Chinese state-sponsored group Salt Typhoon conducted a 9-month undetected cyber espionage campaign (March-December 2024) against U.S. Army National Guard networks, exploiting known vulnerabilities to exfiltrate administrator credentials, network configurations, and personnel data across all 50 states and four territories. This breach represents a strategic escalation in Chinese cyber operations, exposing critical gaps in patch management and federal-state cyber coordination while creating systemic risks to interconnected defense and critical infrastructure networks.RetryClaude can make mistakes. Please double-check responses.

CYBER INSIGHTS CYBER INSIGHTS JULY 30, 2025 JULY 30, 2025

Overview

Between March and December 2024, the Chinese state-sponsored APT group Salt Typhoon executed a prolonged and deeply embedded cyber espionage operation targeting multiple U.S. Army National Guard networks, successfully breaching at least one state’s Guard infrastructure for nearly nine months without detection.[1] During this campaign, Salt Typhoon exfiltrated highly sensitive materials including network configuration files, administrator credentials, internal traffic routing data between states and U.S. territories, geographic infrastructure maps, as well as the personally identifiable information (PII) and work locations of Guard personnel. This data not only exposed military and law enforcement networks but also introduced systemic risk to interconnected state fusion centers and National Guard units that support critical infrastructure defense and cyber threat sharing across 14 states. This intrusion, viewed by the Department of Homeland Security and Department of Defense as a strategic escalation, underscores gaps in segmentation, detection, and federal-state cyber coordination, and raises significant concerns about U.S. readiness to protect domestic infrastructure in the event of geopolitical conflict or cyber disruption campaigns led by the People’s Republic of China (PRC).

Key Findings:

  • Salt Typhoon maintained undetected access to a U.S. Army National Guard network for nine months, exfiltrating administrator credentials, network diagrams, PII of service members, and traffic flows with networks in all 50 states and four U.S. territories.
  • This campaign is part of a broader Chinese espionage effort, in which Salt Typhoon exfiltrated 1,462 configuration files from over 70 U.S. government and infrastructure entities between 2023 and 2024, providing the PRC with deep insight into American network topologies and security controls.
  • Exploitation was achieved through known CVEs and leased IP infrastructure, highlighting significant gaps in patching discipline, logging, and detection across hybrid federal-state environments.
  • Immediate Action: All organizations, whether public or private, should immediately audit external-facing services for known exploited CVEs and enforce credential hardening and MFA across remote access points.

1.0 Threat Overview

1.1 Initial Discovery

The breach carried out by Salt Typhoon—a cyber espionage group linked to the Chinese government—was not discovered through active monitoring tools, intrusion detection systems, or real-time security alerts. Instead, it was uncovered months after the intrusion had ended, identified through a Department of Homeland Security (DHS) intelligence memo on June 11, 2025, which cited findings from the Department of Defense (DoD). The memo revealed that Salt Typhoon had successfully infiltrated and remained active within the network of at least one U.S. Army National Guard unit for nine months, from March to December 2024, without being detected.

1.2 Infection Chain and Payload Execution

Salt Typhoon gained access by exploiting known vulnerabilities in widely used network devices, including VPN appliances and enterprise routers. These vulnerabilities (CVE-2023-20198 or CVE-2024-3400) allow attackers to bypass authentication or gain system-level access without needing legitimate credentials. They are often published and cataloged by organizations like NIST, but if an organization has not applied the latest security patches, these flaws remain open doors.

To conceal their origin and evade network defenses, Salt Typhoon utilized leased IP addresses, which are internet addresses rented from third-party hosting providers or virtual private server services, often located in different countries. Leased IPs enable attackers to route their traffic through seemingly benign or geographically irrelevant infrastructure, making it more difficult to trace the true source of the attack back to China. These IPs are frequently rotated or disguised to bypass geofencing rules and blocklists.

Once inside the network, Salt Typhoon avoided traditional malware, which would normally trigger antivirus or security software. Instead, they used legitimate tools, and administrative functions already present in the system—a tactic known as "living off the land." This includes using built-in services like PowerShell, Windows Management Instrumentation, or remote desktop tools to move laterally within the network. They also harvested valid user credentials, allowing them to log in and operate like authorized users.

Their objective was espionage, not disruption. Over nine months, Salt Typhoon exfiltrated a wide range of sensitive data, including:

  • Administrator credentials: usernames and passwords that allow full control over systems and networks.
  • Network diagrams: blueprints that map out how systems are connected and secured.
  • Configuration files: files that define how routers, firewalls, and other infrastructure operate.
  • Interstate data routing information: showing how this National Guard unit communicated with other states and territories.
  • Personally Identifiable Information: names, roles, and potentially locations of National Guard service members.

There was no evidence of ransomware, destructive activity, or data corruption/exfiltration, reinforcing that this was a targeted intelligence-gathering mission.

Salt Typhoon CVE Security Dashboard
CVE-2024-3400
Critical
Palo Alto PAN-OS
EXPLOITED BY SALT TYPHOON
A command injection as a result of an arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Attack Vector: Unauthenticated remote attackers can bypass authentication controls and gain root-level system access through GlobalProtect VPN endpoints, enabling complete firewall compromise.
CVE-2023-20198
Critical
Cisco IOS
EXPLOITED BY SALT TYPHOON
Cisco IOS vulnerability that allows attackers to bypass authentication and execute arbitrary commands with Privilege 15 privileges. This vulnerability is due to improper path validation, which enables attackers to reach the webui_wsma_http web endpoint without requiring authentication.
Attack Vector: Remote attackers exploit improper path validation to access administrative web interfaces without authentication, gaining full network device control and credential harvesting capabilities.
CVE-2018-0171
Critical
Cisco IOS/IOS XE
EXPLOITED BY SALT TYPHOON
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data.
Attack Vector: Attackers exploit Smart Install protocol flaws through malformed packets to cause device crashes or execute arbitrary code, potentially compromising entire network segments.
3
Critical CVEs Exploited
9
Months Undetected
54
States & Territories Affected
1,462
Config Files Stolen

2.0 Associated Threat Actors

Salt Typhoon demonstrates advanced operational maturity through its persistent presence, stealth techniques, and strategic intelligence collection targeting military and critical infrastructure networks. The group’s tradecraft—characterized by the use of leased IP infrastructure, exploitation of known CVEs, and "living off the land" tactics—indicates deliberate intent to embed within decentralized U.S. defense systems for prepositioned access. This operation aligns with broader Chinese cyber objectives aimed at weakening federal-state coordination and expanding strategic visibility into domestic defense and emergency response structures.

Attribution & Profile Salt Typhoon: People's Republic of China (PRC) state-sponsored APT group Operating under Chinese intelligence services authority. Also known as GhostSpider and FamousSparrow. Leverages "TunnelCrack" for offensive intelligence gathering. Primary Targets Focus on U.S. telecommunications, government agencies, and critical infrastructure sectors: Telecommunications Government Military Energy Transportation Water Systems Tools & Methods Living-off-the-Land: Does not use custom malware suites but instead leverages administrator tools and open-source utilities. Known to exploit public CVEs and operate with stealth rather than deploying new payloads. Focuses on persistent access and data exfiltration. Recent Major Activity Late 2024 - Early 2025 Widespread U.S. Telecommunications Breach Conducted extensive infiltration of major U.S. telecommunications providers including Verizon, AT&T, T-Mobile, and Lumen. Accessed court-authorized wiretap systems, intercepted communications of senior government officials and political figures, and maintained persistent access to telecommunications infrastructure for months. 9+ Months Active 4 Major Telecom Providers 54 States & Territories PRC State Sponsored

2.1 Incident Timeline

Salt Typhoon Attack Timeline 18-Month Cyber Espionage Campaign Against U.S. National Guard January 2024 Precursor Activity Precursor Activity Prior to the National Guard breach, Salt Typhoon exfiltrates 1,462 configuration files from ~70 U.S. government and critical infrastructure entities. March 2024 Initial Compromise Initial Compromise Salt Typhoon gains access to a U.S. state's Army National Guard network via exploitation of known CVEs and leased IP infrastructure. Mar-Dec 2024 Lateral Movement & Exfiltration (9 months) Undetected Lateral Movement & Exfiltration The group maintains covert access for 9 months, collecting administrator credentials, configuration files, network diagrams, and PII of service members. December 2024 End of Intrusion End of Intrusion Period Breach activity ceases, likely due to infrastructure rotation or operational cycle completion. June 11, 2025 DHS Memo Published DHS Memo Published Internal DHS intelligence report reveals the full scope of the intrusion, triggering interagency coordination and media coverage. July 2025 Public Disclosure Public Disclosure Begins DHS and National Guard confirm Salt Typhoon's activities publicly; cybersecurity experts issue alerts regarding scale and severity of the breach.

3.0 Technical Analysis

Salt Typhoon exploited known vulnerabilities in enterprise-grade network appliances, including those found in Cisco IOS and Palo Alto PAN-OS, to gain unauthenticated remote access without relying on malware or triggering endpoint defenses. The group used leased IP infrastructure to obscure attribution and evade geofencing and blocklists. Once inside the targeted network, attackers leveraged legitimate administrative tools already present in the environment—commonly referred to as “living off the land”—to conduct reconnaissance, escalate privileges, and exfiltrate sensitive data. This included administrator credentials, configuration files, network topology diagrams, and interstate routing data. Their operational focus was sustained intelligence collection, maintaining covert access for nine months without disrupting services or deploying destructive payloads.

DOD Cybersecurity Threat Assessment
Data Staging & Covert Exfiltration
Risk: 3.2
  • Minimized detection through staged exfiltration and encrypted data handling
  • Compromised data using 7-Zip & WinRAR with password protection
  • Small batch transfers over HTTPS or SFTP
  • Stealth via non-standard ports and hours
  • Bypassed antivirus with custom encoders
Credential Abuse & Authentication Replay
Risk: 3.5
  • Reused captured domain admin and service account credentials for system privilege and GDI access
  • Automated credential replay for lateral movement
  • Multi-hop authentication to bypass monitoring
  • High activity in Windows domain leveraging misconfigurations
Lateral Movement via Trusted Relationships
Risk: 3.4
  • Exploited trust relationships between state and federal systems
  • Moved into note-taking, fusion center, and Microsoft Teams environments
  • Used service accounts with elevated privileges
  • Demonstrated mature understanding of US intergovernmental networks
Logging Evasion & Anti-Forensics
Risk: 3.5
  • Maintained operational security through selective log manipulation
  • Used LOLBINs ("living off the land" binaries & scripts such as 'net', 'sc', 'schtasks', 'nbtstat')
  • Avoided flagged locations (Cobalt Strike, Metasploit)
  • Registry modification and selective log wipes
Multi-APT SharePoint Exploitation Campaign
CRITICAL: 4.5
Attack Methods
  • Remote Code Execution via unauthenticated deserialization and installer key
  • Hybrid espionage and ransomware operations targeting federal entities
  • Salt Typhoon's network-level appraisal with application layer exploitation
  • Domestic collection on DE-OSSERV19
Coordinating APT Groups
Linen Typhoon
Violet Typhoon
Storm-2933
Salt Typhoon (Primary Coordinator)
This assessment highlights the sophistication and coordination of current Chinese APT operations targeting critical U.S. infrastructure and federal systems.

4.0 Recommendations for Mitigation

  • Immediately patch all externally exposed systems vulnerable to CVE-2023-20198 and CVE-2024-3400 and validate via authenticated post-remediation scans. Prioritize scanning and hardening of Cisco IOS XE and Palo Alto GlobalProtect interfaces. Disable exposed management interfaces (e.g., Web UI) on WAN-facing routers and firewalls entirely if not required.
  • Isolate and restrict inter-state and inter-agency traffic routing paths between National Guard and fusion center systems to prevent propagation via compromised trust relationships. Replace flat VPN tunnels or shared routing configurations with dedicated circuit-level segmentation, enforce state-specific ACLs between peer sites, and monitor unauthorized configuration sync or device polling behavior between states.
  • Implement outbound data egress filtering and behavioral DLP tuned for slow, stealthy exfiltration of non-malicious file types, especially configuration files, XML exports, and network diagrams. Enforce checksum verification and alerting on any outbound transfer of known device backup formats or plaintext credential containers (e.g., .cfg, .bak, .netcfg, .rsc).
  • Expand patching priorities to include public‑facing enterprise apps like SharePoint and apply WAF/IPS filters, monitor ASPX POST to ToolPane[.]aspx, as well as rotate ASP[.]NET MachineKeys after remediation.
  • Rebuild trust boundaries by revoking all shared credentials, federation tokens, and configuration baselines previously synchronized between impacted and non-impacted GuardNet instances. This includes regenerating site-to-site VPN keys, rotating backup decryption passwords, and scrubbing stored configurations from upstream repositories or asset management systems that may have inherited tainted data.

5.0 Hunter Insights

The Salt Typhoon breach represents a profound escalation in state-sponsored cyber espionage, exposing fundamental weaknesses in the segmentation, patch management, and detection capabilities of U.S. federal and state defense networks. By remaining undetected for nine months (March–December 2024), leveraging known CVEs in critical network infrastructure, and using “living off the land” tactics, Salt Typhoon gained access to sensitive administrator credentials, network diagrams, and PII for Army National Guard personnel. The systemic risk created by this intrusion, compounded by its extension into data flows with state fusion centers and critical infrastructure partners, underscores the urgent need for more rigorous, federated cyber hygiene and inter-agency collaboration.

Looking ahead, we can expect sophisticated APT groups like Salt Typhoon to continue targeting hybrid federal, state, and municipal networks that support critical functions, exploiting gaps in patching and trust relationships. The future risk landscape is likely to see attackers intensifying their use of leased or temporary infrastructure to obscure attribution, as well as the blending of espionage with potential pre-positioning for disruptive actions in a crisis scenario. Organizations must move towards enforcing segmentation, hardening credential management, and monitoring for stealthy exfiltration—even of “benign” configuration files. As geopolitical rivalry intensifies, cyber defense must become as coordinated and agile as the threat actors it faces.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.