"Following the Salt Typhoon hack, American military forces should assume their digital systems have been infiltrated"
In a series of recent activities, the Chinese-linked Salt Typhoon advanced persistent threat (APT) group has been conducting a global cyber espionage campaign, with a particular focus on telecommunications providers and critical infrastructure.
**Telecommunications Targeting**
Over the past year, Salt Typhoon has successfully breached major telecom carriers in numerous countries, including the United States and Canada. The group exploited known vulnerabilities in Cisco IOS XE network devices to gain persistent access, steal configuration files, and establish GRE tunnels for data exfiltration. In Canada, Salt Typhoon compromised three telecom devices in February 2025, retrieving configurations and setting up covert data collection channels.
**Breach of US Army National Guard Network**
In 2024, Salt Typhoon gained access to a US state’s Army National Guard network, exfiltrating administrator credentials, network traffic diagrams, maps of geographic locations, and the personally identifiable information (PII) of service members. This breach exposed sensitive details about the state's cyber defense posture, as well as the work locations and information of cybersecurity personnel, data that could be used to inform future targeting efforts.
The intrusion is described as a “serious escalation” by experts, indicating that US military networks remain high-value targets for Chinese state-sponsored cyber actors. The compromise of such networks could enable further espionage, insider threats, or even facilitate disruptive operations in the event of heightened tensions. Former officials warn that all US forces should now assume their networks are or could be compromised.
**Capabilities and Tactics**
Salt Typhoon has demonstrated advanced capabilities in exploiting unpatched vulnerabilities in widely used network devices, allowing them to move laterally within networks, harvest credentials, and maintain persistence. Their ability to configure GRE tunnels for covert data exfiltration highlights their sophistication in network manipulation.
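The two passages above describe the same pattern from the defender's side: a compromised network device whose saved configuration now contains a GRE tunnel the network team never created. The following script is an added example, not code from the article or from any vendor; it parses a Cisco IOS-style running configuration (constructed sample text, not real device output), extracts every interface in GRE mode, and flags tunnels whose destination is not on an approved list, noting whether the endpoint lies outside the organisation's internal address ranges (also a constructed assumption). Comparing each device's current config against such a baseline is one practical way to surface the covert collection channels the article refers to.

```python
"""
Added example (not from the article): a defensive audit of a saved Cisco
IOS-style running configuration that flags GRE tunnel interfaces whose
destination is not on an approved list. The config text, the allowlist and
the internal ranges below are constructed sample data, not real device
output or real infrastructure.
"""
import ipaddress
import re

# Constructed sample config: Tunnel0 is a known, approved site-to-site tunnel;
# Tunnel99 is an unexpected tunnel pointing at an address outside the estate.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
interface Tunnel0
 description approved DC backhaul
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.50.0.2
 tunnel mode gre ip
!
interface Tunnel99
 ip address 172.31.250.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
"""

# Constructed allowlist of tunnel endpoints the network team actually manages,
# and the (assumed) internal address space a legitimate tunnel should stay in.
APPROVED_TUNNEL_DESTINATIONS = {"10.50.0.2"}
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface_name: [stanza lines]}.

    An interface stanza starts with an unindented 'interface X' line and
    continues through the indented lines that follow; '!' or any other
    top-level command ends it.
    """
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def gre_tunnels(config_text):
    """Return {tunnel_name: destination_or_None} for every GRE-mode interface."""
    found = {}
    for name, lines in parse_interfaces(config_text).items():
        if not any(l.startswith("tunnel mode gre") for l in lines):
            continue
        dest = None
        for l in lines:
            m = re.match(r"tunnel destination (\S+)", l)
            if m:
                dest = m.group(1)
        found[name] = dest
    return found


def unapproved_tunnels(config_text, approved=APPROVED_TUNNEL_DESTINATIONS):
    """List (tunnel, destination, reason) for GRE tunnels that need review.

    A tunnel is flagged when it has no destination or when the destination
    is not on the approved list; the reason notes whether the endpoint falls
    outside INTERNAL_RANGES, which is the case most worth escalating.
    """
    findings = []
    for name, dest in gre_tunnels(config_text).items():
        if dest is None:
            findings.append((name, None, "no tunnel destination configured"))
            continue
        if dest in approved:
            continue
        reason = "unapproved destination"
        try:
            addr = ipaddress.ip_address(dest)
            if not any(addr in net for net in INTERNAL_RANGES):
                reason += " outside internal ranges"
        except ValueError:
            reason += " (hostname, not an address)"
        findings.append((name, dest, reason))
    return findings


if __name__ == "__main__":
    for tunnel, dest, reason in unapproved_tunnels(SAMPLE_CONFIG):
        print(f"REVIEW {tunnel}: destination={dest} -> {reason}")
```

Run against a real archive of `show running-config` exports, the same logic also catches a tunnel that was present at the last review but now points somewhere new; keeping the allowlist in version control alongside the configs makes every change to it auditable.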
The group is part of a broader ecosystem of Chinese cyber espionage units targeting critical infrastructure and government agencies, with close ties to China’s military and intelligence apparatus. Their activities are coordinated and persistent, aiming to gather intelligence that could support both strategic and operational goals.
**Recent Adversary Response**
Senior US cybersecurity officials have reported some success in disrupting these Chinese campaigns, although the threat remains endemic. The Department of Homeland Security (DHS) released an advisory in June 2025 detailing Salt Typhoon’s activities and urging increased vigilance across critical sectors. While officials note that parallel Chinese campaigns aimed at prepositioning for disruptive attacks have not succeeded, the broader Typhoon campaigns continue to pose a significant espionage risk.
**Implications**
The Salt Typhoon incident raises questions about local cybersecurity efforts to protect critical infrastructure. This is not the first breach of DoD systems in recent years, and Barlet, former Chief of Ground Networks for the Air Force CIO, emphasized that the Salt Typhoon compromise of the US National Guard is a significant event. He warned that all US forces must assume their networks are compromised going forward, accelerate Zero Trust adoption, and implement a breach containment strategy.
The breach potentially gave the Salt Typhoon group access to sensitive military and law enforcement data, and the Ponemon Institute reported that 55% of organizations admitted a compromised device had infected other devices on the network. The exfiltrated data included administrator credentials and network diagrams, and the Salt Typhoon group is believed to have used stolen device configuration files to enable intrusions elsewhere. In December 2024, it was revealed that the group accessed and recorded private conversations of "very senior" US political figures.
In conclusion, Salt Typhoon continues to operate as a highly capable, state-sponsored cyber espionage group with a demonstrated ability to breach sensitive US military and critical infrastructure targets. Defenders must assume that such networks are compromised and prioritize remediation and monitoring to mitigate risks.
- The Salt Typhoon APT group, known for its global cyber espionage campaign, has also reached military networks, as seen in its 2024 breach of a US state's Army National Guard network, which resulted in the exfiltration of administrator credentials, network diagrams and the PII of service members.
- As Salt Typhoon's activities extend beyond telecommunications and critical infrastructure, there is growing concern about their political impact, such as the access the group gained to private conversations of "very senior" US political figures, revealed in December 2024.
- The advanced capabilities of Salt Typhoon, which has demonstrated the ability to exploit unpatched vulnerabilities in network devices and configure GRE tunnels for covert data exfiltration, pose risks to any organization's network infrastructure, regardless of sector.