China’s Salt Typhoon Hacked US National Guard

Chinese hacking group Salt Typhoon targeted a National Guard unit’s network and tapped into communications with other units. The post China’s Salt Typhoon Hacked US National Guard appeared first on SecurityWeek.

Chinese state-sponsored hackers compromised the network of a state’s Army National Guard unit, collected configuration information, and tapped into its communication with other units, a Department of Defense report shows.

The nation-state threat actor, tracked as Salt Typhoon, was previously accused of hacking US telecommunications giants AT&T and Verizon, along with Lumen Technologies and other service providers in the US and abroad, to compromise wiretap systems.

Last month, the Canadian Centre for Cyber Security and the FBI warned that the APT had also targeted telecom providers in Canada, stealing configuration files and modifying one file to configure a GRE tunnel and enable traffic collection.

In a June report obtained by NBC News, the DoD warned that Salt Typhoon compromised a US state’s Army National Guard network, obtaining valuable information that could facilitate its hacking into other units’ networks and their state-level cybersecurity partners.

“If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict,” the report reads.

According to the DoD, Salt Typhoon accessed the compromised network between March and December 2024, exfiltrating configuration information and collecting data sent to and received from “counterparts’ networks in every other US state and at least four US territories”.

“This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the DoD says.

According to the report, between January and March 2024, the Chinese hackers stole configuration files for other US government and critical infrastructure organizations, including at least two state government agencies.

In 2023 and 2024, the DoD says, Salt Typhoon stole 1,462 network configuration files for roughly 70 US government and critical infrastructure entities from 12 sectors, including energy, communication, transportation, and water and wastewater.

For initial access, the hackers exploited known vulnerabilities in Cisco and Palo Alto Networks edge devices, including CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400, the report shows.

The compromise of National Guard networks, the DoD says, could undermine local efforts to protect critical infrastructure against cyberattacks, as the National Guard units in 14 states are integrated with centers responsible for threat intelligence and the unit in one state provides cyber defense services.

“Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel—data that could be used to inform future cyber-targeting efforts,” the report reads.

Responding to a SecurityWeek inquiry, the National Guard Bureau confirmed it was aware of the DoD report on Salt Typhoon’s hacking.

“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope. We are taking this matter extremely seriously. Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners,” the Bureau said.

*Updated with National Guard Bureau statement and to clarify what type of information was stolen in the attacks against Canadian carriers.
