Experts Warn of Serious Escalation After Salt Typhoon Hacks Army National Guard Systems

A Chinese state-sponsored intrusion set off alarms in Washington this week after investigators confirmed that the hacking unit known as Salt Typhoon burrowed into a U.S. Army National Guard network for nine months and quietly siphoned off the keys to many other government systems. Defense officials briefed on a June 11 Department of Homeland Security memo say the breach represents the most dangerous incursion into a National Guard environment ever recorded.
The memo, circulated throughout the Pentagon on Monday, states that Salt Typhoon “extensively compromised a U.S. state’s Army National Guard network” between March and December 2024. During that time the attackers captured administrator credentials, full network topology diagrams, and live traffic flowing between the compromised Guard network and its counterparts in every other state and four U.S. territories.
Analysts who reviewed packet captures taken during the incident say the adversary gathered enough configuration data to assemble a step-by-step map of GuardNet – the internal ecosystem that links state Guard units to joint commands and civilian agencies.
Pentagon cyber forensics teams discovered that the attackers also harvested 1,462 network-device configuration files associated with 70 government and critical-infrastructure organizations spread across a dozen industrial sectors. Each file exposes the security posture of a router, firewall, or VPN gateway, including embedded credentials and management-interface details. One senior defense official noted that “stealing a config is the digital equivalent of pocketing the blueprints to Fort Knox.”
Why does a state-level breach matter so much? The National Guard operates under a dual federal-state mandate; Guard units defend local critical infrastructure yet also backstop U.S. combatant commands when crises erupt. Many of their cyber protection teams sit on the same fusion-center floor as state emergency managers and local power-grid operators. That proximity means GuardNet often carries data drawn from water utilities, regional hospitals, and election boards – a “treasure chest” of targets, according to a former National Security Agency liaison.
Investigators pieced together the path Salt Typhoon used to reach the Guard enclave. The attackers exploited a string of long-known network-device flaws – CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400 – to seize control of edge routers and pivot inside. Once embedded, they deployed bespoke tooling to exfiltrate configuration snapshots on a rolling basis. The tactic mirrors earlier Salt Typhoon operations against major telecoms in 2023, lending weight to assessments that the same operators carried their playbook into military networks without major changes.
Gary Barlet, a former Air National Guard communications officer and now chief technology officer at Illumio, called the episode “the clearest sign yet that the People’s Liberation Army intends to hold U.S. domestic infrastructure at risk.” He warned that administrators across the force must assume latent compromise until every router is rebuilt from gold disks and every credential rotated. Erich Kron of KnowBe4 noted that modern military operations run parallel kinetic and cyber lines of effort: “If boots step off without cyber cover, the enemy will cut their digital lifeline before the first convoy rolls.”
In interviews with Defense-Aerospace, three current Guard CISOs described a hard truth: many state armories rely on aging network gear because procurement cycles lag well behind federal programs. One officer said flatly, “Our routers are old enough to vote.” Budget shortfalls and competing mission demands often push firmware upgrades to the bottom of the queue. Salt Typhoon capitalized on that gap.
The newly disclosed memo highlights three immediate operational hazards now facing force planners:
- Command-and-control integrity. Stolen credentials give an adversary real-time access to GuardNet management planes, opening the door to service-denial or deceptive-routing attacks during domestic emergencies or overseas mobilizations.
- Cross-domain propagation. Because fourteen states route fusion-center traffic across Guard infrastructure, compromised devices could serve as springboards into civilian emergency-response systems.
- Personnel targeting. Exfiltrated location data and personally identifiable information on Guardsmen may allow hostile intelligence services to pressure individuals or spoof identity-based access controls.
The National Guard Bureau confirmed the breach but said “ongoing missions remain unaffected.” Officials did not disclose which state first fell victim, citing operational security. A senior cyber planner, however, revealed that field teams have shifted into a “restore and rebuild” posture, scrubbing every boundary firewall and segmenting traffic between logistics, personnel, and training domains.
Salt Typhoon’s interest in GuardNet comes on the heels of its long campaign against U.S. telecommunications backbones. By 2024 the unit had already infiltrated carriers that supply leased lines and secure gateways to military bases nationwide. Gaining direct access to the Guard allowed the hackers to enrich that earlier haul with sensitive routing tables – effectively merging two reconnaissance datasets into one master plan.
Ensar Seker, chief information security officer at SOCRadar, voiced concern about the dwell time: “Nine months inside a military network is an eternity in cyber terms. Every day they stayed, they learned which sensors fired and which alarms stayed silent.” Seker added that segmentation alone will not stop future intrusions because configuration files, once stolen, live forever on foreign servers.
To curb similar exploits, the memo lists priority hardening measures:
- Patch or replace any device susceptible to the four enumerated CVEs.
- Disable legacy Smart-Install and unauthenticated web interfaces on routing platforms.
- Enforce strict least-privilege roles for all network administrators, coupled with hardware-token multifactor authentication.
- Deploy flow-taps that export NetFlow records to a centralized analytics fabric for anomaly detection.
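The memo's hardening list, and the observation that a stolen configuration file exposes management interfaces and embedded credentials, both come down to what is written in the device config. The following audit script is an added example, not code from the memo or from any of the sources cited here; it scans a configuration snapshot for the weaknesses the list names (Smart Install left enabled, an unauthenticated HTTP management interface, no central AAA, credentials stored in recoverable form) and reports a remediation hint for each. The sample configuration is constructed, and the check rules are assumptions modelled on Cisco IOS syntax rather than any vendor's official checklist.

```python
"""Audit a network-device configuration snapshot for the weaknesses the memo's
hardening list targets: legacy Smart Install, an unauthenticated HTTP management
interface, missing AAA, and credentials stored in recoverable form.

Added example, not code from the memo or any cited source. The config text is
constructed; the check rules are assumptions modelled on Cisco IOS syntax."""
import re

# Constructed sample config: deliberately contains every weakness the audit looks for.
SAMPLE_CONFIG = """\
hostname armory-edge-01
!
enable password ArmoryAdmin2019
username svc-backup password 7 0822455D0A16
!
vstack
!
ip http server
no ip http secure-server
!
line vty 0 4
 login local
 transport input telnet ssh
!
snmp-server community public RO
"""


def parse_config(text):
    """Return the config as a list of non-empty, non-comment lines (leading space kept)."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_config(text):
    """Return a list of (finding_id, detail) tuples for weaknesses found in the config."""
    stripped = [ln.strip() for ln in parse_config(text)]
    findings = []

    # Smart Install (vstack) is on by default on affected platforms, so the audit
    # requires an explicit "no vstack" rather than just the absence of "vstack".
    if "no vstack" not in stripped:
        findings.append(("SMART_INSTALL_ENABLED",
                         "add 'no vstack'; Smart Install is the CVE-2018-0171 vector"))

    # Plaintext web UI exposed; the memo calls for disabling unauthenticated web interfaces.
    if "ip http server" in stripped:
        findings.append(("HTTP_MGMT_ENABLED", "add 'no ip http server'"))

    # Credentials an attacker can read straight out of a stolen config.
    for ln in stripped:
        if ln.startswith("enable password "):
            findings.append(("PLAINTEXT_ENABLE_PASSWORD", "replace with 'enable secret'"))
        m = re.match(r"username (\S+) password 7 ", ln)
        if m:
            findings.append(("TYPE7_USER_PASSWORD",
                             f"user {m.group(1)}: type-7 is reversible; use 'secret'"))
        if re.match(r"snmp-server community (public|private)\b", ln):
            findings.append(("DEFAULT_SNMP_COMMUNITY", ln))

    # Without central AAA there are no per-admin roles and no token-based MFA enforcement.
    if "aaa new-model" not in stripped:
        findings.append(("AAA_DISABLED",
                         "add 'aaa new-model' and bind vty/console lines to a TACACS+/RADIUS group"))

    # Telnet on vty lines sends administrator credentials in the clear.
    if any(ln.startswith("transport input") and "telnet" in ln for ln in stripped):
        findings.append(("TELNET_ENABLED", "restrict with 'transport input ssh'"))

    return findings


def finding_ids(text):
    """Just the finding identifiers, in order, for scripting and tests."""
    return [fid for fid, _ in audit_config(text)]


if __name__ == "__main__":
    for fid, detail in audit_config(SAMPLE_CONFIG):
        print(f"{fid}: {detail}")
```

Run against a directory of exported configs, a script like this gives a quick inventory of which devices still carry the settings the memo wants removed; a hardened config (explicit `no vstack`, `no ip http server`, `enable secret`, `aaa new-model`, SSH-only vty lines, no default SNMP community) produces an empty findings list.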
Although the memo does not state it outright, multiple defense officials argue the breach should accelerate the Pentagon’s zero-trust timeline. One official pointed to the 2022 AT&T modernization contract for GuardNet: “Hardware upgrades mean nothing if the trust model still assumes the internal network is benign.”
The political backdrop further complicates remediation. Congress last month voted to dissolve the Cyber Safety Review Board, which had opened the only formal cross-agency inquiry into Salt Typhoon’s telecom hacks. Without that body, responsibility for long-term lessons learned shifts back to individual service cyber commands – entities already swimming in incident response work.
China’s embassy in Washington denied state involvement, repeating a standard line that the United States has produced “no conclusive evidence.” Privately, U.S. officials concede attribution in cyberspace rarely meets courtroom standards, yet signals-intelligence overlays place the operators behind Salt Typhoon inside a People’s Liberation Army strategic support brigade stationed near Guangdong.
From an operational-readiness angle, the compromise lands at a precarious moment. The National Guard has taken on expanded cyber-mission sets ranging from election security to ransomware surge support. Colonel Rhonda Blake, commander of one of the first Guard cyber protection battalions, said her teams now juggle domestic-incident response while training for Pacific-theater contingencies. “If we lose integrity on GuardNet during hurricane season or during a Taiwan crisis,” she warned, “our commanders choose between fighting blind or pulling back.”
Industry sources familiar with the remediation effort say contractors have mobilized “tiger teams” to reload baseline configurations onto more than 4,000 devices nationwide. That work, however, pauses normal life-cycle projects, stretching thin the same personnel who field emerging joint-all-domain command-and-control prototypes.
Our analysis shows Salt Typhoon’s lift of GuardNet configurations completes a strategic puzzle begun in the telecom trenches. With both the external carrier view and the internal military view in hand, planners in Beijing can now script attack paths that bypass many traditional perimeter defenses and focus directly on identity stores and mission data.
The episode closes the gap between theory and battlefield reality. For years, Pentagon white papers warned that foreign actors would target reserve-component infrastructure to hobble mobilization. Salt Typhoon just demonstrated that the tactic is no longer theoretical. The question facing commanders is not whether to treat GuardNet as contested, but how fast they can build resilient command-and-control that functions under persistent compromise.