Full Report
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials that could be used to compromise other government networks. [...]
Analysis Summary
# Threat Actor: Salt Typhoon (Implied Attribution)
## Attribution & Identity
**Attribution:** Implied to be Chinese state-sponsored hackers/threat actors.
**Aliases/Associated Groups:** The article does not name the group directly. It references earlier attacks by the same actors using the malware families JumblePath and GhostSpider, both of which have been publicly associated with **Salt Typhoon**. China's embassy did not deny the activity but asked for conclusive evidence linking it to the Chinese government.
## Activity Summary
The threat actors breached a U.S. Army National Guard network, remained undetected for roughly nine months in 2024, and exfiltrated network configuration files and administrator credentials. Historically, these actors have exploited unpatched Cisco routers in telecom environments to gain access and intercept communications involving U.S. political campaigns and lawmakers.
## Tactics, Techniques & Procedures
- Exploitation of unpatched vulnerabilities for initial access (the report names no CVEs; past campaigns exploited unpatched Cisco routers).
- Long-dwell persistence: roughly nine months undetected inside the victim network during 2024.
- Collection of network configuration files and administrator credentials. Configurations map the victim's topology and trust relationships; the credentials in them are reusable against other government networks, which is the report's stated concern.
- Surveillance of communications on compromised telecom networks (past campaigns).
- **Malware Deployment:** Custom malware, including **JumblePath** and **GhostSpider**, used to surveil telecom networks in past campaigns.
- *No specific MITRE ATT&CK IDs were provided in the text.*
## Targeting
- **Sectors:** U.S. National Guard (Defense/Government), U.S. Telecom Networks (in past operations), U.S. political campaigns, and lawmakers (in past operations).
- **Geography:** United States.
- **Victims:** A U.S. Army National Guard network (breach confirmed in the report; the specific unit or state is not identified in the text).
## Tools & Infrastructure
- **Malware Families Used:** JumblePath, GhostSpider (Custom malware deployed in previous operations).
- **Infrastructure (defanged IP addresses; the source does not state the role of each, and no domains are given):**
  - 43.254.132[.]118
  - 146.70.24[.]144
  - 176.111.218[.]190
  - 113.161.16[.]130
  - 23.146.242[.]131
  - 58.247.195[.]208
## Implications
This incident points to continued targeting of sensitive U.S. military and government infrastructure by a capable actor, most plausibly for espionage. The theft of configuration files and administrator credentials matters beyond the compromised network: a router or switch configuration exposes addressing, ACLs, routing peers, management interfaces and often embedded secrets, and any credential reused across sites can be replayed elsewhere. That is why the report warns that other government networks could be compromised, and it is why configuration theft should be treated as credential theft.
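To make the last point concrete, the following Python audits an IOS-style configuration for the credential material it leaks. This is an added example and is not part of the report or of any vendor tool; the configuration text, hostnames, usernames and passwords in it are constructed for illustration. It flags SNMP community strings (always cleartext), cleartext secrets, type 7 secrets (a fixed-key XOR scheme that anyone holding the file can reverse) and type 5 MD5 hashes (crackable offline), and leaves type 8/9 hashes alone because nothing is recoverable from them.

```python
"""Audit an IOS-style configuration for credential material it leaks.

Added example (not from the report). CONSTRUCTED_CONFIG below is made up;
the hostnames, usernames and passwords are illustrative only.
"""
import re

# Cisco "type 7" hides passwords with a fixed-key XOR (Vigenere) scheme.
# The key is public knowledge; anyone holding the config can reverse it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex bytes
    each XORed with the next key character."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 value: {encoded!r}")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])          # ValueError on non-hex input
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def _finding(line, severity, issue, value):
    return {"line": line, "severity": severity, "issue": issue, "value": value}


def audit_config(config: str) -> list:
    """One finding per line that exposes reusable credential material.

    IOS secret types: 0 = cleartext, 7 = reversible, 5 = MD5 (offline-
    crackable), 8/9 = PBKDF2/scrypt (not flagged: nothing to recover)."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)", line)
        if m:  # community strings are always stored in cleartext
            findings.append(_finding(lineno, "high", "SNMP community string", m.group(1)))
            continue
        m = re.search(r"\b(password|secret|key) (.+)$", line)
        if not m:
            continue
        tokens = m.group(2).split()
        if tokens[0] in {"0", "5", "7", "8", "9"} and len(tokens) > 1:
            stype, value = tokens[0], tokens[1]
        else:
            stype, value = "0", tokens[0]      # no type digit means cleartext
        if stype == "7":
            try:
                recovered = decode_type7(value)
            except ValueError:
                recovered = None               # malformed; still worth a look
            findings.append(_finding(lineno, "high",
                                     "type 7 secret (reversible from the file alone)", recovered))
        elif stype == "0":
            findings.append(_finding(lineno, "high", "cleartext secret", value))
        elif stype == "5":
            findings.append(_finding(lineno, "medium", "type 5 MD5 hash (crackable offline)", value))
    return findings


# Constructed sample with a mix of secret types. The type 7 values encode
# "cisco", "admin" and "S3cret!"; the hashes are placeholders.
CONSTRUCTED_CONFIG = """\
hostname edge-rtr-01
enable password 7 060506324F41
username netadmin privilege 15 password 7 011202095205
username svc-monitor privilege 15 secret 5 $1$Xk2q$b7P0w2xZ9nRf4Q1s8tU6vM
username backup-op privilege 15 secret 9 $9$Wq8zLx3Nd2Vr7Hk1$YpT4cJ9sFm6nRb2vQa8xLw3dK7hU5tZ0gE1yN4iS6oC
snmp-server community public RO
snmp-server community n3tw0rk-rw RW
tacacs server ISE
 key 7 107D5A1A1712064A
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
"""

if __name__ == "__main__":
    for f in audit_config(CONSTRUCTED_CONFIG):
        print(f"line {f['line']:>2} [{f['severity']}] {f['issue']}: {f['value']}")
```

Run against a backup taken before an incident, the output is effectively the list of credentials the attacker now holds: the enable password, the privilege-15 account, the TACACS shared key and both SNMP communities here are all immediately usable, and the MD5 hash is a cracking target. Anything this finds in a config known to have been taken should be rotated, and `secret 9` (or at least type 8) should replace `password 7` going forward.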
## Mitigations
- Patch known-exploited flaws in network edge devices promptly (the report names no specific CVEs; past campaigns relied on unpatched Cisco routers).
- Turn off unnecessary network services.
- Segment SMB (Server Message Block) traffic.
- Implement SMB signing.
- Enforce strict access controls, and rotate administrator credentials and any secrets embedded in configurations known or suspected to have been taken.
- Monitor for indicators associated with past malware such as JumblePath and GhostSpider, and for the defanged addresses listed above, in both source and destination fields of firewall, VPN and authentication logs.
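The last item is the kind of sweep a SOC would script against its own logs. The Python below is an added example, not part of the report; it refangs the six indicator addresses published above, validates them, and scans a set of constructed firewall and VPN gateway log lines (the hosts, internal addresses and timestamps are made up) for any field containing one of them. Because the report says administrator credentials were stolen, successful authentication events from an indicator source are flagged separately as the highest-priority hits.

```python
"""Sweep constructed log lines for the defanged IP indicators listed above.

Added example, not from the report. The log lines are constructed; only the
indicator addresses come from the summary.
"""
import ipaddress
import re

# Indicators exactly as published (defanged) in the summary above.
DEFANGED_IOCS = [
    "43.254.132[.]118", "146.70.24[.]144", "176.111.218[.]190",
    "113.161.16[.]130", "23.146.242[.]131", "58.247.195[.]208",
]

# Constructed firewall / VPN gateway events in a key=value syslog style.
# 10.x and 198.51.100.x addresses are private or documentation ranges.
CONSTRUCTED_LOGS = """\
2024-03-14T02:17:09Z fw01 action=allow proto=tcp src=10.20.30.40 spt=51322 dst=146.70.24.144 dpt=443
2024-03-14T02:17:11Z fw01 action=allow proto=tcp src=10.20.30.40 spt=51323 dst=198.51.100.14 dpt=443
2024-03-14T03:40:55Z vpn-gw action=login user=netadmin src=176.111.218.190 result=success
2024-03-14T03:41:02Z fw01 action=deny proto=tcp src=23.146.242.131 spt=40001 dst=10.20.30.1 dpt=22
2024-03-14T04:02:13Z fw01 action=allow proto=udp src=10.20.30.7 spt=5353 dst=10.20.30.2 dpt=53
"""

# Dotted quad not embedded in a longer dotted/numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(indicator: str) -> str:
    """Undo common defanging: '[.]', '(.)', '{.}' -> '.', hxxp -> http."""
    out = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", indicator)
    return re.sub(r"^hxxp(s?)://", r"http\1://", out)


def load_iocs(defanged) -> set:
    """Refang and validate each indicator; a malformed entry raises rather
    than silently becoming a pattern that never matches."""
    return {str(ipaddress.ip_address(refang(d))) for d in defanged}


def scan_logs(log_text: str, iocs: set) -> list:
    """One hit per indicator occurrence, in any field of any log line.
    auth_event marks a successful login from an indicator address."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                continue                      # e.g. 300.1.1.1 slipped past the regex
            if ip in iocs:
                hits.append({
                    "line": lineno,
                    "ioc": ip,
                    "auth_event": "user=" in line and "result=success" in line,
                    "event": line,
                })
    return hits


if __name__ == "__main__":
    for h in scan_logs(CONSTRUCTED_LOGS, load_iocs(DEFANGED_IOCS)):
        flag = "AUTH " if h["auth_event"] else ""
        print(f"{flag}line {h['line']}: {h['ioc']} -> {h['event']}")
```

Two caveats a practitioner would apply before treating a hit as an incident: IP indicators age quickly, so a match on historical logs is a lead rather than a verdict, and a successful administrator login from an indicator source (the `vpn-gw` line above) should be triaged ahead of any denied connection attempt, because it is consistent with the stolen credentials the report describes being replayed.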