Chinese Salt Typhoon Infiltrated US National Guard Network for Months

A Department of Homeland Security memo confirms that the Chinese group Salt Typhoon extensively compromised a US state's National Guard network for nearly a year, stealing sensitive military and law enforcement data.

HackRead

The Chinese APT group Salt Typhoon infiltrated a US state's Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Department of Homeland Security (DHS) memo from June,

While this raises concerns about the security of US military and critical infrastructure systems, the attack is not entirely unexpected. As Hackread.com has previously reported, infostealer logs sold for as little as $10 have already exposed credentials for highly sensitive systems belonging to the US military and even the FBI.

The DHS memo, which drew on a Department of Defense (DOD) report and was later shared with NBC News in response to a freedom of information request by the national security transparency non-profit Property of the People, states that Salt Typhoon "extensively compromised" the network. The memo does not name the state, but it makes clear that the access let the hackers collect highly sensitive information.

**Deep Compromise and Data Theft**

During their prolonged access, Salt Typhoon gathered sensitive data, including network configurations and details of data traffic between the compromised network and National Guard units in every other US state and at least four US territories. Critically, the stolen material also contained administrator credentials and network diagrams, which could be reused to reach other National Guard units.

The data stolen also included geographic location maps and personally identifiable information (PII) of service members. In some 14 states, National Guard units work closely with “fusion centres” for intelligence sharing, meaning the breach could have a wider impact, the memo noted.

**Salt Typhoon: A Persistent Threat**

It is worth noting that Salt Typhoon (aka GhostEmperor, FamousSparrow, Earth Estries and UNC2286) has a history of targeting US government and critical infrastructure sectors, including energy, communications, transportation, and water systems.

As Hackread.com previously reported, in November 2024, Salt Typhoon was linked to a significant hack of T-Mobile, highlighting vulnerabilities in telecom systems. So far, the group has compromised at least eight major US internet and phone companies, including AT&T and Verizon.

That telecom access was reportedly used to monitor communications of prominent political figures, including the Harris and Trump presidential campaigns and Senate Majority Leader Chuck Schumer's office.

A June 2025 advisory from the FBI and the Canadian Centre for Cyber Security warned of Salt Typhoon's global campaign against telecom networks, in which the group exploits vulnerabilities such as CVE-2023-20198 in Cisco IOS XE network devices to steal data and maintain hidden access.

**Implications**

Because National Guard units operate under both federal and state authority, the stolen configurations and credentials may create additional points of entry for follow-on attacks at both levels. The Department of Defense has not commented on the specifics, but a National Guard Bureau spokesperson confirmed the compromise, saying it has not affected the Guard's missions.

“DHS is continuing to analyse these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” a DHS spokesperson said.

A spokesperson for China's embassy in Washington did not deny the campaign but said the US lacks conclusive evidence linking Salt Typhoon to the Chinese government. Practitioners nevertheless recommend hardening network devices (in particular disabling, or restricting to a management network, exposed administrative interfaces such as the IOS XE web UI that CVE-2023-20198 targets), enforcing stronger password policies, and enabling strong encryption to counter such threats.

“Volt Typhoon is focused on prepositioning for disruption, and creating a deterrent effect based on this, whilst Salt Typhoon is focused on positioning for intelligence gathering,” said Casey Ellis, founder of Bugcrowd, a San Francisco-based crowdsourced security company.

“An intrusion on a National Guard isn’t a ‘military only’ operation. States regularly engage their National Guard to assist with the cyber defense of civilian infrastructure. As a target, they would be a rich source of all kinds of useful intelligence,” Ellis argued.

“Intelligence informs action, so while the Volt Typhoon announcement is encouraging, it’s important to remember that we are basically playing a giant game of whack-a-mole here. Vigilance and continuing efforts towards resilience are key for domestic defenders of all types,” he advised.

Related news

Weathering the storm: In the midst of a Typhoon

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.

Zero-Days Win the Prize for Most Exploited Vulns

Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.

Cisco IOS XE Unauthenticated Remote Code Execution

This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices

Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first

Cisco Web UI Vulnerability Exploited Massively, Impacting Over 40K Devices

By Deeba Ahmed. It is unclear how long Cisco will take to release a patch. (HackRead.com)

Cisco IOS XE vulnerability widely exploited in the wild

Researchers have found that the recently disclosed vulnerability in Cisco IOS XE has already led to thousands of compromised devices. (Malwarebytes Labs)

Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices carrying an implant that allows arbitrary code execution. Cisco has meanwhile updated its advisory with additional mitigation steps.

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have

New Cisco Web UI Vulnerability Exploited by Attackers

By Waqas. Another day, another critical vulnerability hits Cisco! (HackRead.com)

CVE-2023-20198: Cisco Security Advisory: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when it is exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of the advisory. Cisco will provide updates on the status of this investigation and on when a software patch is available.
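The advisory summary above describes the outcome of CVE-2023-20198 (an unauthenticated actor reaching the IOS XE web UI and creating a privilege-15 local user) and the hardening advice earlier in the article stays generic. The Python below is an added illustration, not code from Cisco, HackRead or any of the linked posts, of the two concrete checks a defender would run after reading that advisory: audit the running-config for an enabled web UI and for privilege-15 accounts nobody on the team created, and scan syslog for the web-UI login, programmatic-config and install events that accompany such an account. The sample config and log lines are constructed; the syslog mnemonics (%SEC_LOGIN-5-WEBLOGIN_SUCCESS, %SYS-5-CONFIG_P with process SEP_webui_wsma_http, %WEBUI-6-INSTALL_OPERATION_INFO) are the ones Cisco's advisory lists as indicators, while the account name cisco_tac_admin, the timestamps, the source IP and the file name are sample values only.

```python
"""Post-exposure checks for the CVE-2023-20198 pattern: an unauthenticated
actor reaches the IOS XE web UI, creates a privilege-15 local user, and
pushes configuration or files through it.

Added example with constructed sample data; not Cisco's tooling.
  1. audit_config: is the web UI enabled, and are there privilege-15 users
     the administrators did not create?
  2. scan_syslog: do the logs show web-UI logins by unknown users, config
     pushed by the web-UI process, or install operations via the web UI?
"""
import re

# Constructed sample running-config; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username helpdesk privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed syslog excerpt in the shape IOS XE emits. The mnemonics are the
# indicators from Cisco's advisory; user, source IP, timestamps and file name
# are sample values.
SAMPLE_SYSLOG = """\
Oct 11 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:42:14.220: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 11 03:42:20.004: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD implant.conf
Oct 11 04:00:01.000: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)
WEB_UI_COMMANDS = ("ip http server", "ip http secure-server")


def audit_config(config: str, expected_admins: set) -> dict:
    """Return which web-UI commands are enabled and which privilege-15
    accounts are not in the administrators' allowlist."""
    lines = {line.strip() for line in config.splitlines()}
    # The disabling form "no ip http server" does not match the enabling form.
    web_ui_enabled = [cmd for cmd in WEB_UI_COMMANDS if cmd in lines]
    unexpected = [
        user
        for user, priv in USERNAME_RE.findall(config)
        if int(priv) == 15 and user not in expected_admins
    ]
    return {"web_ui_enabled": web_ui_enabled, "unexpected_priv15": unexpected}


def mitigation_commands(findings: dict) -> list:
    """Config lines that close the attack vector for the findings.
    Account removal is listed for review, not blind execution: a device that
    already ran an implant needs a full investigation and a clean reimage."""
    cmds = [f"no {cmd}" for cmd in findings["web_ui_enabled"]]
    # If the web UI must stay up for management, restrict it to a management
    # ACL (ip http access-class) instead, and never expose it to the internet.
    cmds += [f"no username {user}" for user in findings["unexpected_priv15"]]
    return cmds


LOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\]")
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http")
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD (\S+)")


def scan_syslog(log: str, expected_admins: set) -> list:
    """Return (indicator, detail) pairs for lines matching the web-UI abuse pattern."""
    hits = []
    for line in log.splitlines():
        if m := LOGIN_RE.search(line):
            user, src = m.groups()
            if user not in expected_admins:
                hits.append(("webui_login_unknown_user", f"{user} from {src}"))
        elif CONFIG_P_RE.search(line):
            # Fires for any configuration pushed through the web UI; correlate
            # it with the login/install events rather than alerting on it alone.
            hits.append(("config_pushed_via_webui", line.split(": ", 1)[1]))
        elif m := INSTALL_RE.search(line):
            user, filename = m.groups()
            hits.append(("webui_install_add", f"{user} added {filename}"))
    return hits


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG, {"netadmin"})
    print("config findings:", findings)
    print("mitigation:", mitigation_commands(findings))
    for indicator, detail in scan_syslog(SAMPLE_SYSLOG, {"netadmin"}):
        print(f"{indicator:26} {detail}")
```

Feed `audit_config` the output of `show running-config` and `scan_syslog` the output of `show logging` (or the device's syslog feed), with `expected_admins` populated from the team's own account inventory. The allowlist is what makes the privilege-15 check meaningful: the exploit creates a normal-looking local user, so the only reliable tell in the config is that nobody recognises it.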
