Cyber actors, believed to be associated with the People’s Republic of China (PRC), recently attacked a United States National Guard computer network. The hacking collective known as “Salt Typhoon” compromised a U.S. state’s Army National Guard network beginning in March 2024, the Department of Homeland Security’s Office of Intelligence and Analysis warned this month. Data obtained in the breach could facilitate further hacking of Army National Guard units, as well as their state-level cybersecurity partners.
“If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict,” the memo from DHS further cautioned.
Active for Months
This is just the most recent known breach involving the Chinese hacking group, but it went unnoticed for a considerable time.
“While Salt Typhoon was detected, it had only been after the group had a foothold for 9 months,” warned Damon Small, board member at cybersecurity provider Xcape.
“There is also little detail about the Guard’s confidence that all remnants of the infiltration had been neutralized,” Small told ClearanceJobs via an email. “As the question alludes, we have no way to know that there aren’t other adversarial groups already in place. Salt Typhoon is a group that focuses on telecommunications and infrastructure to disrupt service. Their targets tend to be outside of the U.S.”
Other groups, including “Volt Typhoon,” had focused on domestic targets in an effort to achieve espionage and evade detection.
“In our opinion, it is not surprising that Salt was detected as they tend to disrupt services,” added Small. “What is truly frightening is the notion that Salt may have been the ‘tip of the spear’ that may have led to further infiltration by another group, such as Volt, that specifically evades detection and lies in wait for long periods of time.”
Salt in the Wounds
Salt Typhoon, also known as Red Mike, previously carried out a cyber espionage campaign against Western and Asian telecommunication companies. In February, the group, believed to be working at the behest of Beijing, accessed the networks of AT&T, Verizon, and Lumen Technologies, notably the systems used by federal authorities for court-approved eavesdropping.
Last October, the group carried out another attack on mobile phones from many of the same carriers. Those attacks showed that the group was adapting its tactics, as previous research had suggested it primarily conducted cyber espionage campaigns targeting government and technology providers in North America, South and Southeast Asia, Europe, and South Africa.
Salt Typhoon has demonstrated an in-depth understanding of the targeted environments, which includes the continuous identification of exposed layers for potential reentry – as well as a multi-layered attack strategy that utilizes a combination of known tools and custom backdoors that are difficult to detect and mitigate.
The group is believed to operate within China’s Ministry of State Security (MSS), and former NSA analyst Terry Dunlap previously described Salt Typhoon as a “component of China’s 100-Year Strategy.” Its official moniker, if it has one, is unknown. Microsoft assigned it the name “Salt Typhoon” because “Typhoon” in Microsoft’s naming scheme indicates attribution to China. It is alternatively known as Earth Estrie by Trend Micro, Ghost Emperor by Kaspersky Lab, Famous Sparrow by ESET, and UNC2286 by Mandiant.
Regardless of its name, the group has demonstrated its ability to remain undetected for extended periods. This is a growing concern for cybersecurity researchers and providers.
“In the case of groups that engage in spying and do not use malware to do so, detecting them can be difficult,” added Small. “Groups like this tend to ‘live off the land’ and only use resources that are already available on the target systems.”
Small said not to assume that a known-good configuration is immune to attack.
“Rather, security teams must also understand the known-good behavior of their systems,” he continued. “If a system suddenly begins communicating with China, for example, that is worthy of investigation. Periodic examination of high-value systems is no longer adequate; rather, examination must be a constant activity.”
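The baselining approach Small describes (know a system’s known-good behaviour, then treat a new destination or country as worth investigating), as an added example that is not from the article or any named vendor. It assumes connection records have already been enriched upstream with a destination country; all records are constructed sample data.

```python
# Added example (not from the article): baseline-deviation detection for
# "living off the land" intrusions. Learn each host's known-good outbound
# behaviour from a quiet period, then flag later connections that fall
# outside it. All records below are constructed sample data.
from collections import defaultdict

# Constructed records: (host, dest_ip, dest_country, dest_port)
BASELINE_LOG = [
    ("gw-01", "192.0.2.10", "US", 443),
    ("gw-01", "192.0.2.11", "US", 443),
    ("fs-02", "198.51.100.5", "US", 445),
    ("fs-02", "192.0.2.10", "US", 443),
]
WINDOW_LOG = [
    ("gw-01", "192.0.2.10", "US", 443),     # known-good
    ("gw-01", "203.0.113.7", "CN", 443),    # new destination AND new country
    ("fs-02", "198.51.100.5", "US", 445),   # known-good
    ("fs-02", "198.51.100.9", "US", 22),    # new destination, same country
]


def learn_baseline(records):
    """Per-host sets of known-good (ip, port) pairs and destination countries."""
    dests, countries = defaultdict(set), defaultdict(set)
    for host, ip, country, port in records:
        dests[host].add((ip, port))
        countries[host].add(country)
    return dests, countries


def find_deviations(records, baseline):
    """Return connections outside the host's baseline, with a severity.

    'high'   = destination country never seen for this host (the "system
               suddenly begins communicating with China" case);
    'medium' = only the (ip, port) pair is new.
    """
    dests, countries = baseline
    findings = []
    for host, ip, country, port in records:
        if (ip, port) in dests.get(host, set()):
            continue  # matches known-good behaviour, no alert
        sev = "high" if country not in countries.get(host, set()) else "medium"
        findings.append({"host": host, "dest": ip, "port": port,
                         "country": country, "severity": sev})
    return findings
```

Running `find_deviations` continuously over each new window, rather than on a periodic audit schedule, is the “constant activity” Small calls for; a host absent from the baseline entirely is flagged high on its first outbound connection.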