
Salt Typhoon Storms the Guard

  • Jul 23

As I approached the end of my military career, I found myself on the cutting edge of a new battlefield: cyberspace. In my final years of service, I helped develop innovative ways to use digital networks to affect adversaries, turning bits and bytes into weapons. We knew that as we were leveraging cyberspace against our enemies, they were doing the same to us. I'm proud to now serve on this same battlefield with the rest of the OTM Cyber team. Our "battlefield" reality was highlighted when news broke of a major cyber breach involving a U.S. Army National Guard unit’s network; a breach that illuminates just how far our adversaries have gone in this domain.



The National Guard Breach: Another Front in the Cyber War


This month, we learned that a Chinese state-sponsored hacking group code-named “Salt Typhoon” had “extensively compromised” the network of a U.S. state’s Army National Guard unit. According to a Department of Homeland Security (DHS) memo, the intruders silently operated from March through December 2024, remaining undetected for nine months. During that time, they exfiltrated sensitive data, including network maps and even the “data traffic” between the targeted Guard unit and its counterparts in “every other US state and at least four US territories”. In other words, by breaching one state-level military network, the hackers effectively tapped into communications and data exchanges across the entire National Guard footprint. This wasn’t an isolated incident or a simple website defacement; it was a deep infiltration into military infrastructure.


What exactly did the attackers steal? The DHS memo and subsequent analyses reveal a trove of controlled unclassified information (CUI) that, while not classified, is highly sensitive. Specifically, Salt Typhoon obtained:


  • Internal network configurations and diagrams – blueprints of how the Guard’s computers and servers were set up, and how they connected to other states’ networks.

  • Administrator credentials – the keys to the digital kingdom, like high-level login accounts and passwords for network admin systems.

  • Geographic maps and operational data – including maps of locations of units and critical assets throughout the state.

  • Personal information on service members and staff – the personally identifiable information (PII) of Guard personnel, such as names, roles, and possibly contact details or other personal data.


This kind of data falls under CUI because, although it isn’t classified secret or top secret, it’s information the military considers sensitive and that requires safeguarding. For example, the network diagrams and configurations reveal how to navigate the Guard’s systems; exactly the knowledge an attacker would need to move laterally through networks or plan future intrusions. Administrator credentials could allow the hackers (or others who buy or obtain that info later) to log back into these systems at will, or even access other linked networks. And while no strictly classified military networks were accessed (those are segmented on separate, more secure systems), the breach still exposed a wealth of insight into military operations and personnel. In my experience, even so-called “unclassified” military networks often hold data that can be harmful in the wrong hands. This incident starkly highlights why unclassified does not mean unimportant.


Why Unclassified Doesn’t Mean Unimportant


It might be tempting for some to dismiss a state National Guard network compromise as inconsequential since no secret battle plans or classified intel were stolen. Indeed, the Army National Guard’s classified systems (such as those used for sensitive operations) are deliberately segmented from the unclassified networks and were not accessed in this breach. But that doesn’t mean the incident isn’t a big deal. The CUI taken can be incredibly valuable. Think of personnel records, training schedules, equipment inventories, communications logs, and internal emails. In skilled hands, such data can reveal patterns and vulnerabilities.


For example, by grabbing personal data on soldiers and IT administrators, the attackers now potentially know who runs the Guard’s cyber defenses at the state level. They could use that intel to target those individuals with spear-phishing emails or other social engineering tricks, impersonating trusted contacts to infiltrate deeper systems. They might learn which soldiers have specific expertise or access, and then attempt to compromise those individuals’ personal devices or accounts. During my service, I saw how even innocuous details, like a list of names on a team or an organizational chart, could be leveraged by adversaries. Personal info becomes ammunition: hostile intelligence services can build profiles or “personas” of our service members, aiming to exploit any vulnerabilities. In the wrong context, a soldier’s home address or family details could even be used for intimidation or coercion.


Moreover, the stolen network topology diagrams and config files effectively hand the blueprint of our systems to the adversary. It’s as if a burglar not only stole valuables from a house, but also left with a copy of the floor plan and the keys, planning to come back later. The DHS memo explicitly warned that the breach “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units and possibly many of their state-level cybersecurity partners”. In other words, the attackers might use the knowledge from this one state’s Guard unit to penetrate others. This is a classic example of an advanced persistent threat (APT): establish a foothold, quietly gather intelligence, and then exploit it to expand access further.


From my perspective, this incident shatters any false sense of security about “Oh, it’s just an unclassified network.” Controlled Unclassified Information can include things like operational plans marked FOUO (For Official Use Only), internal procedural memos, or contacts for inter-agency communication, none of which you’d want a foreign adversary reading. The National Guard breach proves that determined hackers will gladly collect and weaponize any information they can get. And when that adversary is a nation-state like China, we must assume they have virtually limitless storage and analytic capability to make use of our data down the road.


The Adversary’s Playbook: Gather Today, Exploit Tomorrow


What do the intruders ultimately want? U.S. officials describe Salt Typhoon as a Chinese state-sponsored hacking group specializing in long-term espionage. Patience and stealth are their hallmarks. Rather than smash-and-grab attacks or immediate ransom demands, groups like Salt Typhoon prefer to maintain covert access for months or even years, quietly observing and siphoning information. The National Guard breach is a perfect case study: nine months of undetected access is a staggering duration by cybersecurity standards. It suggests the attackers were careful to blend in with normal network traffic, use stolen credentials, and perhaps avoid noisy malware or disruptive actions that would set off alarms.

Their goals go beyond just spying on day-to-day communications. According to U.S. intelligence assessments, Salt Typhoon (and other Chinese APT groups with similar tactics) are engaged in “prepositioning”, a strategy of planting digital footholds and mapping out target networks in case of a future conflict. One Reuters report noted that the group appears to be preparing to “paralyze U.S. critical infrastructure in case of a conflict with China,” rather than merely gathering intel. In plainer terms, they’re like saboteurs who infiltrate a power station and study its layout well before any war, so that when commanded, they can disrupt power at the most critical moment. Cyberspace offers the perfect means to do this quietly on a massive scale.


We’ve already seen hints of these ambitions. Salt Typhoon was previously connected to breaches of major U.S. telecommunications providers (like AT&T and Verizon) and even surveilling the communications of political figures. In one startling example, the hackers reportedly monitored text messages and phone calls of high-profile Americans in real-time. This indicates that their appetite isn’t limited to military networks; it spans telecom, government agencies, critical infrastructure sectors, and even the democratic process. The National Guard attack extends that pattern into the realm of the military’s domestic units, blurring the line between peacetime espionage and preparation for potential wartime cyber strikes.


From my vantage point as someone who has worked on U.S. cyber operations and continues to work on cybersecurity for critical infrastructure, I recognize many of Salt Typhoon’s tactics. They conduct reconnaissance by stealing configuration files and diagrams (to know the target environment). They steal credentials (to impersonate authorized users and maintain persistence on the network). They probably set up backdoors or tunneling channels. For instance, some reports note Salt Typhoon has used modified network devices to secretly route traffic out for collection. And notably, they choose targets that serve a strategic purpose: the National Guard may seem like a softer target than, say, active-duty military networks or the Pentagon, but compromising the Guard can indirectly grant access or insight into critical infrastructure defense and inter-agency coordination. It’s a stepping stone with a big payoff.


The “harvest now, exploit later” approach is consistent with many other Chinese cyber campaigns we’ve seen. A well-known parallel is Volt Typhoon, another hacking operation revealed in 2023, which infiltrated various U.S. critical infrastructure installations (power grids, communications, transportation) and tried to remain quietly embedded. The idea was that if a crisis erupted, for example, over Taiwan, those implanted bugs could be activated to disrupt U.S. operations at the worst possible time. Thankfully, that particular campaign was exposed and disrupted before it could do more damage. But Salt Typhoon’s enduring presence in a Guard network for nearly a year shows that these threat actors are continually adapting and looking for other ways in. They are playing a long game, and every piece of network knowledge or stolen data is a potential puzzle piece for a larger, dangerous plan.


Targeting Soldiers and Identities – The Human Cost


One particularly sinister aspect of the National Guard breach is the exposure of our people. The inclusion of service members’ PII in the stolen data isn’t just a privacy concern, it’s a security concern. When an adversary like China’s cyber operators gathers names, ranks, positions, and even personal details of our Guardsmen and women, it is effectively compiling a target list. The DHS memo specifically noted that Salt Typhoon likely obtained data on the state cybersecurity personnel and even their work locations, information that could inform future cyber-targeting efforts.


Why does this matter? Consider a few scenarios. With a list of key IT admins and commanders, a foreign intelligence service could send extremely convincing phishing emails to those individuals; emails tailored with personal details to appear legitimate. If even one of those people is tricked into clicking a malicious link, the attackers can regain access despite any password changes or network clean-up done after the initial breach. Alternatively, the adversary could attempt to socially engineer these personnel by contacting them under false pretenses (perhaps posing as a higher headquarters or a familiar agency) to extract more information or credentials. In a more dire scenario, during a geopolitical crisis, those individuals could be personally threatened or extorted using information gleaned about them or their families, a classic espionage tactic, supercharged by data theft.


There’s also the angle of military deception and influence operations. If Salt Typhoon stole data about Guard unit deployments, training, or even something like the roster of soldiers in a cybersecurity exercise, that information could feed into disinformation campaigns. For instance, adversaries could fabricate messages or leaks targeting specific service members or their communities to erode trust, knowing exactly who to impersonate or which internal emails to reference. By assembling detailed “personas” of our soldiers, essentially profiles of their digital and personal lives, threat actors can better mimic or manipulate those personas online.


In my years wearing the uniform, I often heard the phrase “security is everyone’s responsibility.” This breach drives that home. It’s not only the network administrators or intelligence officers who need to worry; every soldier in that compromised unit could potentially feel the effects. If you’re a Guardsman whose data was in that network, you might now be a target for foreign hackers in your personal life. We’ve seen cases (like the 2015 OPM data breach) where Chinese hackers amassed millions of federal employees’ records, presumably to identify people in sensitive roles or with exploitable weaknesses. The National Guard breach is a smaller-scale version of that playbook, focused on military personnel who might play crucial roles in a cyber crisis here at home.


From State Networks to National Security


One of the most striking lessons from the Guard cyber intrusion is how a breach in a state-level unit can reverberate nationally. The Army National Guard occupies a unique dual role, under state governor control for local missions on one hand, and under federal orders for national missions on the other. This hybrid position means Guard units often serve as a bridge between military and civilian infrastructures. Many Guard cyber units and intelligence teams work closely with state agencies, local law enforcement, and fusion centers (information-sharing hubs that combine federal, state, and local threat data). In fact, Guard cyber units in 14 states are integrated with state fusion centers to share threat information. This integration is usually a strength; it helps get all hands on deck to defend against cyber threats and coordinate responses. But as the DHS memo observed, if an adversary compromises those very units, it “could undermine local cybersecurity efforts to protect critical infrastructure”.


Imagine a scenario where a hurricane hits a coastal state and the National Guard is mobilized for disaster response. Those Guard networks might be connected to emergency management systems, police and fire communications, and even utility company networks (for coordinating recovery of power and water). If a hacker has already mapped out those connections and installed backdoors, they could choose that chaotic moment to disable communications, spread false information, or hamstring the responders. The memo explicitly warned that in a crisis or conflict, a compromised Guard unit could have its cybersecurity partners hamstrung; a chilling thought when you consider that could mean blinding the very folks who defend our power grids or hospitals.


This is why I argue the National Guard breach is a national security threat, plain and simple. It’s not about one state’s data; it’s about the interconnectedness of our defenses. In military terms, the Guard networks were a soft target, not as heavily fortified as, say, a Pentagon network, and the Chinese hackers expertly exploited that. By doing so, they potentially gained indirect access to information on critical infrastructure across multiple states, as well as insight into how state and federal entities coordinate cybersecurity. The breach “raises the stakes significantly,” as one analysis put it. It exposed that state-level military structures are not adequately hardened against persistent nation-state adversaries.


For someone like me, who served both in uniform and in the cyber realm, this is a bit of a personal blow. I take pride in how our National Guard supports local communities, whether it’s sending cyber experts to help a county recover from a ransomware attack or manning the operations centers during wildfires and floods. Knowing that an adversary prowled inside a Guard network for so long makes me wonder: What if they had used that access at a critical moment? Would we have caught them in time? The fact that this breach reportedly “went undetected for so long in a military environment” even prompted experts to question our visibility and segmentation policies in these hybrid networks. In short, it revealed a gap in our armor that must be addressed.


Bolstering Our Defenses and Looking Forward


Uncovering this breach is painful, but it’s also a wake-up call. It’s a reminder that cyber defense is not solely the domain of obscure IT folks in windowless rooms; it’s a responsibility that extends from the highest levels of government down to each user. Senior cybersecurity officials have noted that Chinese hacking groups like the Typhoon series are “very stealthy and very effective”, and that even our military forces at the state level are at risk. Clearly, we need to take these threats seriously at all levels. So, what can be done?


For starters, improving detection and response on these state-federal hybrid networks is crucial. If a threat actor is inside your network for months, that indicates a failure of traditional security tools that rely on known malware signatures or perimeter defenses. We need more widespread use of advanced monitoring that can catch unusual patterns, for example, an admin login at 3 AM from an unfamiliar location, or a system suddenly bundling up large configuration files to an external server. The concept of Zero Trust should be more fully embraced: assume any user or device might be compromised and continuously verify credentials and behavior. Some security experts have pointed out that relying on perimeter firewalls isn’t enough when hackers operate within the network using legitimate credentials. Techniques like endpoint detection and response (EDR), network segmentation down to smaller subnets, and strict least-privilege access controls for admin accounts can limit how freely an intruder can roam.
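To make the two detection signals named above concrete, here is a small behavioral detector run over constructed log lines. This is an added example, not code from the original post or from any Guard or DHS tooling; the log format, account names, IP ranges, business-hours window and byte threshold are all assumptions constructed for the illustration. It flags successful admin logins that occur off-hours or from a source outside the known admin ranges, and outbound transfers of config-like files above a size threshold to an external destination; the point is that both rules key on behavior rather than on malware signatures.

```python
"""Behavioral detector over constructed auth/transfer log lines (added example,
not from the original post). Every hostname, IP, account name and threshold
below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
import re

# Constructed baseline: where admins normally log in from, and their usual hours.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Constructed threshold: one outbound session larger than this carrying
# config-looking content is worth a look (5 MiB).
CONFIG_EXFIL_BYTES = 5 * 1024 * 1024
# File names that look like configuration bundles or network diagrams.
CONFIG_NAME_RE = re.compile(r"config|topology|\.(cfg|conf|vsd)$", re.I)

# Constructed line formats for the two event types the example understands.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$")
XFER_RE = re.compile(
    r"^(?P<ts>\S+) xfer user=(?P<user>\S+) file=(?P<file>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

# Constructed sample log: one normal admin login, one 3 AM login from an
# external address followed by a large config bundle leaving the network,
# one benign external document transfer, one normal user login, and one
# failed off-hours admin login (failures are not scored by these rules).
SAMPLE_LOG = """\
2024-06-03T09:12:44 auth user=jdoe role=admin src=10.20.4.17 result=success
2024-06-03T03:07:10 auth user=jdoe role=admin src=198.51.100.23 result=success
2024-06-03T03:09:55 xfer user=jdoe file=guard-network-configs.tar.gz dst=198.51.100.23 bytes=9437184
2024-06-03T10:30:00 xfer user=asmith file=quarterly.pdf dst=203.0.113.8 bytes=1048576
2024-06-03T11:00:00 auth user=asmith role=user src=10.20.8.2 result=success
2024-06-03T23:45:01 auth user=svc_backup role=admin src=10.20.0.9 result=failure
""".splitlines()


@dataclass
class Alert:
    ts: str
    user: str
    rule: str
    detail: str


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside a known internal admin range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_ADMIN_NETS)


def off_hours(ts: str) -> bool:
    """True if the ISO timestamp falls outside the assumed business window."""
    t = datetime.fromisoformat(ts).time()
    start, end = BUSINESS_HOURS
    return not (start <= t < end)


def analyze(lines):
    """Apply both behavioral rules to each line and return the alerts raised."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            # Rule 1: successful admin login that is off-hours or from an
            # unfamiliar source. Either condition alone is enough to alert.
            if m["result"] == "success" and m["role"] == "admin":
                reasons = []
                if off_hours(m["ts"]):
                    reasons.append("off-hours")
                if not is_internal(m["src"]):
                    reasons.append("unfamiliar source")
                if reasons:
                    alerts.append(Alert(m["ts"], m["user"], "admin-login-anomaly",
                                        f"{', '.join(reasons)}: login from {m['src']}"))
            continue
        m = XFER_RE.match(line)
        if m:
            # Rule 2: config-looking file, large, leaving for an external host.
            big = int(m["bytes"]) >= CONFIG_EXFIL_BYTES
            if big and not is_internal(m["dst"]) and CONFIG_NAME_RE.search(m["file"]):
                alerts.append(Alert(m["ts"], m["user"], "config-exfil",
                                    f"{m['file']} ({m['bytes']} bytes) to {m['dst']}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:<20} user={a.user} {a.detail}")
```

Run against the constructed sample, the detector raises two alerts, both for the same account within minutes of each other: the off-hours login from an external address and the config bundle that follows it. Correlating those two on user and time is exactly the kind of pattern a signature-based tool never sees, because nothing in either line is malware.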


Another lesson is the importance of cyber hygiene and training. If Salt Typhoon initially got in via something like a phishing email or an unpatched server, that’s something we could work to prevent. Regular security drills, phishing simulations, and rigorous patch management in Guard units might stop the next intrusion at the gate. Each soldier and civilian on these networks needs to be aware that clicking the wrong link or using a weak password could be the opening an enemy needs. It sounds almost trite, but in cyber warfare, the human element is often the weakest link and also our first line of defense.


Finally, this breach underscores the need for greater coordination between federal and state cybersecurity efforts. The fact that the National Guard Bureau had to confirm this attack and investigate its scope means we’re already in a reactive posture. We should be sharing threat intelligence in real-time between agencies, state units, and private sector partners. If a Guard unit in one state is compromised, there should be an alarm bell that prompts other states to check their systems for similar signs (especially since the data taken could help hack those other states). I’m heartened to see that the NSA and FBI have been working on disrupting these Chinese campaigns and shining a light on them. Public advisories in 2024, for instance, helped organizations hunt for Volt Typhoon infections. We need the same level of vigilance and transparency now for Salt Typhoon’s activities.


In conclusion, the National Guard cyber breach is more than just a startling headline; it’s a glimpse into the future of conflict and a reflection of the present reality of espionage. The battlefield has expanded from land, sea, and air to include the networks we rely on every day. As someone who has served on that new battlefield, I find it equal parts alarming and validating: alarming, because we expect our defenses to do better; validating, because it reinforces why we invested so much effort in cyber capabilities in the first place. We’re in a race; a quiet, complex arms race in cyberspace where our networks and data are the prizes.


This time, a National Guard unit was the target. Next time, it could be a power grid, a financial system, or a weapons platform. The lesson for all of us, whether you’re a tech-savvy reader or just a concerned citizen, is that cybersecurity is national security. The soldiers on the digital front lines need our support, our awareness, and yes, sometimes our patience when they enforce annoying security protocols, because they’re trying to stop intrusions like this. The Typhoon may have hit us quietly, but with vigilance and improved defenses, we can weather the storm and ensure that next time, the intruders are detected and evicted long before they ever reach our critical assets.

