Chinese Hacking Group "Salt Typhoon" Attacks Defense Networks Across All 50 U.S. States
- Alfred 정현 Kim
- Jul 21

Washington D.C. 2025.7.20
By Alfred Kim
Escalation of Chinese Cyber Intrusion: Salt Typhoon's Breach into U.S. Defense Networks
In October 2024, the U.S. Department of Defense officially confirmed a cyber infiltration by a Chinese hacking group. A state-level National Guard network had been compromised for nearly a year. According to a memo from the Department of Homeland Security (DHS), the group known as Salt Typhoon had deeply infiltrated one state's National Guard network from March to December 2024. The memo, obtained through a public records request by the nonprofit group People’s Property, revealed that the hackers collected information on network configurations and traffic data from networks in all 50 states and U.S. territories.
The memo warned that this data could be used to facilitate future cyberattacks on National Guard units. Some of the stolen data includes personally identifiable information and location data of state cybersecurity personnel. In a response to Scripps News, DHS stated it continues to analyze the breach and is working closely with the National Guard and other partners to mitigate future threats. The Salt Typhoon attack remains ongoing. In October 2024, it was also revealed that 12 U.S. telecommunications companies had been hacked, and some customer call data had been accessed.
Rob Joyce, former Director of Cybersecurity at the NSA, characterized Salt Typhoon's tactics as "digital explosives pre-positioned in critical infrastructure" such as power grids, pipelines, transportation systems, and water facilities. He emphasized that such activity, if carried out in the physical world, would prompt months, if not years, of discussion. He stated that potential U.S. responses could include sanctions, tariffs, legal action, and even diplomatic expulsions. The U.S. government, through the FBI, has offered a $10 million reward for information leading to the arrest of Salt Typhoon operatives.
Two months after the Pentagon's announcement, a U.S. Senate hearing chaired by Senator Ted Cruz was held in December. Experts sharply criticized the lack of American deterrence. Dr. James Mulvenon testified that the U.S. had entirely lost its strategic balance with China, emphasizing that telecommunications companies were not just incidental victims. The hearing exposed China's broader cyber strategy beyond just Salt Typhoon.
Salt Typhoon is reportedly operated directly by China’s Ministry of State Security (MSS). The group has been actively targeting the U.S. since 2023 and has successfully infiltrated at least nine major telecom companies, including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. Experts testified that the operations began in 2022, targeting core infrastructure, including routers and switches, to maintain persistent access. While initially focused on espionage, a 2025 Malaysian report warned that the group had evolved into military readiness operations, even mapping U.S. emergency response protocols.
Dr. Mulvenon stressed that deterrence had failed because China does not yet perceive the U.S. pain threshold. He argued that imposing costs would be more effective than reinforcing defenses. He pointed to stricter federal acquisition regulations as a tool, noting that enhancing NIST standards could significantly raise security levels. These rules are already in effect for Defense Department contractors and could be extended to civilian agencies. The 2025 defense budget includes discussions on these reinforcements.
Dr. James Lewis proposed more direct countermeasures, suggesting that the U.S. initiate regular cyber dialogues with China, akin to nuclear negotiations—issuing warnings followed by action. He emphasized the need for Cyber Command and the NSA to prepare a response playbook in advance. He warned that China views the U.S. as a declining power. His two-track strategy—dialogue and retaliation—has gained traction in recent NSA reports, which noted that, unlike Volt Typhoon, Salt Typhoon has managed long-term access to critical infrastructure.
Dr. Mulvenon also criticized the FCC’s latest measures as inadequate. While telecom companies are required to certify cybersecurity risk plans, he said more focus should be placed on CALEA compliance. He cited past FCC mandates during the expansion of broadband and VoIP, where companies were required to submit vulnerability correction plans within 90 days. Although similar requirements were announced in late 2024, implementation has remained slow. Experts have warned that symbolic efforts, such as “blue-ribbon committees,” may be even more harmful by creating a false sense of action.
The panel warned the American public about the threat of Salt Typhoon. National networks continue to be targeted, and essential services are at risk. Consumers were advised to use encrypted services, such as RCS. Dr. Lewis bluntly stated that “America is currently losing.” He argued that telecom and electricity services are now effectively held hostage by a hostile foreign power.
Further investigations revealed continued Salt Typhoon activity in 2025, exploiting Cisco router vulnerabilities to hack two more telecom companies. Despite sanctions, the group has not slowed its operations. University networks were also targeted, from the University of Utah to research on Vietnam. In February 2025, a Canadian telecom was also breached. NBC News reported that Salt Typhoon extracted traffic maps and intelligence-sharing systems from National Guard networks, suggesting potential access to all 50 states.
In response, the U.S. Treasury imposed sanctions on Chinese companies and individuals linked to Salt Typhoon. The FBI maintained its $10 million bounty. CISA, the NSA, and the FBI jointly released guidelines for protecting telecom infrastructure, with a special emphasis on securing Cisco equipment. However, a July 2025 DHS memo stated that these efforts were still insufficient. Salt Typhoon had maintained access to Guard networks for over nine months and targeted local data centers and ISPs. The FBI labeled the attack one of the most serious national security threats.