How a Chinese hacking group breached a U.S. National Guard network and exposed the fragility of America's digital defenses
By David Griffeth

In the sterile hum of a server room somewhere in America’s heartland, an enemy hid in plain sight.
For nine months—from March through December of 2024—an elite Chinese cyber unit operated undetected inside the digital infrastructure of a U.S. Army National Guard network. They didn’t deface files or demand ransom. They didn’t announce themselves with a signature. They listened. They learned. And by the time the Department of Homeland Security issued a warning in June of the following year, the damage had long since been done.
The attackers weren’t unknown to the intelligence community. They are known as Salt Typhoon, a quiet but formidable hacking group believed to be linked to China’s Ministry of State Security, or MSS. Cybersecurity firms and U.S. officials now describe Salt Typhoon as part of a larger constellation of Chinese cyber operators who blend state espionage with long-term strategic infiltration. Unlike ransomware gangs or so-called hacktivists, they do not operate for profit or visibility. Their objective is persistence—occupying high-value systems for as long as possible, in as many places as possible, without being noticed.
The breach of a National Guard network offered them exactly that.
The full scope of the intrusion has not been publicly disclosed, but according to internal sources familiar with the forensic investigation, the hackers accessed detailed architectural schematics of Guard facilities, personnel records, credentials used in secure field communications, and inter-state coordination platforms used for disaster response and military mobilization. Worse still, they moved laterally, exploiting federated trust relationships between state systems to pivot into adjacent Guard networks.
They didn’t just compromise a state—they created a template.
One source involved in the joint response effort described the breach as “the most sobering failure of cyber hygiene in a decade.” In one instance, Salt Typhoon reportedly accessed live camera feeds from a Guard logistics hub. In another, they downloaded over 1,400 configuration files from networking devices used to manage secure comms during statewide emergencies.
The hackers remained present and active from spring to winter—essentially squatting inside U.S. military infrastructure, watching from within.
Salt Typhoon had surfaced before
Salt Typhoon had surfaced before. Traces of their code, their command-and-control servers, and their malware signatures had appeared in prior investigations tied to telecom intrusions as early as 2022. In those incidents, the group exploited unpatched vulnerabilities in enterprise-grade routers and firewalls to gain access to some of the largest telecommunications networks in the United States.
By mid-2023, they had quietly infiltrated at least eight major carriers—AT&T, Verizon, Lumen Technologies, and several regional providers. The scope of that surveillance shocked even veteran intelligence officers. Salt Typhoon didn’t just gather metadata—they monitored live traffic. Texts, call logs, user authentication data. In some cases, they gained access to communications linked to high-level political figures, including then-presidential candidates and senior U.S. Senators.
One White House official, speaking off the record, described the effort as “the most significant compromise of the U.S. telecom backbone in our country’s history.” And it wasn’t over. By December 2024, a ninth telecom had been breached. Some networks remained infected well into the first quarter of 2025.
The group’s methods were as elegant as they were disturbing. They exploited unpatched software vulnerabilities—sometimes years old—in widely deployed hardware. They avoided detection by using what cybersecurity professionals call “living off the land” techniques: leveraging tools already present in the operating system to blend into routine traffic. They installed backdoors that mimicked legitimate network services and used stolen credentials to move between systems undetected.
In one case, they exploited a zero-day vulnerability—a flaw unknown to the vendor at the time—in Wi-Fi controllers used by both universities and military contractors. That gave them a foothold not only in commercial networks but in defense-adjacent environments.
Once inside, they didn’t smash and grab. They stayed. For months. Sometimes for years.
More than an act of espionage
The Salt Typhoon intrusion into the National Guard’s systems wasn’t just an act of espionage—it was a test. A proof of concept. And a warning.
Cybersecurity analysts are increasingly describing China’s strategy not in terms of theft, but in terms of pre-positioning. In other words, the goal is not necessarily to exploit a breach today, but to be ready to exploit it tomorrow. If conflict breaks out over Taiwan or another Pacific flashpoint, China’s cyber units will already be inside the systems needed for American military coordination, civilian mobilization, and infrastructure resilience.
They won’t need to breach anything. They’ll just activate what’s already in place.
Salt Typhoon is not the only player in this strategy. Another Chinese unit, Volt Typhoon, has been tied to attacks on U.S. critical infrastructure, including water treatment facilities, ports, and electric grids. In 2023 and 2024, Volt Typhoon was found burrowed inside the operational systems of American utility companies, reportedly using the same low-noise infiltration techniques as Salt Typhoon. Officials from the Department of Defense and the Cybersecurity and Infrastructure Security Agency have issued public warnings about the scope and intent of these campaigns, describing them as “preparation for potential disruption in the event of geopolitical escalation.”
This is not hypothetical. It is not theory. It is strategy in motion.
The U.S. government response
In response, the U.S. government has made some moves—public and otherwise. In January 2025, the Treasury Department imposed sanctions on a Chinese technology firm and an individual tied to MSS-affiliated operations. Several affected telecoms have issued brief statements asserting that the intrusions have been contained. But behind closed doors, officials acknowledge that total eradication is difficult to verify—especially when attackers use native system tools and privileged credentials to maintain access.
The state affected by the National Guard breach has not been named. That opacity, while perhaps necessary to protect ongoing investigations, has bred confusion and frustration within the broader cybersecurity community. If one state can be breached for nine months, others may already be compromised—and not know it.
China’s foreign ministry, for its part, has denied any involvement in the intrusions, calling the accusations “baseless” and “politically motivated.” Its embassies have pointed to the lack of publicly released technical evidence, accusing the U.S. of waging an information campaign. Yet experts across the cybersecurity field—from government contractors to private sector researchers—widely agree: Salt Typhoon is real, and its operations bear all the hallmarks of a state-backed offensive campaign.
An unnerving approach
What makes Salt Typhoon’s approach especially unnerving is not its complexity, but its patience. These are not chaotic smash-and-leave attacks. They are silent occupations. The adversary does not want to break things—they want to learn how they work.
It is not difficult to imagine the consequences of escalation. With enough time and access, the same actors who harvested data could disable communications during a natural disaster, compromise logistics chains during a military deployment, or quietly sabotage infrastructure when it’s needed most.
And the truth is, they don’t need to do any of that to win. The mere knowledge that they could is enough to sow distrust, discredit systems, and fracture confidence in American resilience.
This is what makes nation-state hacking so corrosive. It is not just a crime—it is a strategic act of power.
The breach that should have been a watershed moment
The Salt Typhoon breach should have been a watershed moment. A full-scale alert. A public reckoning with the porousness of our digital perimeter. But it has largely passed without national debate. No congressional hearings. No primetime addresses. Just a footnote in the accelerating saga of modern cyberwarfare.
And that silence is its own kind of vulnerability.
Because if a group of state-sponsored hackers can quietly sit inside a U.S. National Guard network for nearly a year—harvesting data, mapping systems, and preparing for whatever comes next—what else might they already be inside?
We are entering an era in which wars may begin not with missiles, but with malware, and power may be projected not through fleets, but through fiber. Salt Typhoon is not an outlier. It is a preview.
The battlefield is already here. It just doesn’t look like one yet.