National Guard Under Siege: A Comprehensive Analysis of Cybersecurity Breaches and Insider Threats


Executive Summary

The United States National Guard, a critical component of the nation's defense infrastructure, has faced an alarming series of cybersecurity breaches and insider threats that expose significant vulnerabilities in military data protection. The most recent and concerning incident involves the Chinese state-sponsored hacking group Salt Typhoon, which maintained undetected access to National Guard networks for nine months throughout 2024. This breach, combined with historical incidents involving both external attacks and internal threats, reveals a troubling pattern of security vulnerabilities that threaten national security and service member safety.

The Salt Typhoon Breach: A Nine-Month Infiltration

The Attack Timeline

According to the Department of Homeland Security, Salt Typhoon had access to National Guard systems between March and December 2024, one of the longest undetected penetrations of U.S. military networks by a foreign adversary. The Chinese state-sponsored group remained undetected in a U.S. Army National Guard network for those nine months, stealing network configuration files and administrator credentials that could be used to compromise other government networks.

Scope of the Compromise

The breach's impact extends far beyond a single state's National Guard unit. During this time, the group stole sensitive data from its victims, including administrator credentials, network traffic diagrams, geographical maps, and personally identifiable information (PII) of service members. Furthermore, the attackers accessed data traffic between the state's network and every other US state, and at least four additional territories.

This level of access provided Salt Typhoon with unprecedented visibility into the interconnected nature of National Guard communications nationwide. The stolen network configurations and administrator credentials created a potential pathway for the attackers to pivot to other government and military networks across the country.

The Broader Salt Typhoon Campaign

Salt Typhoon's attack on the National Guard is just one component of a massive, coordinated campaign against U.S. infrastructure. The group is frequently in the news for recent attacks against AT&T, Verizon, Lumen, Charter, Windstream, and Viasat, among others, often abusing unpatched Cisco routers to gain access before deploying custom malware such as JumbledPath and GhostSpider.

The strategic nature of these attacks suggests a coordinated effort to position Chinese intelligence services within critical U.S. infrastructure. The goal of the campaign was to already be present inside these networks should tensions between the U.S. and China over Taiwan escalate into a full-blown war, giving China the ability to disrupt networks and steal key intelligence.

Technical Analysis of the Breach

"An elite APT like Salt Typhoon maintaining undetected access to a US National Guard network for nearly a year is a major operational success on their part and a concerning lapse in defensive visibility," says Ensar Seker, SOCRadar's chief information security officer (CISO).

The attackers' methodology demonstrates sophisticated tradecraft typical of advanced persistent threats (APTs). Exactly how the breach happened has not been disclosed, but DHS did say the group is known for exploiting existing vulnerabilities (CVEs) in Cisco routers and similar hardware.

This modus operandi aligns with Salt Typhoon's established pattern of targeting network infrastructure devices, particularly those with known vulnerabilities that remain unpatched. The group's ability to remain undetected for nine months suggests they employed careful operational security measures, likely including the use of legitimate administrative tools and living-off-the-land techniques to blend in with normal network traffic.

Historical Context: The Jack Teixeira Case

The Discord Leaks Incident

The National Guard's vulnerability to insider threats was dramatically highlighted in 2023 with the case of Air National Guard member Jack Teixeira. In the months following the arrest of Airman 1st Class Jack Teixeira, a member of the Massachusetts Air National Guard, for leaking national security secrets to his friends on Discord, the Defense Department has released new policies and procedures for how it handles classified information.

The U.S. government charged the Air National Guardsman accused of leaking classified information with two counts under the Espionage Act. This case represented one of the most significant intelligence leaks in recent years, exposing sensitive information about U.S. military operations and intelligence assessments.

Impact on National Security

The Teixeira case revealed fundamental weaknesses in how the military handles classified information access and monitoring. U.S. and European officials scrambled to understand how dozens of classified documents covering all manner of intelligence gathering had made their way online with little notice.

The leak had far-reaching implications for U.S. relationships with allies and adversaries alike, as the disclosed documents contained sensitive intelligence assessments about ongoing conflicts and diplomatic activities.

The 2015 Data Exposure Incident

Contractor Negligence

Not all security incidents involving the National Guard have been malicious. National Guard Bureau spokesman Maj. Earl Brown said a contract employee inadvertently transferred files containing personal information to a non-Department of Defense-accredited data center.

The data included names, Social Security numbers and home addresses, and the breach could affect current and former members dating back to 2004. This incident demonstrates how human error and inadequate oversight of contractor activities can create significant security vulnerabilities.

Scale and Response

The 2015 incident affected over a decade's worth of National Guard personnel records. "This was not a hacking incident, in which the intent was to use data for financial gain," Brown said. However, the exposure of such sensitive personal information created long-term risks for affected service members, including potential identity theft and targeted social engineering attacks.

Current Military Cybersecurity Challenges

Recent Soldier Hacking Case

The military's cybersecurity challenges extend beyond the National Guard. In a separate case, a soldier named Wagenius was stationed at Fort Cavazos and at a U.S. Army base in South Korea throughout the scheme, which ran between April 2023 and Dec. 18, 2024 and during which he used online accounts linked to different nicknames, according to court documents.

This case involves a 21-year-old soldier who allegedly hacked databases and threatened to leak stolen data, demonstrating that insider threats remain a persistent challenge across all military branches.

Insider Threat Definition and Scope

The Department of Homeland Security provides a comprehensive definition of insider threats: "An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States."

The Cybersecurity and Infrastructure Security Agency (CISA) further elaborates: "Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems."

Economic Impact

The financial consequences of insider threats have grown dramatically. The total average cost of insider threat incidents rose from $8.3 million in 2018 to $16.2 million in 2023 according to the 2023 Cost of Insider Threats Global Report by Ponemon Institute.

For military organizations, these costs extend beyond financial losses to include potential compromise of national security assets and operational capabilities.

Systemic Vulnerabilities and Challenges

Network Interconnectedness

The Salt Typhoon breach highlights a fundamental challenge in military cybersecurity: the interconnected nature of National Guard networks. The attackers' ability to access "data traffic between the state's network and every other US state, and at least four additional territories" demonstrates how a single point of compromise can have nationwide implications.

This interconnectedness, while operationally necessary for coordination and information sharing, creates a single point of failure that sophisticated adversaries can exploit for maximum impact.

Contractor and Third-Party Risks

The 2015 data exposure incident underscores the risks associated with contractor access to sensitive military information. As military organizations increasingly rely on civilian contractors for IT services and support, the attack surface expands to include individuals who may not have the same level of security training or oversight as military personnel.

Detection and Response Capabilities

The nine-month duration of the Salt Typhoon breach raises serious questions about the military's ability to detect and respond to sophisticated cyber intrusions. Modern APT groups employ increasingly sophisticated techniques to evade detection, but the extended timeframe suggests significant gaps in network monitoring and anomaly detection capabilities.

Broader Implications for National Security

Strategic Positioning by Adversaries

The Salt Typhoon campaign represents a strategic shift in how nation-state actors approach cyberspace. Rather than conducting hit-and-run operations for immediate intelligence gain, groups like Salt Typhoon are positioning themselves within critical infrastructure for potential future operations.

This approach, sometimes called "living off the land" or "persistent engagement," allows adversaries to maintain access while learning about target networks and positioning themselves for maximum impact during potential conflicts.

The Taiwan Factor

The specific mention of Taiwan in the Salt Typhoon campaign objectives is particularly concerning. As tensions between the U.S. and China over Taiwan continue to escalate, having pre-positioned access to U.S. military networks could provide China with significant advantages in the event of conflict.

The ability to disrupt military communications, steal operational plans, or conduct sabotage operations from within compromised networks could potentially alter the outcome of military operations.

Recommendations and Mitigation Strategies

Enhanced Network Monitoring

The extended duration of the Salt Typhoon breach highlights the need for more sophisticated network monitoring capabilities. Military organizations should implement:

  • Advanced behavioral analytics to detect unusual network activity
  • Zero-trust architecture that assumes no implicit trust based on network location
  • Continuous monitoring of privileged account activities
  • Real-time threat hunting capabilities
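As an added illustration of the first and third recommendations (not code from the article), the script below runs two simple detections over constructed device-audit log lines that mirror what was stolen in the Salt Typhoon breach: a privileged account logging in to a network device from a source address never seen for that account during a learning baseline, and configuration-export commands issued outside an expected change window. The log format, account names, device names, addresses and the change window are all assumptions.

```python
"""Added example (not from the article): two detections over constructed
network-device audit logs, keyed to the Salt Typhoon reporting on stolen
administrator credentials and network configuration files.
All account names, devices, addresses and the log format are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<iso-time> <device> <user> <src-ip> <event> [detail]"
SAMPLE_LOGS = """\
2024-03-01T09:12:00 rtr-ng-01 netadmin 10.20.1.15 LOGIN
2024-03-01T09:13:10 rtr-ng-01 netadmin 10.20.1.15 CMD show ip interface brief
2024-03-02T10:05:00 rtr-ng-02 netadmin 10.20.1.15 LOGIN
2024-03-15T02:41:07 rtr-ng-01 netadmin 198.51.100.7 LOGIN
2024-03-15T02:42:30 rtr-ng-01 netadmin 198.51.100.7 CMD copy running-config tftp://198.51.100.9/cfg
2024-03-15T02:50:00 rtr-ng-02 netadmin 198.51.100.7 CMD show running-config
"""

PRIVILEGED = {"netadmin"}                      # assumed privileged accounts
CONFIG_EXPORT = ("copy running-config", "show running-config", "show startup-config")
CHANGE_WINDOW = (8, 18)                        # assumed hours in which config work is expected

def parse(line):
    """Split one audit line into its fields; 'detail' holds the command text, if any."""
    ts, device, user, src, event, *rest = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "device": device, "user": user,
            "src": src, "event": event, "detail": rest[0] if rest else ""}

def build_baseline(events, until):
    """Source addresses each privileged account used before the learning cut-off."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN" and e["user"] in PRIVILEGED and e["ts"] < until:
            seen[e["user"]].add(e["src"])
    return seen

def detect(log_text, baseline_until):
    """Return alerts for events after the cut-off (an ISO date string)."""
    cutoff = datetime.fromisoformat(baseline_until)
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue  # the learning period is only used to build the baseline
        if e["event"] == "LOGIN" and e["user"] in PRIVILEGED and e["src"] not in baseline[e["user"]]:
            alerts.append(("NEW_ADMIN_SOURCE", e["user"], e["src"], e["device"]))
        if e["event"] == "CMD" and e["detail"].startswith(CONFIG_EXPORT):
            if not CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]:
                alerts.append(("CONFIG_EXPORT_OFF_HOURS", e["user"], e["src"], e["device"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, "2024-03-10"):
        print(*alert)
```

In a real deployment the baseline would be learned from an authenticated log source such as TACACS+ or syslog accounting rather than embedded text, and a first-seen source for an admin account would be correlated with change tickets before paging anyone.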

Insider Threat Programs

The Jack Teixeira case demonstrates the need for comprehensive insider threat programs that include:

  • Regular background checks and security clearance reviews
  • Monitoring of social media and online activities for security clearance holders
  • Psychological evaluation and support programs
  • Clear policies on information sharing and social media use

Contractor Security

The 2015 data exposure incident shows the importance of:

  • Rigorous vetting of contractors with access to sensitive information
  • Clear data handling procedures and training
  • Regular audits of contractor security practices
  • Limitations on contractor access to sensitive systems

Incident Response and Recovery

Organizations should develop comprehensive incident response plans that include:

  • Rapid containment procedures for detected breaches
  • Clear communication protocols for notifying affected personnel
  • Coordination with law enforcement and intelligence agencies
  • Long-term monitoring for signs of data misuse

Conclusion

The pattern of cybersecurity breaches and insider threats targeting the National Guard reveals a complex and evolving threat landscape that challenges traditional approaches to military security. The Salt Typhoon breach, in particular, demonstrates how sophisticated adversaries can exploit network vulnerabilities to gain persistent access to critical military infrastructure.

The combination of external cyber attacks, insider threats, and contractor-related incidents creates a multi-faceted security challenge that requires comprehensive, layered defenses. The interconnected nature of modern military networks, while operationally necessary, creates systemic vulnerabilities that adversaries are increasingly adept at exploiting.

As geopolitical tensions continue to escalate, particularly with regard to Taiwan and broader U.S.-China relations, the strategic importance of securing military networks becomes even more critical. The National Guard, as both a federal reserve component and a state-level organization, occupies a unique position in the defense ecosystem that makes it an attractive target for both nation-state actors and other threat actors.

Moving forward, military organizations must invest in advanced cybersecurity capabilities, comprehensive insider threat programs, and robust incident response capabilities. The cost of these investments, while significant, pales in comparison to the potential consequences of allowing adversaries to maintain persistent access to critical military networks.

The lessons learned from these incidents should inform broader discussions about military cybersecurity and the need for sustained investment in defensive capabilities. As the threat landscape continues to evolve, so too must the military's approach to protecting its most sensitive information and critical infrastructure.

The National Guard's experiences with cybersecurity breaches serve as a microcosm of broader challenges facing the entire U.S. military in the digital age. By understanding these threats and implementing comprehensive countermeasures, military organizations can better protect themselves and the nation they serve from the growing array of cyber threats in the 21st century.