{
	"id": "61ed1483-aa37-489f-a3c0-02004791b0f0",
	"created_at": "2026-04-06T00:08:44.541195Z",
	"updated_at": "2026-04-10T13:12:29.203226Z",
	"deleted_at": null,
	"sha1_hash": "b156097259c2b49af5b3147ee93cd596c5656a50",
	"title": "Chinese hackers breached National Guard to steal network configurations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 636476,
	"plain_text": "Chinese hackers breached National Guard to steal network\r\nconfigurations\r\nBy Lawrence Abrams\r\nPublished: 2025-07-17 · Archived: 2026-04-02 10:37:32 UTC\r\nThe Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army\r\nNational Guard network for nine months in 2024, stealing network configuration files and administrator credentials that\r\ncould be used to compromise other government networks.\r\nSalt Typhoon is a Chinese state-sponsored hacking group that is believed to be affiliated with China's Ministry of State\r\nSecurity (MSS) intelligence agency. The hacking group has gained notoriety over the past two years for its wave of attacks\r\non telecommunications and broadband providers worldwide, including AT\u0026T, Verizon, Lumen, Charter, Windstream, and\r\nViasat.\r\nThe goal of some of these attacks was to gain access to sensitive call logs, private communications, and law-enforcement\r\nwiretap systems used by the U.S. government.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/\r\nPage 1 of 4\n\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nNational Guard network breached for nine months\r\nA June 11 Department of Homeland Security memo, first reported by NBC, says that Salt Typhoon breached a U.S. state's\r\nArmy National Guard network for nine months between March and December 2024.\r\nDuring this time, the hackers stole network diagrams, configuration files, administrator credentials, and personal information\r\nof service members that could be used to breach National Guard and government networks in other states.\r\n\"Between March and December 2024, Salt Typhoon extensively compromised a US state's Army National Guard's network\r\nand, among other things, collected its network configuration and its data traffic with its counterparts' networks in every other\r\nUS state and at least four US territories, according to a DOD report,\" reads the memo.\r\n\"This data also included these networks' administrator credentials and network diagrams—which could be used to facilitate\r\nfollow-on Salt Typhoon hacks of these units.\"\r\nThe memo further states that Salt Typhoon has previously utilized stolen network topologies and configuration files to\r\ncompromise critical infrastructure and U.S. government agencies.\r\n\"Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere,\" continued\r\nthe memo.\r\n\"Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and\r\ncritical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed\r\ntheir compromise of a vulnerable device on another U.S. government agency's network.\"\r\nNetwork configuration files contain the settings, security profiles, and credentials configured on networking devices, such as\r\nrouters, firewalls, and VPN gateways. This information is valuable to an attacker, as it can be used to identify paths to and\r\ncredentials for other sensitive networks that are typically not accessible via the Internet.\r\nThe DHS warns that between 2023 and 2024, Salt Typhoon stole 1,462 network configuration files associated with\r\napproximately 70 U.S. government and critical infrastructure entities from 12 sectors.\r\nWhile it was not disclosed how Salt Typhoon breached the National Guard network, Salt Typhoon is known for targeting old\r\nvulnerabilities in networking devices, such as Cisco routers.\r\nThe DHS memo shared the following vulnerabilities that Salt Typhoon leveraged in the past to breach networks:\r\nCVE-2018-0171: A critical flaw in Cisco IOS and IOS XE Smart Install that allows remote code execution via\r\nspecially crafted TCP packets.\r\nCVE-2023-20198: A zero-day affecting Cisco IOS XE web UI that permits unauthenticated remote access to\r\ndevices.\r\nCVE-2023-20273: A privilege escalation flaw also targeting IOS XE that allows hackers to execute commands as\r\nroot. This flaw has been seen chained with CVE-2023-20198 to maintain persistence.\r\nCVE-2024-3400: A command injection vulnerability in Palo Alto Networks' PAN-OS GlobalProtect, which allows\r\nunauthenticated attackers to execute commands on devices.\r\nDOH also shared the following IP addresses that have been used by Salt Typhoon when exploiting the above vulnerabilities:\r\n43.254.132[.]118\r\n146.70.24[.]144\r\n176.111.218[.]190\r\n113.161.16[.]130\r\n23.146.242[.]131\r\n58.247.195[.]208\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/\r\nPage 3 of 4\n\nIn previous attacks, the hackers exploited unpatched Cisco routers in telecom environments to gain access to infrastructure.\r\nThe attackers used this access to spy on communications of U.S. political campaigns and lawmakers.\r\nAs part of these attacks, the threat actors deployed custom malware named JumblePath and GhostSpider to surveil telecom\r\nnetworks.\r\nThe DHS memo urges National Guard and government cybersecurity teams to ensure these flaws have been patched and to\r\nturn off unnecessary services, segment SMB traffic, implement SMB signing, and enforce access controls.\r\nA National Guard Bureau spokesperson confirmed the breach to NBC but declined to share specifics, stating that it had not\r\ndisrupted federal or state missions.\r\nChina's embassy in Washington did not deny the attack but stated the U.S. had not provided \"conclusive and reliable\r\nevidence\" that Salt Typhoon is linked to the Chinese government.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/"
	],
	"report_names": [
		"chinese-hackers-breached-national-guard-to-steal-network-configurations"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b156097259c2b49af5b3147ee93cd596c5656a50.pdf",
		"text": "https://archive.orkl.eu/b156097259c2b49af5b3147ee93cd596c5656a50.txt",
		"img": "https://archive.orkl.eu/b156097259c2b49af5b3147ee93cd596c5656a50.jpg"
	}
}