A Chinese state-sponsored threat actor known as Salt Typhoon maintained undetected access to a U.S. Army National Guard network for nine months in 2024, exfiltrating network configuration files, administrator credentials, and other sensitive data that could aid in compromising additional government infrastructure.
The breach, attributed to Salt Typhoon by the Department of Homeland Security (DHS), reportedly lasted from March to December 2024 and targeted one U.S. state’s National Guard infrastructure. According to a DHS memo obtained by NBC News, the attackers stole:
- Detailed network diagrams
- Administrator credentials
- Data traffic with networks in other U.S. states and four U.S. territories
- Personally identifiable information (PII) of service members
“Between March and December 2024, Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories,”
—DHS memo
The DHS warns that the stolen configuration files could be used to launch follow-on attacks across U.S. military and government networks, exploiting trust relationships or shared infrastructure between them.
Exploitation of Networking Device Vulnerabilities
Salt Typhoon is known to leverage unpatched vulnerabilities in network equipment, primarily targeting devices from Cisco and Palo Alto Networks. The memo cited several previously exploited vulnerabilities:
- CVE-2018-0171 – Cisco Smart Install remote code execution
- CVE-2023-20198 – Cisco IOS XE zero-day allowing unauthenticated access
- CVE-2023-20273 – Privilege escalation in Cisco IOS XE
- CVE-2024-3400 – Command injection flaw in Palo Alto’s PAN-OS GlobalProtect
IP addresses used in Salt Typhoon’s previous campaigns include:
43.254.132[.]118, 146.70.24[.]144, 176.111.218[.]190, 113.161.16[.]130, 23.146.242[.]131, and 58.247.195[.]208.
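As an added example (not part of the article or the DHS memo), the following Python script refangs the bracketed-dot indicators listed above and sweeps them across log lines. The indicator list is the one published above; the log lines are constructed for the example and do not come from any real network. Indicators are validated as IP addresses before use so that a typo in a threat-intel feed fails loudly instead of silently never matching.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Indicators exactly as listed in the article, in defanged form (bracketed dots).
SALT_TYPHOON_IPS_DEFANGED = [
    "43.254.132[.]118", "146.70.24[.]144", "176.111.218[.]190",
    "113.161.16[.]130", "23.146.242[.]131", "58.247.195[.]208",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into a usable value."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_ioc_set(defanged: Iterable[str]) -> Set[str]:
    """Refang and validate each indicator; a malformed entry raises ValueError."""
    iocs: Set[str] = set()
    for item in defanged:
        ip = refang(item)
        ipaddress.ip_address(ip)  # raises on a typo rather than yielding a dead indicator
        iocs.add(ip)
    return iocs


# Dotted quads not embedded in a longer dotted run, so "1.146.70.24.144" is not read as 146.70.24.144.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def scan_log_lines(lines: Iterable[str], iocs: Set[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that contains a listed IP: line number, IP and the line text."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append({"line": number, "ip": ip, "text": line.strip()})
                break  # one hit per line is enough for triage
    return hits


# Constructed sample syslog lines from a hypothetical firewall and VPN gateway (not real traffic).
SAMPLE_LOG = [
    "2024-03-14T02:11:09Z fw01 ALLOW TCP 146.70.24.144:51234 -> 10.20.30.5:443",
    "2024-03-14T02:11:10Z fw01 ALLOW TCP 192.168.1.20:40123 -> 10.20.30.5:443",
    "2024-03-14T02:12:44Z vpn01 login ok user=admin src=58.247.195.208",
    "2024-03-14T02:13:01Z fw01 DENY TCP 203.0.113.9:2222 -> 10.20.30.5:22",
]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG, build_ioc_set(SALT_TYPHOON_IPS_DEFANGED)):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['text']}")
```

Because the memo describes a nine-month dwell time, the sweep is only useful if it is run over retained historical logs (firewall, VPN and device management-plane logs back to early 2024), not just the current day's feed.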
These vulnerabilities gave the attackers unauthorized access to sensitive environments, enabling the theft of internal configurations used to map and breach further infrastructure.
Pattern of Targeting U.S. Infrastructure and Government Agencies
Salt Typhoon—believed to operate under China’s Ministry of State Security (MSS)—has a history of targeting U.S. critical infrastructure and government agencies. Between 2023 and 2024, the group stole 1,462 configuration files tied to approximately 70 U.S. government and critical infrastructure entities across 12 sectors.
In one notable incident, stolen configuration files from early 2024 were later used to compromise a vulnerable device on a separate U.S. government agency’s network.
In the telecom sector, Salt Typhoon has previously breached systems belonging to AT&T, Verizon, Viasat, Charter, and others, deploying custom malware such as JumbledPath and GhostSpider to surveil internal communications and target law enforcement monitoring systems.
DHS Urges Mitigation Measures
The DHS has called on National Guard and government cybersecurity teams to implement the following:
- Patch all known exploited vulnerabilities
- Disable unnecessary services
- Segment SMB (Server Message Block) traffic
- Enforce SMB signing
- Tighten access controls
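The article's own findings show why "disable unnecessary services" and "tighten access controls" matter on network devices in particular: the Cisco flaws listed above are reached through the Smart Install service and the IOS XE web UI, and a stolen configuration hands an attacker every credential stored in it. As an added example (not from the article, DHS or Cisco), the following Python audit reads an IOS-style running configuration and flags those three conditions. The configuration text is a constructed excerpt for a hypothetical device, and the check names and remediation strings are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed excerpt of an IOS XE running-config for a hypothetical router; not from any real network.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
service password-encryption
!
enable password 7 094F471A1A0A
username netadmin privilege 15 password 7 13061E010803
!
ip http server
ip http secure-server
!
vstack
!
line vty 0 4
 transport input ssh
!
end
"""

# 'enable password ...' and 'username ... password ...' store type 0 (plaintext) or type 7
# (reversibly obfuscated) credentials; 'secret' stores a one-way hash instead.
CRED_RE = re.compile(r"^(enable password|username \S+( privilege \d+)? password)\b")

WEB_UI_DIRECTIVES = ("ip http server", "ip http secure-server")


def audit_ios_config(text: str) -> List[Dict[str, str]]:
    """Return a list of findings, each with a check id, the offending line and the suggested fix."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings: List[Dict[str, str]] = []

    def flag(check: str, line: str, fix: str) -> None:
        findings.append({"check": check, "line": line, "fix": fix})

    # Smart Install (the service behind CVE-2018-0171). Older IOS enables it by default and
    # prints nothing in the config, so the absence of 'no vstack' is flagged for manual verification.
    if "vstack" in lines:
        flag("smart_install_enabled", "vstack", "no vstack")
    elif "no vstack" not in lines:
        flag("smart_install_unverified", "(no 'no vstack' line present)",
             "confirm with 'show vstack config', then add 'no vstack'")

    for ln in lines:
        # The IOS XE web UI is the exposure abused in CVE-2023-20198; disable it or restrict it.
        if ln in WEB_UI_DIRECTIVES:
            flag("web_ui_enabled", ln, f"no {ln} (or restrict with 'ip http access-class')")
        # Credentials a stolen config would give away in clear or reversible form.
        if CRED_RE.match(ln):
            flag("reversible_credential", ln,
                 "use 'enable secret' / 'username ... secret' (type 8 or 9 hash)")
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{f['check']}] {f['line']}  ->  {f['fix']}")
```

Running this against archived configuration backups is a quick way to tell which devices would have been worth stealing a config from in the first place; any device whose backup contains type 7 or plaintext credentials should have those credentials rotated, not just re-encoded.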
While a National Guard Bureau spokesperson confirmed the breach, they noted it had not disrupted state or federal missions. Meanwhile, China’s embassy in Washington responded by claiming the U.S. has not provided “conclusive and reliable evidence” linking Salt Typhoon to the Chinese government.
This intrusion further highlights the risk posed by persistent, state-backed actors targeting weak points in critical infrastructure, particularly where legacy systems or unpatched devices expose broader government networks to long-term espionage campaigns.