Salt Typhoon's Stealthy Siege: Nine-Month National Guard Breach Exposes Critical Network Vulnerabilities
In a stark reminder of the fragility of national cybersecurity defenses, the Chinese state-sponsored hacking group Salt Typhoon remained hidden within a U.S. Army National Guard network for nearly a year. Between March and December 2024, they exfiltrated sensitive network diagrams, configuration files, and administrator credentials—data that could pave the way for attacks on other government agencies and critical infrastructure sectors. This prolonged breach, detailed in a Department of Homeland Security (DHS) memo obtained by NBC, reveals how stolen network topologies serve as blueprints for broader intrusions, turning a single vulnerability into a cascading threat.
The Anatomy of the Attack
Salt Typhoon, linked to China's Ministry of State Security, has a notorious track record of targeting telecommunications giants like AT&T and Verizon. Their latest operation followed a familiar playbook: exploiting outdated vulnerabilities in networking hardware to gain initial access. Once inside the National Guard’s systems, they operated stealthily, harvesting:
- Network configuration files: Containing settings for routers, firewalls, and VPN gateways, which map out secure pathways between networks.
- Administrator credentials: Enabling future logins to interconnected state, territorial, and federal systems.
- Personal data of service members: Potentially usable in social engineering attacks.
The DHS report indicates Salt Typhoon leveraged known flaws in devices from vendors like Cisco and Palo Alto Networks, including:
- CVE-2018-0171: A critical remote code execution bug in Cisco’s Smart Install feature.
- CVE-2023-20198 and CVE-2023-20273: Zero-day and privilege escalation flaws in Cisco IOS XE, often chained for persistent access.
- CVE-2024-3400: A command injection vulnerability in Palo Alto’s GlobalProtect.
The DHS report also lists attacker IP addresses tied to these exploits.
Why This Breach Matters
Network configurations are more than technical documents—they’re master keys. As one analyst put it:
"Stolen topology data allows attackers to bypass air-gapped networks, turning isolated breaches into systemic risks. Salt Typhoon’s theft of 1,462 files from 70 entities since 2023 shows how one compromise can fuel an entire campaign."
This incident amplifies concerns about supply chain security, where a single unpatched router in a state agency can jeopardize federal systems. Salt Typhoon has previously used similar data to spy on U.S. political communications, deploying malware like GhostSpider to monitor telecom networks. The DHS urges immediate action: patching vulnerabilities, disabling unused services, segmenting SMB traffic, and enforcing strict access controls.
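As an added illustration (not code from the article or the DHS memo) of the "disable unused services" advice above, this Python audit flags, in a Cisco IOS/IOS XE running-config, the two services behind the Cisco CVEs named earlier: the Smart Install client (CVE-2018-0171, turned off with `no vstack`) and the HTTP/HTTPS web UI that CVE-2023-20198 and CVE-2023-20273 abuse (turned off with `no ip http server` and `no ip http secure-server`). The config text is constructed, and the assumption that Smart Install is enabled unless `no vstack` appears reflects older IOS defaults and should be confirmed per platform with `show vstack config`.

```python
import re
from typing import Dict, List

# Constructed sample running-configs (not from the article). The first is typical of an
# unhardened access switch; the second applies the mitigations.
SAMPLE_CONFIG = """\
hostname edge-sw01
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-sw01
no vstack
no ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
"""


def audit_ios_config(config: str) -> Dict[str, List[str]]:
    """Map each finding to the offending (or missing) config lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings: Dict[str, List[str]] = {}

    # CVE-2018-0171: Smart Install client. Assumption: on older IOS it is on by
    # default, so the absence of an explicit "no vstack" is treated as enabled.
    if "no vstack" not in lines:
        findings["smart_install_enabled"] = ["(no 'no vstack' line present)"]

    # CVE-2023-20198 / CVE-2023-20273 are reached through the IOS XE web UI,
    # i.e. the HTTP or HTTPS server. Only active (non-"no") lines match here.
    http = [l for l in lines if re.fullmatch(r"ip http (secure-)?server", l)]
    if http:
        findings["web_ui_enabled"] = http

    # General "unused services" hygiene: plaintext management on VTY lines.
    telnet = [l for l in lines if l.startswith("transport input") and "telnet" in l.split()]
    if telnet:
        findings["telnet_on_vty"] = telnet
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg))
```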
The Bigger Picture
China’s embassy deflected blame, citing a lack of "conclusive evidence," but the pattern is clear. State-sponsored groups are refining their ability to dwell undetected in critical networks, exploiting delays in patch management. While the National Guard confirmed no mission disruptions, the silent exfiltration of credentials means the real damage may unfold gradually—as Salt Typhoon pivots to new targets using stolen insights. For developers and security teams, this breach is a call to scrutinize legacy infrastructure; in an era of interconnected systems, outdated code isn’t just a nuisance—it’s an invitation to adversaries who play the long game.
Source: BleepingComputer