The FBI and Department of Defense (DoD) revealed that **Salt Typhoon**, a Chinese state-sponsored group linked to the Ministry of State Security and the People's Liberation Army, ran a **long-term cyber-espionage campaign** against a US state National Guard network. The group **breached the network and went undetected for nearly a year**, exfiltrating **sensitive military and law enforcement data**. The intrusion involved **compromising backbone routers and other networking equipment** through known vulnerabilities, then altering access control lists, creating privileged accounts and enabling remote management interfaces to secure **persistent, long-term access**. Because that persistence lives in device configuration rather than in malware on hosts, endpoint-centric tooling does not see it; detection depends on logging and baselining configuration changes on the routers themselves. The objective was **surveillance and intelligence gathering** rather than financial gain, with targets spanning **telecom carriers, government organizations, military infrastructure and the healthcare sector**. The campaign was **far broader than initially assessed**: at least **60 organizations across 80 countries** were affected. The FBI warned that the indiscriminate targeting of private communications poses a **severe threat to national security** and urged immediate collaboration with global partners to counter the activity. The DoD confirmed the group's ability to **move laterally across networks**, abusing trusted connections between organizations to pivot into other systems and amplifying the risk of **data exfiltration and operational disruption** in critical infrastructure.
TPRM report: https://www.rankiteo.com/company/united-states-army-reserve
"id": "uni0902209091025",
"linkid": "united-states-army-reserve",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Defense',
'location': 'United States',
'name': 'Unnamed US State National Guard',
'type': 'Government/Military'},
{'industry': 'Telecommunications',
'location': 'Global (80 countries)',
'name': 'Multiple Telecommunications Providers (60+ '
'organizations)',
'size': ['Large enterprises',
'Critical infrastructure providers'],
'type': 'Private/Public'},
{'industry': 'Healthcare',
'location': 'United States (and possibly global)',
'name': 'Healthcare Organizations (potentially '
'impacted)',
'type': 'Private/Public'}],
'attack_vector': ['Exploitation of known vulnerabilities in networking '
'equipment',
'Compromised trusted devices/connections',
'Modification of router access control lists (ACLs)',
'Creation of privileged accounts',
'Enablement of remote management interfaces',
'Lateral movement via pivoting'],
'customer_advisories': ['Organizations using telecommunications services from '
'affected providers should inquire about mitigation '
'measures.',
'Healthcare entities should verify third-party '
'network security postures.'],
'data_breach': {'data_exfiltration': ['Confirmed in US National Guard case',
'Likely in other telecom targets'],
'sensitivity_of_data': ['High (national security '
'implications)',
'Confidential (military/law '
'enforcement)'],
'type_of_data_compromised': ['Military data',
'Law enforcement data',
'Telecommunications traffic',
'Potentially healthcare data']},
'date_publicly_disclosed': '2024-10-01T00:00:00Z',
'description': 'The FBI has issued a security advisory warning that the Salt '
'Typhoon hacker group (linked to Chinese state-sponsored '
'entities) is escalating global attacks. The group targets '
'telecommunications providers (including backbone, PE, and CE '
'routers), government organizations, military infrastructure, '
'and healthcare entities. They exploit known vulnerabilities '
'in networking equipment to gain persistent access, modify '
'routers, and exfiltrate sensitive data for espionage '
'purposes. At least 60 organizations across 80 countries have '
'been affected, with long-term compromises (e.g., a US '
'National Guard network breached for nearly a year). The '
'campaign focuses on surveillance and spying rather than '
'financial gain.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
'telecommunications providers',
'Concerns over national security '
'implications'],
'data_compromised': ['Sensitive military data',
'Law enforcement data',
'Telecommunications metadata',
'Potentially healthcare data'],
'operational_impact': ['Long-term persistent access (up to 1 year '
'in some cases)',
'Lateral movement across networks'],
'systems_affected': ['Backbone routers of major telecommunications '
'providers',
'Provider Edge (PE) routers',
'Customer Edge (CE) routers',
'US National Guard networks (unnamed state)',
'Healthcare organization networks '
'(indirectly)']},
'initial_access_broker': {'backdoors_established': ['Modified router ACLs',
'Privileged accounts',
'Remote management '
'interfaces'],
'entry_point': ['Known vulnerabilities in '
'networking equipment (routers)',
'Compromised trusted devices'],
'high_value_targets': ['Telecommunications backbone '
'infrastructure',
'Government/military '
'networks',
'Healthcare systems '
'(indirectly)'],
'reconnaissance_period': ['Extended (group active '
'since at least 2019)',
'Long-term dwell time '
'(e.g., ~1 year in '
'National Guard case)']},
'investigation_status': 'Ongoing (FBI/CISA/DoD leading investigations; '
'victims encouraged to report)',
'lessons_learned': ['State-sponsored APT groups like Salt Typhoon prioritize '
'stealth and persistence over financial gain.',
'Telecommunications infrastructure is a high-value target '
'for espionage due to its role in global communications.',
'Compromised networking equipment can serve as a pivot '
'point for lateral movement into other critical sectors '
'(e.g., military, healthcare).',
'Long-term compromises (e.g., nearly a year in the '
'National Guard case) highlight the need for continuous '
'monitoring and anomaly detection.'],
'motivation': ['State-sponsored espionage',
'Surveillance',
'Intelligence gathering',
'Military/law enforcement data exfiltration'],
'post_incident_analysis': {'corrective_actions': ['Mandatory patching '
'timelines for networking '
'equipment in critical '
'infrastructure',
'Enhanced logging and '
'anomaly detection for '
'router configurations',
'Cross-sector collaboration '
'to share threat '
'intelligence on APT groups '
'like Salt Typhoon',
'Regular audits of '
'privileged accounts and '
'remote access '
'capabilities'],
'root_causes': ['Unpatched vulnerabilities in '
'critical networking equipment',
'Insufficient monitoring of router '
'configurations and ACL changes',
'Lack of segmentation between '
'telecommunications and other '
'critical infrastructure networks',
'Delayed detection due to '
'stealthy, long-term persistence '
'tactics']},
'recommendations': ['Patch known vulnerabilities in networking equipment '
'(especially routers) immediately.',
'Audit and harden access control lists (ACLs) on critical '
'infrastructure devices.',
'Disable remote management interfaces unless absolutely '
'necessary.',
'Implement network segmentation to limit lateral '
'movement.',
'Monitor for unusual privileged account creation or '
'modifications to router configurations.',
'Report suspected compromises to the FBI or local law '
'enforcement promptly.',
'Healthcare organizations should aggressively scan for '
'indicators of compromise (IoCs) related to Salt Typhoon.',
'Collaborate with telecommunications providers to detect '
'and mitigate supply chain risks.'],
'references': [{'date_accessed': '2024-10-01',
'source': 'FBI/CISA Joint Cybersecurity Advisory (2024)'},
{'date_accessed': '2024-07-01',
'source': 'Department of Defense (DoD) Report on National '
'Guard Breach'},
{'date_accessed': '2024-10-01',
'source': "ITPro Article: 'Salt Typhoon attacks worse than "
"previously thought'",
'url': 'https://www.itpro.com/security/fbi-warns-salt-typhoon-hackers-are-ramping-up-attacks-globally'},
{'date_accessed': '2024-10-01',
'source': 'American Hospital Association (AHA) Statement by '
'John Riggi'}],
'regulatory_compliance': {'regulatory_notifications': ['FBI/CISA Joint '
'Cybersecurity '
'Advisory']},
'response': {'communication_strategy': ['Public advisory via FBI/CISA',
'Encouragement for victims to report '
'to local FBI offices'],
'containment_measures': ['Joint Cybersecurity Advisory '
'(FBI/CISA) with detection/mitigation '
'guidance',
'Guidance from late 2024 for improved '
'visibility'],
'enhanced_monitoring': ['Recommended for early detection of '
'malicious activity'],
'incident_response_plan_activated': ['FBI Cyber Division',
'CISA (Cybersecurity and '
'Infrastructure Security '
'Agency)'],
'law_enforcement_notified': ['FBI (local field offices)',
'DoD (Department of Defense)'],
'network_segmentation': ['Recommended as a mitigation strategy'],
'remediation_measures': ['Identify and patch vulnerable '
'networking equipment',
'Audit access control lists (ACLs) on '
'routers',
'Remove unauthorized privileged '
'accounts',
'Disable unnecessary remote management '
'interfaces']},
'stakeholder_advisories': ['FBI urges telecom providers to review router '
'configurations and audit privileged accounts.',
'DoD advises military and defense contractors to '
'monitor for Salt Typhoon IoCs.',
'AHA recommends healthcare organizations take '
'aggressive action to detect and remediate '
'potential compromises.'],
'threat_actor': [{'affiliation': ['Chinese Ministry of State Security (MSS)',
'People’s Liberation Army (PLA)',
'Sichuan Juxinhe Network Technology',
'Beijing Huanyu Tianqiong Information '
'Technology',
'Sichuan Zhixin Ruijie Network Technology'],
'aliases': ['GhostEmperor',
'Operator Panda',
'RedMike',
'PRC-affiliated actors'],
'name': 'Salt Typhoon',
'origin': 'China'}],
'title': 'Global Cyber Espionage Campaign by Salt Typhoon (Chinese '
'State-Sponsored Hackers)',
'type': ['Cyber Espionage',
'APT (Advanced Persistent Threat)',
'Supply Chain Attack'],
'vulnerability_exploited': ['Known vulnerabilities in backbone routers',
'Provider Edge (PE) routers',
'Customer Edge (CE) routers']}
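The attack_vector, root_causes and recommendations fields above all come back to the same control: the persistence mechanisms the page describes (a permit entry added to a management ACL, a new privileged account, a remote management path switched on) are ordinary configuration statements, so the practical detection is to keep an off-box baseline of each device's running configuration and diff every new snapshot against it. The following Python is an added example written for this page, not code from the advisory, the FBI, or the TPRM report's source. The page names no vendor, so the Cisco IOS-style syntax, the device name, the addresses and both configuration snapshots are constructed for illustration.

```python
"""Router configuration drift audit (added example, assumed IOS-style syntax).

Compares a known-good baseline of a router's running configuration with a
freshly collected snapshot and flags the persistence mechanisms the page
lists: new ACL permit entries, new privilege-15 accounts, newly enabled
remote-management paths, and removed deny/access-class controls.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: known-good running-config snapshot (not a real device).
BASELINE = """\
hostname edge-pe-01
!
username netops privilege 15 secret 9 $9$REDACTED
!
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 deny ip any any
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
!
no ip http server
no ip http secure-server
"""

# Constructed sample: the same device after the kind of tampering the page
# describes (extra privileged account, ACL hole, new remote-management paths).
TAMPERED = """\
hostname edge-pe-01
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$ALSOREDACTED
!
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.23 any eq 22
 deny ip any any
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
line vty 5 15
 transport input ssh telnet
!
no ip http server
ip http secure-server
ip ssh port 2222 rotary 1
"""


@dataclass(frozen=True)
class Finding:
    category: str   # privileged_account | acl_permit_added | remote_management | control_removed
    section: str    # enclosing config block; "" for global commands
    statement: str


def parse_config(text: str) -> set:
    """Normalise a config into (section, statement) pairs. A non-indented line
    is a global command and opens a new section; indented lines belong to it."""
    stmts = set()
    section = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            stmts.add((section, raw.strip()))
        else:
            section = raw.strip()
            stmts.add(("", section))
    return stmts


_PRIV15 = re.compile(r"^username\s+\S+\s.*\bprivilege\s+15\b")
# Global knobs that open a management path (assumed IOS syntax).
_REMOTE_MGMT_GLOBAL = re.compile(
    r"^(ip http (?:secure-)?server\b|snmp-server community \S+ RW\b|ip ssh port \d+)")


def classify_added(section: str, stmt: str) -> Optional[str]:
    if _PRIV15.match(stmt):
        return "privileged_account"
    in_acl = section.startswith("ip access-list") or stmt.startswith("access-list ")
    if in_acl and re.search(r"\bpermit\b", stmt):
        return "acl_permit_added"
    if section.startswith("line vty") and stmt.startswith("transport input") \
            and not stmt.endswith(" none"):
        return "remote_management"
    if not section and _REMOTE_MGMT_GLOBAL.match(stmt):
        return "remote_management"
    return None


def classify_removed(section: str, stmt: str) -> Optional[str]:
    # Dropping a deny entry or detaching the management ACL from a vty line
    # widens access just as effectively as adding a permit.
    if stmt.startswith("deny ") or stmt.startswith("access-class "):
        return "control_removed"
    return None


def audit(baseline: str, current: str) -> list:
    base, cur = parse_config(baseline), parse_config(current)
    findings = []
    for section, stmt in sorted(cur - base):
        cat = classify_added(section, stmt)
        if cat:
            findings.append(Finding(cat, section, stmt))
    for section, stmt in sorted(base - cur):
        cat = classify_removed(section, stmt)
        if cat:
            findings.append(Finding(cat, section, stmt))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, TAMPERED):
        print(f"[{f.category}] {f.section or '<global>'}: {f.statement}")
```

Against the constructed snapshots the audit reports the new privilege-15 user, the permit entry for 198.51.100.23 inside MGMT-IN, the HTTPS server, the SSH listener moved to port 2222, and the new vty range that accepts telnet with no access-class. Two caveats for real use: the baseline must be stored off the device, because an actor holding privilege 15 can alter what the device itself reports, and the collection path (the management ACL and the account used to pull configs) is exactly what this audit protects, so it should be the most tightly controlled path on the network.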