A sophisticated Chinese cyberspy group known as Salt Typhoon penetrated at least one state’s National Guard network for nearly ten months, accessing sensitive military and law enforcement information in what represents a significant escalation of Beijing’s cyber operations against American defense infrastructure.
The breach, which occurred from March 2024 to December 2024, highlights the persistent and evolving threat posed by state-sponsored hackers targeting critical military networks.
Extensive Network Compromise Reveals Sensitive Data Access
The Department of Defense investigation revealed that Salt Typhoon hackers gained extensive access to the compromised National Guard network, obtaining geographic location maps, internal network diagrams, and personal information of service members.
A Department of Homeland Security memo from June 2024 detailed the severity of the breach, noting that the attackers had “extensively compromised a U.S. state’s Army National Guard network.”
The technical implications of this breach extend beyond the immediate target. The hackers accessed detailed network architecture information that could facilitate attacks on other state National Guard units and their cybersecurity partners.
Given that National Guard units in 14 states collaborate with law enforcement “fusion centers” for intelligence sharing, the compromise potentially exposed broader state-level security operations.
The breach’s duration, nearly a full year, allowed the attackers to establish persistent access and conduct thorough reconnaissance of the target network.
This extended timeline is consistent with Salt Typhoon’s operational methods, as security firm Cisco reported that the group has maintained a presence in some compromised environments for up to three years.
Salt Typhoon’s Expanding Campaign Against US Infrastructure
Salt Typhoon has emerged as one of China’s most formidable cyber espionage groups, demonstrating a remarkable ability to pivot between different types of targets.
The group had previously infiltrated at least eight major US telecommunications companies, including AT&T and Verizon, using that access to monitor communications of both the Harris and Trump presidential campaigns, as well as the office of Senate Majority Leader Chuck Schumer.
The group’s persistence makes complete remediation a challenging task.
While AT&T announced in December 2024 that it appeared to be no longer affected, and Verizon claimed to have “contained” its incident in January 2025, neither company guaranteed full protection against future intrusions by the same actors.
In response to the ongoing threat, the Treasury Department sanctioned a Sichuan-based company in January 2025 for allegedly supporting Beijing’s Ministry of State Security in conducting Salt Typhoon operations.
However, China’s embassy in Washington has disputed attribution claims, stating that the US “has been unable to produce conclusive and reliable evidence” linking Salt Typhoon to the Chinese government.
Despite the compromise, National Guard Bureau officials confirmed that the attack has not prevented the National Guard from accomplishing assigned missions. At the same time, investigations continue to determine the full scope of the breach.





