DHS Warns Salt Typhoon Hack Could Expose National Guard, State Networks

July 16, 2025

A newly disclosed DHS memo outlines how a months-long breach by suspected Chinese hackers could jeopardize cybersecurity coordination between National Guard units and state agencies nationwide.

A newly issued Department of Homeland Security intelligence memo reveals that a cyber intrusion into a U.S. state’s Army National Guard network by threat actors associated with China likely enabled access to sensitive data that could be used to target other states’ National Guard units and cybersecurity partners.

The memo, obtained by Property of the People, a national security transparency nonprofit, attributes the attack to a group publicly tracked as Salt Typhoon. It warns that the compromise, which spanned from March to December 2024, could hinder local efforts to defend critical infrastructure in the event of a crisis or conflict with China.

According to a Department of Defense report cited in the memo, Salt Typhoon collected configuration data and network traffic between the affected state’s Army National Guard and its counterparts across all other U.S. states and at least four territories. Exfiltrated data included network diagrams, administrator credentials and communications metadata, all of which could streamline future cyber intrusions across the country.

Long-Term Access Raises Strategic Espionage Concerns

Salt Typhoon has a documented history of reusing stolen network configuration files to conduct follow-on attacks. Between January and March 2024, the group reportedly exfiltrated files from multiple U.S. government and critical infrastructure entities. At least one of those files was later used to exploit a vulnerability in another government agency’s network, the memo states.

The DHS warns that these developments pose a particular threat to state-level cybersecurity resilience. Army National Guard units in 14 states are reportedly integrated with state fusion centers that handle threat information sharing, including for cyber incidents. In at least one case, the Army National Guard unit is directly responsible for defending state networks.

Access to these networks could expose data about the cyber defense posture, personally identifiable information (PII) and work locations of state cybersecurity personnel, information that could enable future targeted attacks, according to the memo.

Ensar Seker, chief information security officer at SOCRadar, characterized the year-long intrusion as a “serious escalation in the cyber domain,” noting that this was not merely an opportunistic breach. He said the extended access reflects long-term, targeted espionage, likely intended to map infrastructure, monitor communication flows and identify vulnerabilities for future exploitation.

“What’s deeply concerning,” Seker added, “is that this activity went undetected for so long in a military environment.” He emphasized that the breach raises critical questions about detection capabilities and segmentation within hybrid federal-state networks.

Cybersecurity awareness advocate Erich Kron of KnowBe4 echoed those concerns, highlighting the broader national security implications. He noted that while the attack occurred at the state level, it still illustrates that even military organizations are vulnerable to advanced threat groups.

“This is just another example of the trouble they can cause and danger that they pose,” Kron said. He added that cyberattacks increasingly serve as key components of modern military campaigns, often synchronized with physical operations.

Kron warned that cybercrime must be treated as a “clear and present danger,” underscoring the importance of awareness at all levels of society, from senior officials to everyday citizens. “Whether it’s stealing money from individuals to fund other operations, or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger,” he said.

The memo also detailed a specific 2024 incident in which Salt Typhoon used access to a state Army National Guard network to exfiltrate administrator credentials, network diagrams, a map of geographic locations and the PII of service members.

Additional guidance for detecting, preventing and mitigating similar intrusions is provided in the memo’s appendices. The DHS urges state and National Guard cybersecurity personnel to take immediate steps to assess potential exposure and strengthen defenses.

About the Author

Rodney Bosch | Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].