Network Security, Breach, Threat Intelligence

China-linked Salt Typhoon infiltrated state National Guard network

National Guard logo on the Pierce County Readiness Center at Camp Murray on Nov. 3, 2022. (U.S. National Guard Photo by Peter Chang)

On the same day that top officials at the National Security Agency (NSA) and FBI proclaimed that China-linked Volt Typhoon had “really failed” in its efforts to persist in U.S. domestic networks, news broke that an unspecified Army National Guard Unit was compromised for nearly a year by Salt Typhoon, another China-linked advanced persistent threat (APT) group.

“The recent developments with Salt Typhoon and Volt Typhoon highlight the relentless nature of cyber espionage and pre-positioning campaigns attributed to the People’s Republic of China,” said Morgan Wright, senior fellow at the Center for Digital Government. “These operations aren't isolated, they're part of a broader strategy to gain strategic advantages in intelligence gathering and potential disruption.”

Kevin Surace, chair at Token, viewed the Volt Typhoon case as a tactical win, but not a strategic one.

“Disrupting one group temporarily limits active campaigns, but the underlying vulnerabilities remain,” said Surace. “Until organizations address the root problem — reliance on credentials and outdated authentication methods — new groups will continue to gain access using the same techniques. Eliminating an individual group is useful, but the real win comes from making the entire attack vector obsolete.”

Surace explained that both groups are China-based and operate with similar strategic goals, but employ slightly different tactics and target sets. 

Volt Typhoon primarily focuses on long-term espionage in U.S. critical infrastructure, including water facilities, utilities and communications, using stealthy living-off-the-land (LOTL) techniques and exploiting edge network devices to remain hidden for months or even years. 

On the other hand, Surace said Salt Typhoon has been more aggressive in exploiting unpatched network infrastructure and stolen credentials, using phishing and spoofing techniques to thwart MFA as a way to gain deep, persistent access. The targeting of a U.S. National Guard network suggests an interest in military readiness and disaster-response operations, which could have downstream implications for both defense and critical infrastructure coordination.

“Both are believed to be affiliated with Chinese state interests, but Salt Typhoon’s operational tempo suggests a more direct intelligence-gathering mandate,” added Surace.

Nic Adams, co-founder and CEO at 0rcus, added that Beijing’s intrusion program functions as a portfolio of semi-independent contractor units. He said evicting one unit drains resources and burns tooling, but overlapping teams with shared infrastructure keep probing. Adams said Salt Typhoon’s continued activity after Volt Typhoon’s takedown illustrates that defenders face a distributed ecosystem rather than a single monolith.

“Salt Typhoon hides in plain sight by exploiting ubiquitous network gear, routing traffic through leased cloud nodes that resemble legitimate vendor updates, and reusing stolen configurations instead of dropping binaries that endpoint tools flag,” said Adams. “National Guard networks are enticing because they bridge state emergency systems and federal command channels, yielding both topology maps and credentials that open doors into downstream critical-infrastructure environments.”

Adams added that disabling Volt Typhoon is a tactical win that removes immediate risk and forces the adversary to rebuild access. However, he pointed out that we can’t declare a strategic victory until follow-on units such as Salt Typhoon are contained and the intrusion economics become prohibitive for all operators in the contractor portfolio.

Wright of the Center for Digital Government warns that now is not the time to become complacent. Wright believes Volt Typhoon will reconstitute itself and may become even more powerful as it learns from prior mistakes and improves its tradecraft. Meanwhile, Salt Typhoon continues to persist, remaining tough to find and even tougher to eliminate.

“The efforts against Salt Typhoon and Volt Typhoon, and by proxy the PRC, feel Sisyphean,” said Wright. “Just as it seems we’ve pushed the rock of defending against them up the digital hill, it comes crashing back down again. The PRC is a determined adversary with extensive bench strength and private sector reachback capability.”

The Department of Homeland Security confirmed Wednesday that it had updated its partners on Salt Typhoon's targeting of National Guard networks, and that it will continue to work with those partners to prevent future attacks and mitigate risk.
