Salt Typhoon Breached U.S. Army National Guard, DHS Memo Reveals
Thu | Jul 17, 2025 | 4:39 AM PDT

A newly surfaced U.S. Department of Homeland Security (DHS) memo has confirmed that a Chinese state-linked hacking group known as Salt Typhoon gained extensive, months-long access to a U.S. Army National Guard network, raising concerns not just for military cybersecurity but for the broader fabric of U.S. critical infrastructure defense.

Nine months of undetected access

According to the memo, dated June 11, 2025, Salt Typhoon infiltrated the network of an unnamed state's Army National Guard from March to December 2024, stealing administrative credentials, network configurations, internal diagrams, and personally identifiable information (PII) of service members.

Though the intrusion was into a single state's Guard unit, the memo details that the breach affected communications with all 50 states and at least four U.S. territories, indicating a far-reaching intrusion. The attack was described as "extensive" and coordinated, suggesting that the compromise was strategic in nature rather than opportunistic.

More than a military target

As Bugcrowd founder Casey Ellis explained, the intrusion should not be viewed through a purely military lens. "An intrusion on a National Guard isn't a 'military only' operation," Ellis said. "States regularly engage their National Guard to assist with cyber defense of civilian infrastructure. As a target, they would be a rich source of all kinds of useful intelligence."

That intelligence is what Salt Typhoon appears to be after. While Volt Typhoon—another Chinese APT—has focused on embedding stealthily in critical infrastructure for long-term disruption, Salt Typhoon is, according to Ellis, "focused on positioning for intelligence gathering."

The DHS memo supports this, citing the exfiltration of data that could facilitate lateral movement into other connected systems or inform future attacks. The memo triggered interagency coordination between the Pentagon, DHS, CISA, and the National Guard Bureau, and mitigation steps are ongoing.

The bigger picture: a cold cyber war

"This confirms what many of us already believe," said Bryan Cunningham, President at Liberty Defense and former White House lawyer. "The U.S. and our democratic allies are already in at least a 'cold' third global conflict."

Cunningham linked the breach to a broader pattern of aggressive behavior by authoritarian states like China, Russia, and Iran—each probing or attacking Western infrastructure. "Salt Typhoon and Volt Typhoon are widely believed to be APT groups operating at the behest of the PRC," he said, describing Salt Typhoon as the "noisier" and more disruptive of the two.

"These adversaries do not respect the Law of Armed Conflict and are fully prepared to target civilian infrastructure," Cunningham warned, noting that National Guard units—even those not actively engaged in conflict—are still viewed as valid targets by cyber adversaries.

A persistent threat landscape

The Salt Typhoon breach is not an isolated incident. Chinese APTs have been linked to previous attacks on major U.S. telecommunications providers and are suspected of having access to metadata—and possibly audio—from key communication networks. The DHS memo builds on those concerns, suggesting China's cyber strategy involves pre-positioning for both intelligence and eventual disruption.

"There is a bit of a whack-a-mole element to modern cyber infiltration," Cunningham added, noting that hacker groups evolve constantly, often blending financial motives with state-backed operations. "Absent an actual shooting war, these authoritarian nations and their hacker proxies likely will test mostly around the margins… but they likely will accelerate their destructive attacks if they believe a shooting war is imminent."

Shields up: a call to action

The breach is another wake-up call for domestic cyber defenders. "Vigilance and continuing efforts toward resilience are key," said Ellis. "We are basically playing a giant game of whack-a-mole here."

Cunningham emphasized the importance of a proactive mindset among CISOs: "Organizations need to be in a 'shields up' posture, carefully monitoring their assets and staying current on evolving threats—including employee cyber hygiene training, since human error remains a major vector."

As geopolitical tensions escalate, incidents like the Salt Typhoon intrusion are likely to become more frequent, sophisticated, and challenging to detect. The question is no longer if these groups will target U.S. infrastructure, but how far they'll go once they're in.
