Sensitive military data stolen: The attackers gained access to highly sensitive military and infrastructure information during the nine-month intrusion. The memo stated that “in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.” Beyond the immediate data theft, the memo warned that Salt Typhoon’s access to these networks “could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel”, data that could be used to inform future cyber-targeting efforts. The compromise “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the memo noted.

Established pattern of exploitation: Salt Typhoon has demonstrated a consistent methodology of using stolen network data to enable follow-on attacks. The memo noted that “Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere.” Specifically, “Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. At least one of these files later informed their compromise of a vulnerable device on another US government agency’s network.” The memo explained that access to configuration files “can provide a threat actor with sensitive information like credentials, network topology details, and security settings they need to gain and maintain access, as well as to exfiltrate data.” The document warned of serious consequences if Salt Typhoon succeeded in compromising state-level cybersecurity partners, stating it “could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.” This threat is particularly concerning given the interconnected nature of state and federal cybersecurity operations, where a breach in one system can potentially cascade across multiple networks and jurisdictions.

Technical methods and vulnerabilities: The memo provided technical details about Salt Typhoon’s attack methods, noting that since 2023, the group “has exploited a number of different common vulnerabilities and exposures (CVEs) using a range of leased internet protocol (IP) addresses to mask its activity.” The document included specific CVEs exploited by the group, including CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400, along with associated malicious IP addresses. For defense against such attacks, the memo recommended that “network defenders should follow best practices to harden their network devices against cyber exploitation and to maintain proper auditing and logging of network activity.”

The Department of Defense and the Army National Guard did not immediately respond to requests for comment about the breach. The memo’s release comes as the Trump administration disbanded the Cyber Safety Review Board, which had been investigating Salt Typhoon’s attacks on American telecommunications companies, potentially limiting ongoing oversight of the threat.
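As an added illustration of the memo’s hardening and logging recommendation (this is not code from the memo or the article), the script below audits a constructed Cisco IOS-style configuration for the kinds of weaknesses the memo says a stolen configuration file exposes: reversibly stored credentials, an exposed management interface, default SNMP community strings, and missing remote logging and configuration-change auditing. The sample configuration and the list of checks are my own assumptions, not anything the memo describes.

```python
import re

# Constructed sample of a Cisco IOS-style running config (not from the memo).
SAMPLE_CONFIG = """\
hostname edge-router-01
enable password 7 094F471A1A0A
username admin privilege 15 password 0 Summer2024!
username ops privilege 15 secret 9 $9$constructedhash
ip http server
snmp-server community public RO
logging buffered 16384
"""

# IOS password storage types: 0 = plaintext, 7 = reversible encoding.
# Types 5 (MD5), 8 (PBKDF2) and 9 (scrypt) are one-way hashes.
WEAK_TYPES = {"0": "plaintext", "7": "type 7 (reversible)"}
CRED_RE = re.compile(r"^(enable|username \S+)(?: privilege \d+)? (password|secret) (\d) \S+")


def audit_config(text):
    """Return (line_no, message) tuples; line 0 marks a config-wide gap."""
    findings = []
    has_log_host = False        # remote syslog destination present?
    has_config_archive = False  # simplified: any 'archive' block counts
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = CRED_RE.match(line)
        if m and m.group(3) in WEAK_TYPES:
            findings.append((no, f"{m.group(1)}: credential stored as "
                                 f"{WEAK_TYPES[m.group(3)]}; use a type 8/9 secret"))
        elif line == "ip http server":
            findings.append((no, "plain HTTP management interface enabled; "
                                 "disable it or restrict it to a management ACL"))
        elif re.match(r"snmp-server community (public|private)\b", line):
            findings.append((no, "default SNMP community string; migrate to SNMPv3"))
        elif line.startswith("logging host "):
            has_log_host = True
        elif line.startswith("archive"):
            has_config_archive = True
    if not has_log_host:
        findings.append((0, "no remote syslog destination ('logging host') configured"))
    if not has_config_archive:
        findings.append((0, "no configuration-change logging ('archive' / 'log config') configured"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```

Run it against a saved `show running-config` export to get a per-line list of hardening gaps; the presence checks are deliberately simple and should be tightened to your platform’s exact syntax.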
The document warned that Salt Typhoon’s success in compromising National Guard networks could have far-reaching consequences for the US’s ability to defend critical infrastructure during a crisis or conflict with China.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4023313/salt-typhoon-hacked-the-us-national-guard-for-9-months-and-accessed-networks-in-every-state.html