‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach
The announcement marks the second major Salt Typhoon incident in the space of two years


Cybersecurity experts have issued a stark warning after the Salt Typhoon cyber espionage group breached a US state’s National Guard network.
According to the US Department of Defense (DoD), the group breached the network and lay low in it for almost a year, potentially accessing sensitive military and law enforcement data.
The DoD report, released following an FOI request by the Property of the People nonprofit, details a long-running campaign that “extensively compromised” the National Guard network from March 2024 to December last year.
As part of the breach, Salt Typhoon is believed to have collected and exfiltrated sensitive data, including configuration files for critical national infrastructure (CNI) organizations and state government agencies.
“This data also included these networks’ administrator credentials and network diagrams — which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the DoD warned.
Exact details of which National Guard unit was impacted weren’t disclosed.
Salt Typhoon has previously used exfiltrated network configuration files to “enable cyber intrusion elsewhere”, the DoD report noted. Indeed, between January 2023 and March 2024, it stole 1,462 configuration files associated with 70 US government and CNI identities spanning 12 sectors.
This included organizations in energy, communication, transportation, and wastewater.
The report concluded that Salt Typhoon’s success “could undermine local cybersecurity efforts to protect critical infrastructure”.
Salt Typhoon incident raises serious questions
The incident marks the latest in a string of high-profile attacks by the Chinese-linked cyber espionage group, including attacks on US telecoms firms AT&T and Verizon.
In December last year, White House officials warned that this particular campaign saw the group access and record private conversations of “very senior” US political figures.
Gary Barlet, public sector CTO at Illumio, said the incident once again highlights the group’s proficiency and ability to compromise US government networks.
Barlet, who served as Chief of Ground Networks for the Air Force CIO, warned “all US forces must now assume their networks are compromised,” moving forward.
“Salt Typhoon's compromise of the US National Guard is a significant event and potentially poses a serious threat to many Department of Defense systems,” he said.
“The ability of groups such as Salt Typhoon to move laterally across different units and systems is why government agencies must accelerate Zero Trust adoption and go even further with a breach containment strategy,” Barlet added.
Barlet noted that this isn’t the first breach of DoD systems in recent years. There have been “numerous” instances across the public and private sectors where sensitive information has been compromised by lateral movement.
“The Ponemon Institute highlighted that 55% of organizations admitted a compromised device had infected other devices on the network,” he added.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.