Chinese Hackers Target National Guard, Steal Network Data

Summary
– Salt Typhoon, a Chinese state-sponsored hacking group, breached a U.S. Army National Guard network for nine months in 2024, stealing sensitive data like network configurations and administrator credentials.
– The group, linked to China’s Ministry of State Security, has targeted global telecom providers, including AT&T and Verizon, to access call logs and law-enforcement wiretap systems.
– The hackers exploited vulnerabilities in networking devices, such as Cisco routers, using flaws like CVE-2018-0171 and CVE-2023-20198 to gain unauthorized access.
– Between 2023 and 2024, Salt Typhoon stole 1,462 network configuration files from approximately 70 U.S. government and critical infrastructure entities across 12 sectors.
– China’s embassy did not deny the attack but claimed the U.S. lacked “conclusive and reliable evidence” linking Salt Typhoon to the Chinese government.
Chinese state-sponsored hackers infiltrated a U.S. Army National Guard network for nearly a year, stealing critical data that could compromise government systems nationwide. The cyberespionage group, identified as Salt Typhoon, remained undetected for nine months in 2024, exfiltrating network configurations, administrator credentials, and service member details.
Linked to China’s Ministry of State Security (MSS), Salt Typhoon has targeted global telecommunications firms, including AT&T, Verizon, and Lumen, aiming to access sensitive call logs and law enforcement surveillance systems. Their latest breach exposed vulnerabilities in military networks, raising alarms about potential follow-on attacks against other government agencies.
According to a Department of Homeland Security (DHS) memo, the hackers compromised a state National Guard system between March and December 2024, harvesting data that included network diagrams and inter-state communications. These stolen files could enable further intrusions into critical infrastructure, leveraging weaknesses in unpatched devices.
How the Attack Unfolded

Salt Typhoon exploited outdated vulnerabilities in networking hardware, particularly Cisco routers, to gain persistent access. The group has a history of weaponizing flaws like:
- CVE-2018-0171: A remote code execution bug in Cisco’s Smart Install feature.
- CVE-2023-20198: A zero-day flaw in Cisco IOS XE allowing unauthorized device access.
- CVE-2024-3400: A command injection vulnerability in Palo Alto’s GlobalProtect firewalls.
The hackers also used custom malware, including JumblePath and GhostSpider, to maintain surveillance on compromised networks. The DHS warned that over 1,462 configuration files from 70 U.S. entities were stolen, spanning 12 critical sectors.
Response and Denials

While the National Guard Bureau confirmed the breach, officials emphasized it did not disrupt operations. China’s embassy dismissed the allegations, demanding “conclusive evidence” of state involvement. Cybersecurity teams are urged to patch vulnerabilities, disable unused services, and enforce strict access controls to mitigate risks.
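The two Cisco flaws listed above are reached through services that a router often does not need (Smart Install for CVE-2018-0171, the IOS XE web UI for CVE-2023-20198), and the stolen configuration files matter because IOS configs can carry reversibly encoded credentials. The script below is an added example, not code from the article, DHS, or Cisco: it audits running-config text for those exposures and for the management-plane hygiene the mitigation advice calls for (unused services off, access restricted). The two sample configs and the credential strings in them are constructed for the demonstration.

```python
"""Static audit of Cisco IOS / IOS XE configuration text.

Flags the services behind CVE-2018-0171 (Smart Install) and
CVE-2023-20198 (IOS XE web UI), reversible credentials that a stolen
config would expose, and vty lines without source restrictions.
Added illustrative tooling with constructed sample configs.
"""
import re
from typing import List


def _vty_blocks(lines: List[str]) -> List[List[str]]:
    """Collect the indented body of every 'line vty ...' stanza."""
    blocks, current = [], None
    for raw in lines:
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks


def audit_config(config: str) -> List[str]:
    """Return a sorted list of finding identifiers for one config."""
    lines = config.splitlines()
    stripped = [line.strip() for line in lines]
    findings = set()

    # CVE-2018-0171 lives in Smart Install. The client stays on unless the
    # config carries 'no vstack'. Assumption: the platform/version enables
    # Smart Install by default, so its absence from the config means exposure.
    if "no vstack" not in stripped:
        findings.add("SMART_INSTALL_ENABLED")

    # CVE-2023-20198 is reached through the IOS XE web UI (HTTP/HTTPS server).
    if any(line in ("ip http server", "ip http secure-server") for line in stripped):
        findings.add("WEB_UI_ENABLED")

    # Type 7 encoding is reversible and type 0 is plaintext: anyone holding a
    # copy of this config holds the credentials. Type 5/8/9 secrets are hashed.
    if any(re.search(r"\bpassword [07] \S+", line) for line in stripped):
        findings.add("REVERSIBLE_CREDENTIAL")
    if any(re.match(r"enable password\b", line) for line in stripped):
        findings.add("ENABLE_PASSWORD_NOT_SECRET")

    # Management plane: each vty stanza should restrict sources and use SSH only.
    for body in _vty_blocks(lines):
        if not any(line.startswith("access-class ") for line in body):
            findings.add("VTY_NO_ACCESS_CLASS")
        for line in body:
            if line.startswith("transport input") and "telnet" in line.split():
                findings.add("VTY_TELNET_ALLOWED")
    return sorted(findings)


# Constructed sample: every credential string here is a placeholder.
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password 7 0123456789ABCDEF
username admin password 7 FEDCBA9876543210
ip http server
ip http secure-server
line vty 0 4
 password 7 00112233445566
 login
 transport input telnet ssh
"""

# Constructed sample of the hardened counterpart.
HARDENED_CONFIG = """\
hostname edge-rtr-01
no vstack
enable secret 9 $9$PLACEHOLDERHASH
username netadmin secret 9 $9$PLACEHOLDERHASH
no ip http server
no ip http secure-server
ip access-list standard MGMT-HOSTS
 permit 10.20.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

The Smart Install check is absence-based, so it over-reports on platforms where Smart Install is off by default; confirm on the device with `show vstack config` before raising a ticket. The credential check only flags type 0 and type 7 strings and deliberately does not decode them; the remediation is to replace them with `secret`-style hashes and rotate the passwords, which is also the right response once a config is known to have been exfiltrated.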
This incident underscores the growing sophistication of state-backed cyber threats and the urgent need for robust defenses in government and critical infrastructure networks.
(Source: BLEEPING COMPUTER)