
A previously undisclosed Department of Homeland Security memorandum says a Chinese state‑linked hacking outfit known as “Salt Typhoon” spent nine months inside one state’s Army National Guard network last year, siphoning off network maps and traffic data tied to every other U.S. state and four territories.
The memo, obtained by the transparency group Property of the People, shows that the intruders maintained access from March through December 2024, a breach that government analysts described as “extensive.” Investigators informed DHS that the compromise could hinder local efforts to defend critical infrastructure because National Guard IT systems integrate tightly with state “fusion centers” that share cyber-threat intelligence.
Neither the National Guard Bureau nor the Cybersecurity and Infrastructure Security Agency (CISA) responded to requests for comment. U.S. officials have long warned that Salt Typhoon is positioning itself to disrupt American infrastructure in the event of a conflict with Beijing.
Part of a Broader Campaign Against U.S. Communications Networks
The Guard intrusion is the latest chapter in a two‑year offensive that already shattered America’s telecommunications defenses:
- Salt Typhoon has breached at least nine U.S. telecom and backbone providers during 2023‑24, according to the White House; officials identified the ninth victim last December.
- AT&T and Verizon later acknowledged that Salt Typhoon had penetrated their systems, though both say that they had eradicated the malicious activity.
- Congress received classified briefings in December after agencies warned that Salt Typhoon actors had accessed vast troves of Americans’ phone call metadata.
- In January, the Department of the Treasury imposed sanctions on a Chinese security company, stating that it had collaborated with Salt Typhoon after identifying the same threat actors within the Treasury’s network. The department noted the group had “compromised multiple major U.S. telecommunications and internet service providers.”
- National‑security adviser Jake Sullivan said Washington had already taken “steps in response” and warned Beijing of consequences for any attempt to disable infrastructure.
- Most recently, officials identified satellite operator Viasat in June as another victim, broadening the campaign beyond terrestrial carriers.
Jessica Rosenworcel, who stepped down as chair of the Federal Communications Commission in January, called the telecom intrusions a “clarion call” that prompted new rules requiring carriers to adopt formal cyber‑risk programs.
Operational‑Security Takeaways, and a Path Forward
The combination of compromised carrier networks and inherently insecure messaging platforms makes comprehensive wireless security monitoring an urgent need for organizations. Without the ability to detect anomalous cellular activity, device presence, unauthorized connections, and potential compromises, enterprises remain blind to sophisticated attacks that bypass traditional security controls.
How Bastille Can Solve This Problem
Bastille Networks’ Wireless Airspace Defense Sensor Arrays give organizations real-time visibility into, and anomaly reporting on, the wireless devices transmitting in their environment.
Bastille integrates into your existing SIEM solution and provides complete visibility and alerting for:
- Unauthorized cellular devices that could be exfiltrating sensitive information
- Rogue access points that could intercept wireless traffic
- Bluetooth connections that could create unauthorized data channels
- Malicious wireless connections to your network infrastructure, like those seen with the recent APT28 Nearest-Neighbor attack
Contact Bastille today to learn how your organization can address the vulnerabilities in its wireless airspace attack surface.