The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials that could be used to compromise other government networks.
Salt Typhoon is a Chinese state-sponsored hacking group believed to be affiliated with China’s Ministry of State Security (MSS) intelligence agency. The group has gained notoriety over the past two years for its wave of attacks on telecommunications and broadband providers worldwide, including AT&T, Verizon, Lumen, Charter, Windstream, and Viasat.
The goal of some of these attacks was to gain access to sensitive call logs, private communications, and law-enforcement wiretap systems used by the U.S. government.
National Guard network breached for nine months
A June 11 Department of Homeland Security memo, first reported by NBC, says that Salt Typhoon breached a U.S. state’s Army National Guard network for nine months between March and December 2024.
During this time, the hackers stole network diagrams, configuration files, administrator credentials, and personal information of service members that could be used to breach National Guard and government networks in other states.
“Between March and December 2024, Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report,” reads the memo.
“This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units.”
The memo further states that Salt Typhoon has previously used stolen network topologies and configuration files to compromise critical infrastructure and U.S. government agencies.
“Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere,” the memo continues.
“Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed their compromise of a vulnerable device on another U.S. government agency’s network.”
Network configuration files contain the settings, security profiles, and credentials configured on networking devices, such as routers, firewalls, and VPN gateways. This information is valuable to an attacker, as it can be used to identify paths to, and credentials for, other sensitive networks that are usually not reachable from the Internet.
The DHS warns that between 2023 and 2024, Salt Typhoon stole 1,462 network configuration files associated with approximately 70 U.S. government and critical infrastructure entities across 12 sectors.
While it was not disclosed how Salt Typhoon breached the National Guard network, Salt Typhoon is known for targeting old vulnerabilities in networking devices, such as Cisco routers.
The DHS memo shared the following vulnerabilities that Salt Typhoon has leveraged in the past to breach networks:
- CVE-2018-0171: A critical flaw in Cisco IOS and IOS XE Smart Install that allows remote code execution via specially crafted TCP packets.
- CVE-2023-20198: A zero-day affecting the Cisco IOS XE web UI that enables unauthenticated remote access to devices.
- CVE-2023-20273: A privilege escalation flaw also targeting IOS XE that allows hackers to execute commands as root. This flaw has been seen chained with CVE-2023-20198 to maintain persistence.
- CVE-2024-3400: A command injection vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect, which allows unauthenticated attackers to execute commands on devices.
The DHS also shared a list of IP addresses that Salt Typhoon used when exploiting the above vulnerabilities.
In earlier attacks, the hackers exploited unpatched Cisco routers in telecom environments to gain access to infrastructure. The attackers used this access to spy on the communications of U.S. political campaigns and lawmakers.
As part of these attacks, the threat actors deployed custom malware named JumbledPath and GhostSpider to surveil telecom networks.
The DHS memo urges National Guard and government cybersecurity teams to ensure these flaws have been patched and to turn off unnecessary services, segment SMB traffic, enforce SMB signing, and implement access controls.
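As an added example (not code from the DHS memo or this article), the Python audit below scans a saved IOS-style device configuration for the exposures the memo's guidance addresses: reversibly stored credentials, default or read-write SNMP communities, an exposed web UI (the CVE-2023-20198 surface), and Smart Install left enabled (the CVE-2018-0171 surface). Both sample configurations are constructed for the demonstration, and the patterns assume standard Cisco IOS command syntax.

```python
import re

# Constructed Cisco IOS-style running config for the demonstration (not from the DHS memo).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
username admin privilege 15 password 7 094F471A1A0A
username svc secret 9 $9$constructed-sample-hash
snmp-server community public RO
snmp-server community private RW
ip http server
ip http secure-server
"""

# Constructed hardened counterpart: hashed secrets, non-default read-only SNMP, web UI off, Smart Install off.
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret 9 $9$constructed-sample-hash
username admin privilege 15 secret 9 $9$constructed-sample-hash
snmp-server community s3cr3tRO RO
no ip http server
no ip http secure-server
no vstack
"""

# Per-line checks: (finding name, regex, why it matters once the file is exfiltrated).
LINE_CHECKS = [
    ("enable_password_plaintext", r"^enable password ", "reversible enable password; use 'enable secret'"),
    ("type7_password", r"\bpassword 7 ", "type 7 encoding is reversible; store the credential with 'secret'"),
    ("snmp_default_community", r"^snmp-server community (public|private)\b", "default SNMP community string"),
    ("snmp_rw_community", r"^snmp-server community \S+ RW\b", "read-write SNMP gives device control to the file holder"),
    ("http_ui_enabled", r"^ip http (secure-)?server$", "web UI exposed (CVE-2023-20198 surface); disable or restrict it"),
]

def audit_config(text):
    """Return (line_no, finding_name, advice) tuples for one config; line 0 marks a whole-file finding."""
    lines = [line.strip() for line in text.splitlines()]
    findings = [(no, name, advice)
                for no, line in enumerate(lines, start=1)
                for name, pattern, advice in LINE_CHECKS
                if re.search(pattern, line)]
    # Smart Install is on by default on many IOS platforms and leaves no line in the config;
    # only an explicit 'no vstack' shows the CVE-2018-0171 surface is closed.
    if "no vstack" not in lines:
        findings.append((0, "smart_install_not_disabled", "add 'no vstack'; Smart Install may still be listening"))
    return findings

def finding_names(text):
    """Distinct finding names for a config, sorted for stable comparison."""
    return sorted({name for _, name, _ in audit_config(text)})
```

Run against archived configs before they reach a backup server or ticketing system; every finding is a credential or service that an attacker holding the file would not need to break.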
A National Guard Bureau spokesperson confirmed the breach to NBC but declined to share specifics, stating that it had not disrupted federal or state missions.
China’s embassy in Washington did not deny the attack but stated that the U.S. had not provided “conclusive and reliable evidence” that Salt Typhoon is linked to the Chinese government.