Salt Typhoon, a People's Republic of China state-sponsored advanced persistent threat group assessed to be operated by China's Ministry of State Security (MSS), has been confirmed to have breached U.S. Army National Guard communications systems, exposing administrative credentials and internal network topology diagrams. The DHS-attributed intrusion adds a military dimension to what had previously been characterized primarily as a telecommunications espionage campaign.
The broader Salt Typhoon campaign, active since at least 2023 and first publicly disclosed in September 2024, penetrated at least nine major U.S. telecommunications providers including Verizon, AT&T, and T-Mobile, compromising lawful intercept infrastructure used by federal law enforcement and intelligence agencies. The group employed living-off-the-land techniques, abusing legitimate network features and protocols, including GRE tunneling, SSH key injection, and Cisco IOS Guest Shell containers, to maintain long-term covert access while evading conventional endpoint detection.
The National Guard breach elevates the threat profile of the campaign from pure intelligence collection to potential pre-positioning against military communications infrastructure. Administrative credentials and network diagrams obtained in such an intrusion would provide adversaries with a detailed map of Guard communications architecture, enabling future disruptive operations during a crisis scenario, precisely the pre-conflict sabotage posture that U.S. intelligence has identified as Beijing's strategic objective in the parallel Volt Typhoon campaign.
The intrusion has drawn intensified congressional scrutiny. Senator Maria Cantwell formally demanded a complete inventory of vulnerabilities exploited by Salt Typhoon actors along with documented evidence that the group had been fully ejected from affected networks. As of February 2026, Salt Typhoon targeting has been confirmed in more than 80 countries, across multiple sectors including government, hospitality, and critical infrastructure. The campaign's breadth and the concurrent reduction of CISA's Integrated Operations Division workforce, cut by nearly a third, have raised serious concerns within the cybersecurity community about the federal government's capacity to sustain a coordinated response.
// Source
Industrial Cyber
// Incident Details
| Field | Value |
| --- | --- |
| Incident Date | 2026-02-01 |
| County | District of Columbia |
| State | DC |
| Severity | Critical |
| Incident Type | Cyberattack, International, Military / Combat |
| Published | April 5, 2026 |
| Source | Industrial Cyber |