Officials with both the National Guard Bureau and the Department of Homeland Security (DHS) confirmed to MeriTalk today that the China-based Salt Typhoon hacking group targeted National Guard networks for attacks between March and December 2024.

These attacks have potentially far-reaching implications for the security of other National Guard unit networks and critical infrastructure entities that the guard helps to protect.

Both agencies indicated that the attacks targeted multiple National Guard networks, and that they have been working on steps to mitigate the impact of the attacks.

A report from NBC News last night broke the news of the attacks, and cited as a primary source of its reporting a June 11 memo from DHS’s Office of Intelligence and Analysis detailing the Salt Typhoon attacks. That memo lays out how extensive the blast radius of the attack may have been.

“A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-associated cyber actors – publicly tracked as Salt Typhoon – likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS memo says.

“If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict,” the DHS memo warns.

The memo also offers guidance to help the National Guard and state governments to detect, prevent, and mitigate against threats emanating from the Salt Typhoon attacks.

The DHS memo goes on to say that the Salt Typhoon attacks “extensively compromised” the unnamed state National Guard’s network, “and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD [Defense Department] report.”

“This data also included these networks’ administrator credentials and network diagrams – which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the memo says.

“Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere,” the memo says, adding, “Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. At least one of these files later informed their compromise of a vulnerable device on another US government agency’s network.”

“Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure,” the memo warns, adding, “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information – including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”

“DHS regularly communicates threat information with its partners and in June shared an update on the People’s Republic of China-affiliated hacking group, Salt Typhoon, targeting National Guard networks between March and December 2024,” a DHS spokesperson said today.

“DHS is continuing to analyze these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” the spokesperson said.

“The National Guard is aware of recent Department of Defense and Department of Homeland Security reporting regarding the People’s Republic of China-affiliated hacking group, Salt Typhoon, and their targeting of Army National Guard networks between March and December 2024,” a spokesperson for the National Guard Bureau told MeriTalk today.

“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

“We are taking this matter extremely seriously,” the spokesperson said. “Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners.”

At least one private sector cybersecurity expert reacted with considerable alarm to the news.

“Salt Typhoon’s compromise of the US National Guard is a significant event and potentially poses a serious threat to many Department of Defense systems,” said Gary Barlet, Illumio’s public sector chief technology officer.

“Going forward, all US forces must now assume their networks are compromised and will be degraded,” Barlet warned.

“This isn’t the first breach of Department of Defense systems we’ve seen,” Barlet said. “There have been numerous instances across both the public and private sector where sensitive information has been compromised and critical systems accessed via lateral movement.”

“In fact, the Ponemon Institute highlighted that 55% of organizations admitted a compromised device had infected other devices on the network,” he said.

“The ability of groups such as Salt Typhoon to move laterally across different units and systems is why government agencies must accelerate Zero Trust adoption and go even further with a breach containment strategy,” Barlet emphasized. “It is critical that services and data remain secure even when attackers have compromised a section of the network.”

The Salt Typhoon and related Volt Typhoon hacking groups backed by the Chinese government have emerged in recent years as sophisticated threat actors. Earlier this year, a U.S. intelligence community report said that the PRC poses the biggest cyber threat to the United States.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.