2024, during which time they stole sensitive data and personally identifiable information (PII) of service members.

The group, which is part of the wider “typhoon” organization that includes Brass Typhoon, Volt Typhoon, and others, is known for exploiting existing vulnerabilities (CVEs) in Cisco’s routers and similar hardware. This tactic has been used in recent attacks against top Canadian telecom firms and US networks, including AT&T, Verizon, Lumen, Charter, Windstream, and Viasat.

The goal of the campaign was to gain access to critical organizations within the US, including government, military, and defense organizations, in case tensions between the US and China over Taiwan escalated into a full-blown war. By having a presence in these networks, Salt Typhoon would have the ability to disrupt networks and steal key intelligence.

During their nine-month presence in the National Guard’s network, the hackers were able to steal vital intelligence, administrator credentials, network traffic diagrams, geographical maps, and PII. They also had access to data traffic between the state’s network and every other US state, as well as at least four additional territories. This means that they could have potentially pivoted to other networks, compromising even more government and military targets.

The breach was not discussed in detail, but DHS did note that the group is known for targeting unpatched Cisco routers and deploying custom malware such as JumbledPath and GhostSpider. The same tactics were used in its previous intrusions and have proven effective for Salt Typhoon.

This recent attack on the US National Guard raises concerns about the security of government and military networks and highlights the need for stronger cybersecurity measures. It also serves as a reminder for organizations to regularly update and patch their systems to prevent vulnerabilities from being exploited.

In response to the news, the US Government has issued a warning to all organizations to be on high alert for potential cyber threats. It is also urging companies and individuals to practice good cybersecurity hygiene, such as using strong and unique passwords, implementing multi-factor authentication, and regularly backing up important data.

This breach also serves as a reminder for individuals to be cautious and vigilant about their personal information and to regularly monitor their credit reports for any suspicious activity.

The news of Salt Typhoon’s infiltration into the US National Guard’s network has caused concern among experts, who believe that the group’s ultimate goal is to gain access to critical infrastructure and potentially disrupt vital services in the event of a conflict between the US and China.

As this story continues to develop, experts are urging organizations to take immediate action to secure their systems and prevent future attacks. It is clear that Salt Typhoon is a highly sophisticated and persistent threat that should not be taken lightly.

In addition to the National Guard breach, Salt Typhoon has also been linked to recent attacks on top satellite communications company Viasat, further highlighting the widespread reach and impact of this group.

As the threat of cyber attacks continues to grow, it is crucial for organizations and individuals to stay vigilant and take necessary precautions to protect themselves from malicious actors like Salt Typhoon.