National Guard Data Breach Exposes Ongoing Threat of State-Sponsored Cyber Espionage

Cyber Threat Radar – A deeply concerning breach of U.S. military infrastructure has emerged, revealing that an elite Chinese cyberespionage group, dubbed Salt Typhoon, successfully infiltrated a U.S. state’s Army National Guard network for nearly an entire year.

According to a Department of Homeland Security (DHS) memo circulated in June 2025, the attack occurred between March and December 2024. While the specific state targeted has not been named, the level of compromise is now becoming clear. Salt Typhoon, a group already associated with some of the most expansive and strategic intrusions against U.S. government and corporate networks, appears to have gained access to highly sensitive data. This may include internal network architecture, geographic operational maps, and personal information of service members.

Salt Typhoon’s Expanding Reach

Salt Typhoon is not new to U.S. security agencies. The group is linked to major breaches of telecommunication giants like AT&T and Verizon and has allegedly surveilled political campaigns, federal offices, and congressional leadership. However, the National Guard data breach raises the stakes significantly.

Unlike federal military branches, the National Guard functions under dual authority—operating under both state governors and the Department of Defense. Many National Guard units are tightly integrated with local governments and law enforcement networks. This hybrid structure likely created unique vulnerabilities that Salt Typhoon was able to exploit.

The DHS memo warns that the breach “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units and possibly many of their state-level cybersecurity partners.” The hackers reportedly accessed:

  • Maps of geographic locations and strategic assets within the targeted state
  • Diagrams of internal networks
  • Personal and operational data of Guard personnel

The exposure of these materials could have significant implications for national and regional defense readiness, and it suggests that state-level military structures are not adequately hardened against sophisticated, persistent threat actors.

A Pattern of Long-Term Access

Salt Typhoon’s operational hallmark is patience and stealth. The group is known to maintain long-term access within compromised environments, sometimes for years, before detection. This was evident in the recent AT&T case, where the company publicly stated it “appeared” the intrusion was over—without confirming full eradication.

This mirrors a growing trend in state-sponsored attacks, particularly from adversaries with extensive resources and strategic intent. Rather than seeking immediate disruption, attackers like Salt Typhoon focus on long-term intelligence gathering, access mapping, and system manipulation, slowly embedding themselves into networks until detection becomes nearly impossible without active endpoint monitoring and prevention.

The implications for national cybersecurity strategy are serious. Federal agencies have long invested in perimeter and detection-based defenses. But when a threat actor gains access and operates within a network undetected for months—or years—the traditional reactive tools are no longer sufficient.

The National Guard’s Vulnerability

The National Guard’s role in both state and national response makes it a prime target. From disaster relief to civil support and national defense, its personnel and digital infrastructure are critical to domestic resilience. If cyberattackers can move laterally between military systems and local government systems—particularly law enforcement fusion centers as the DHS memo notes—then the risk extends beyond the Guard itself.

The attack not only threatens the security of military operations but also weakens the information-sharing partnerships that underpin interagency response to crises, including terrorism, public health emergencies, and cyberattacks themselves.

Despite statements that the breach has not impacted current National Guard missions, it is clear the consequences may be long-term and strategic in nature. The full scope of data accessed remains unknown, and efforts to determine the damage are ongoing.

Why Endpoint Protection Now Demands More

While attribution and post-mortem analysis are essential, these alone cannot prevent the next breach. As threat actors increasingly rely on tools like keylogging, screen capture, and data exfiltration to silently gather intelligence from within trusted environments, government agencies must evolve their defenses accordingly.

“AI-powered malware no longer just exfiltrates single files or credentials,” said Tim Royston-Webb, CEO, SentryBay. “It quietly surveils, logs keystrokes, captures entire documents and spreadsheets, and builds real-time intelligence profiles. Without enforcing data security at the endpoint itself, even the most hardened perimeter will eventually be breached.”

Solutions like SentryBay’s Armored Client address this critical gap. Rather than waiting for malicious behavior to be detected, Armored Client renders stolen data unusable at the moment of capture. It:

For military, law enforcement, and national security agencies tasked with protecting sensitive data across hybrid and federated networks, proactive endpoint threat prevention is no longer optional—it is mission-critical.

The National Guard data breach is a wake-up call. Defending against espionage now begins at the endpoint.