2025.06.11 DHS Salt Typhoon

*** FOR OFFICIAL USE ONLY *** LAW ENFORCEMENT USE ONLY ***
CYBER THREATS
CYBERSECURITY
(U//FOUO) Salt Typhoon: Data Theft Likely Signals Expanded Targeting
(U//FOUO) A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-
associated cyber actors—publicly tracked as Salt Typhoon—likely provided Beijing with data that could facilitate the
hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners. If the
PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity
partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.
Details on the tactics used by Salt Typhoon are available in Appendix A, and guidance to help National Guard and state
governments detect, prevent, and mitigate this threat is in Appendix B.
(U//FOUO/REL TO USA, FVEY) Between March and December 2024, Salt Typhoon extensively compromised a US
state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic
with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report. This
data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate
follow-on Salt Typhoon hacks of these units.
• (U//FOUO/NF) Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions
elsewhere. Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US
government and critical infrastructure entities, including at least two US state government agencies. At least one of these
files later informed their compromise of a vulnerable device on another US government agency’s network.
(U//FOUO) Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine
local cybersecurity efforts to protect critical infrastructure. In some 14 states, Army National Guard units are integrated
with state fusion centers responsible for sharing threat information—including cyber threats. In at least one state, the local
Army National Guard unit directly provides network defense services.
(U//FOUO) Salt Typhoon access to Army National Guard networks in these states could include information on state
cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity
personnel—data that could be used to inform future cyber-targeting efforts.
• (U//FOUO/REL TO USA, FVEY) In 2024, Salt Typhoon used its access to a US state’s Army National Guard network
to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and
PII of its service members, according to DOD reporting.
OFFICE of INTELLIGENCE and ANALYSIS
INTELLIGENCE in Focus
11 JUNE 2025 DHS-IA-IF-2025-08873

(U//FOUO) Appendix A: Salt Typhoon Tactics
(U//FOUO/NF) Since 2023, Salt Typhoon has exploited a number of different common vulnerabilities and exposures
(CVEs) using a range of leased internet protocol (IP) addresses to mask its activity, including those below. Details on
these CVEs and detailed instructions on mitigating these risks are available at the NIST National Vulnerability Database.
More guidance can be found in the December 2024 joint advisory on CISA.gov titled: Enhanced Visibility and Hardening
Guidance for Communications Infrastructure.
(U) Appendix B: Detection and Mitigation Techniques
(U//FOUO/REL TO USA, FVEY) Network defenders should follow best practices to harden their network devices against
cyber exploitation and to maintain proper auditing and logging of network activity. They should also implement the
following DOD security best practices:
(U) Server Message Block Best Practices
• (U) If not required for external access, ensure that server message block (SMB) traffic is not exposed to the internet. If
external access is required, configure firewalls to allow SMB traffic only from trusted networks or specified IP addresses.
• (U) Place SMB services in separate, secured network segments.
• (U) Use SMBv3, which allows data to be encrypted in transit. (SMBv3 does not encrypt traffic by default; encryption
must be enabled on the server.)
• (U) Disable SMB on systems where it is not needed.
(U//FOUO) National Guard Hack Part of Broader Salt Typhoon Campaign
(U//FOUO/NF) In 2023 and 2024, Salt Typhoon also stole 1,462 network configuration
files associated with approximately 70 US government and critical infrastructure
entities from 12 sectors, including Energy, Communications, Transportation, and
Water and Wastewater. These configuration files could enable further computer
network exploitation of other networks, including data capture, administrator
account manipulation, and lateral movement between networks, according to CISA
reporting and NSA guidance.
(U) A configuration file defines the parameters, options, settings, and
preferences applied to operating systems, devices, and applications in a
network. Router configuration files store the settings and instructions a
router uses to operate, such as network addresses, routing protocols, and
security configurations.
(U//FOUO/REL TO USA, FVEY) Access to configuration files can provide a threat
actor with sensitive information like credentials, network topology details,
and security settings they need to gain and maintain access, as well as to
exfiltrate data.
Exploited CVEs
CVE-2018-0171
CVE-2023-20198
CVE-2023-20273
CVE-2024-3400

• (U) Enable SMB signing. In SMB signing, digital signatures are used to sign SMB packets. This ensures that the
packets have not been tampered with during transmission and verifies the identity of the sender.
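As an added example (it is not part of the DHS report or the DOD guidance it cites), the PowerShell script below audits a Windows file server against the SMB items above (SMBv1 disabled, SMBv3 encryption on, signing required on server and client, TCP/445 reachable only from trusted networks) and, when run with -Enforce, applies them using the standard SmbShare and NetSecurity cmdlets. The 10.0.0.0/8 trusted range and the firewall rule names are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the DHS report: audit/enforce the Appendix B SMB settings.
param(
    [switch]$Enforce,
    [string[]]$TrustedRemote = @('10.0.0.0/8')   # placeholder: networks allowed to reach TCP/445
)

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# Desired state: SMBv1 off, SMBv3 encryption on (it is off by default), signing required.
$checks = @(
    @{ Name = 'SMBv1 disabled';                 Ok = -not $server.EnableSMB1Protocol },
    @{ Name = 'SMB encryption (server-wide)';   Ok = $server.EncryptData },
    @{ Name = 'Reject unencrypted clients';     Ok = $server.RejectUnencryptedAccess },
    @{ Name = 'SMB signing required (server)';  Ok = $server.RequireSecuritySignature },
    @{ Name = 'SMB signing required (client)';  Ok = $client.RequireSecuritySignature }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $c.Name)
}

# A non-administrative share without its own EncryptData flag relies on the server-wide flag.
Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData } |
    ForEach-Object { Write-Output "[WARN] share '$($_.Name)' is not marked EncryptData" }

# An enabled inbound Allow rule for TCP/445 on the Public (or Any) profile is internet exposure.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { (($_ | Get-NetFirewallPortFilter).LocalPort -contains '445') -and
                   ($_.Profile -match 'Public|Any') } |
    ForEach-Object { Write-Output "[WARN] Public-profile rule allows SMB inbound: $($_.DisplayName)" }

if ($Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true `
        -RejectUnencryptedAccess $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Allow SMB only from the trusted ranges on Domain/Private, and block it outright on Public.
    New-NetFirewallRule -DisplayName 'SMB-In (trusted networks only)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $TrustedRemote -Action Allow -Profile Domain,Private
    New-NetFirewallRule -DisplayName 'SMB-In block (Public profile)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Public
}
```

Run it without -Enforce first and review the WARN lines, because forcing encryption and signing will cut off any legacy client that cannot negotiate SMBv3.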
(U) Credential Harvesting and File Exfiltration Prevention
• (U) Implement robust password complexity and rotation policies.
• (U) Use strong encryption algorithms or services to encrypt data-at-rest.
• (U) Implement Role-Based Access Control to ensure only authorized users and systems have access to sensitive data.
• (U) Apply the principle of least privilege, granting users only the access necessary for their daily duties.
CYBERSECURITY
US Critical Infrastructure Could Become Casualty of Iran-Israel Conflict
Security researchers are warning that the outbreak of
direct hostilities between Israel and Iran may soon lead to
malicious cyberattacks against critical infrastructure sites
in the U.S. from state-linked actors, hacktivist groups and
cyber criminals. State-backed and hacktivist cyber threats
against Israel and the U.S.’s Middle Eastern allies are
escalating, according to researchers at Radware. Experts
have seen a spike in pro-Iran threat activity on Telegram
and other public channels. Threat actors have warned
Saudi Arabia and Jordan to expect attacks on their critical
infrastructure if they help Israel in its conflict with Iran,
and activist groups have claimed to have disrupted Israeli
radio stations. Source: Cyber Security Dive, 6/16/2025
*Analyst Comment* According to threat researchers at Radware, a surge in pro-Iranian cyber threat actor activity was
observed immediately following the 13 June 2025 Israeli attack on Iran. Radware claims that spikes in activity were seen
in several Telegram chats with pro-Iranian cyber threat groups, and that in some cases the groups issued “warnings” to
other Middle Eastern countries, telling them that if they supported Israel their critical infrastructure operations would be
targeted. Other cyber threat actor groups targeted Israel directly, with one group targeting Israeli media websites and
another targeting Israeli government websites. The effectiveness of their attacks remains unclear. As the U.S. is being
seen as supportive of the Israeli efforts, and the U.S. has directly intervened in the conflict, it is likely that pro-Iranian
threat actors will also attempt to conduct offensive cyber operations against U.S. industries to disrupt operations.
Researchers have also suggested that as Iran’s military capabilities become diminished due to the toll of the continuing
conflict, Iran may increasingly rely on cyber operations to retaliate against Israel and “reassert power and deter further
challenges.” These cyber actions will likely be carried out by state-sponsored hacking groups and “hacktivist” groups that
are closely aligned with Iran. Source: Transit and Rail Intelligence Awareness Daily Report (TRIAD)
PUBLIC SAFETY
Experts issue urgent warning as highly toxic plant spreads rapidly through almost every
US state: here's what you need to know
Bend, Oregon - Officials across the United States are warning people to be cautious
when outdoors because poison hemlock is spreading rapidly through almost every state.
From Tennessee to Montana, poison hemlock (Conium maculatum) is popping up,
according to Southern California's KTLA 5. NBC4 reported the plant's presence in
Ohio, and King County in Washington has also posted warnings. This highly toxic
plant can be fatal to humans if ingested, even in small quantities. Simply brushing up