A U.S. Department of Homeland Security (DHS) memo circulated in June revealed that a Chinese cyberespionage group known as Salt Typhoon “extensively compromised” a U.S. state’s Army National Guard network over nine months in 2024. The memo, which cites findings from the Department of Defense, said the breach lasted from March through December and did not specify which state was targeted. It also revealed that the stolen data included administrator credentials and detailed network diagrams, information that could enable Salt Typhoon to carry out follow-on attacks against the compromised installations.
The memo also warned that “If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.”
The DHS also identified that in 2023 and 2024, Salt Typhoon stole 1,462 network configuration files associated with approximately 70 U.S. government and critical infrastructure entities across 12 sectors, including energy, communications, transportation, and water and wastewater. “These configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks, according to CISA reporting and NSA guidance.”
Salt Typhoon, already tied to some of the most aggressive cyber operations against the U.S., is now believed to have gained deeper access than previously known, raising concerns that the hackers may have obtained sensitive military or law enforcement information. Federal officials are still investigating the extent of the data exposure.
A National Guard Bureau spokesperson confirmed the compromise to NBC News, but declined to share details. “While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.
The DHS revealed that between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of those files was later used to inform the compromise of a vulnerable device on another U.S. government agency’s network.
It added that Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure. “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information—including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”
The memo also identified that Salt Typhoon’s access to Army National Guard networks in these states could include information on state cyber defense posture, as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel, data that could be used to inform future cyber-targeting efforts.
According to DOD reporting, in 2024, Salt Typhoon used its access to a U.S. state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.
The DHS memo surfaces as senior cybersecurity officials from the National Security Agency and the FBI report progress in disrupting Chinese cyber campaigns targeting U.S. critical infrastructure.
Speaking Tuesday at the International Conference on Cyber Security at Fordham University in New York City, experts detailed Beijing’s so-called Typhoon campaigns, in which coordinated efforts involving both Chinese government entities and private sector actors aim to infiltrate U.S. government agencies and critical infrastructure installations.
Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, focused on Volt Typhoon, an effort by Chinese actors to preposition themselves on U.S. critical infrastructure for disruptive or destructive cyberattacks in the event of a kinetic conflict centered around Taiwan.
“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign,” she said.
“We, with private sector, with FBI, found them, understood how they were using the operating systems, how they’re using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and U.S. government to hunt for them and detect them.”
Walter did not offer further details about those efforts. She said that after the NSA and other agencies released a public advisory in 2024, owners of critical infrastructure reached out to them to confirm that they had found evidence of Volt Typhoon and ask for help.
Brett Leatherman, who was recently appointed assistant director for cyber at the FBI, echoed those remarks and noted that Volt Typhoon was specifically focused on critical infrastructure centered around the U.S. Navy, particularly in island communities like Guam.
He said U.S. efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their tactics, and burn previous methods they used to breach critical infrastructure systems. The publicity fostered by U.S. agencies forced Chinese groups to come up with new ways to breach organizations while also providing ways for private industry to better defend itself.
“Even if you’re not dismantling that network — we’re never going to dismantle the CCP hacking apparatus — but if you can bring real relief to victims, you’re also protecting national security by doing that, and that’s why public attribution is so important when it comes to PRC hacking activity,” he said.
Commenting on the DHS memo, Ensar Seker, CISO at SOCRadar, wrote in an emailed statement that the revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain.
“This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence. The group’s sustained presence suggests they were gathering more than just files; they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use,” according to Seker. “What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”
He added that it’s another reminder that advanced persistent threat actors like Salt Typhoon are not only targeting federal agencies but also state-level components, where the security posture might be more varied.
“In a time where we are often fooled into thinking cybercrime means somebody telling us that we missed jury duty, or convincing our loved ones of a long-distance romantic relationship, we sometimes miss the fact that this is more than a game and is played at the nation state level,” Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement. “Cybercrime has real dangers for real people and real governments as well. The Typhoon groups, several different alleged Chinese-backed cybercrime groups that carry the ‘Typhoon’ moniker as part of their name, have been known to be very stealthy and very effective. While this was at the state level with the National Guard, it still goes to demonstrate that even our military forces are at risk from these cybercrime groups.”
He added that “These criminal groups must be taken seriously, which means that everyone from senior government leadership to the average citizen needs to be at least somewhat aware of the threats, how to spot them, and who to report them to. Whether it’s stealing money from individuals to fund other operations or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger.”