There is growing alarm in the defense cyber community about reports that a China‑linked advanced persistent threat called Salt Typhoon has breached core U.S. telecommunications infrastructure. Those reports, published in mainstream outlets this week, describe intrusions into multiple broadband providers and possible access to systems used to satisfy court‑authorized wiretap requests. Those developments are serious on their own and rightfully demand immediate attention from operators and security leaders. (See sources.)
At the same time I want to be blunt about what is and is not supported by public reporting as of now. Reliable reporting through early October 2024 documents intrusions into telecom vendor networks and concerns about long dwell time in ISP infrastructure. Public confirmation that Salt Typhoon compromised any Army National Guard network for nine months is not present in the reporting available to date. It is tempting to conflate later, more alarming allegations with the early telecom disclosures, but responsible analysis requires separating confirmed telemetry from reasonable but unverified scenarios.
Why the National Guard would be an attractive target
Even without a confirmed Guard compromise, the system architecture that supports state National Guard units makes them plausible targets. State Guard networks are often a mix of mission partners, commercial services, and legacy systems. Modernization efforts such as GuardNet integrations increase operational capability but also increase the attack surface when commercial providers and state systems are interconnected or when common vendor tooling is used across jurisdictions.
From an adversary perspective the payoff of targeting a state Guard network is clear. Access to administrative credentials, network diagrams, or maps of unit locations would serve both intelligence collection and prepositioning objectives. Those artifacts lower the cost of follow‑on intrusions and could be used to identify high value nodes for future disruption. The telecom breaches reported this week illustrate that actors who can reach core communications infrastructure can harvest metadata and service configuration information that is useful for exploiting dependent networks.
What the public reporting says about TTPs
Public coverage indicates the intrusions into broadband providers allowed attackers to copy call records and other traffic metadata and to touch systems used for law enforcement wiretap support. Reported attributes include prolonged access and the ability to copy internet traffic passing through provider networks. Those tactics match a patient espionage approach: exploit vendor or infrastructure weaknesses, establish persistence, and quietly siphon high‑value data over time. (See sources.)
If a state Guard network had been compromised for months, investigators would expect to look for the following signs based on the telecom intrusions and common APT behaviors: unauthorized privileged accounts, lateral movement using harvested credentials, exfiltration to external infrastructure, modifications to routing or access control that enable stealthy persistence, and use of vendor or management channels as covert conduits.
Risk picture and what a nine month dwell would enable
Sustained, undetected access in a military or state defense network would amplify risk on multiple axes:
- Operational security. Exposure of plans, unit locations, or communications channels undermines tactical confidentiality.
- Supply chain and trust relationships. Credentials and diagrams permit pivoting into partner networks and vendor ecosystems.
- Personnel risk. PII for service members and cybersecurity staff can be used for social engineering, coercion, or targeting.
None of these outcomes is hypothetical to an attacker with months of access. The telecom reporting should therefore be treated as a red flag that requires aggressive hardening across any connected mission networks, including state Guard environments.
Immediate defensive priorities for National Guard and state cyber leaders
Whether or not a specific Guard compromise is confirmed, assume that attackers will try to leverage any trusted pathways between commercial providers and mission networks. The following checklist is operational and actionable for state Guard CISOs, network operators, and security teams:
1) Assume compromise and hunt. Start targeted threat hunting focused on privileged accounts, unusual login times, new administrative accounts, and unusual northbound traffic to external IPs. Post‑compromise indicators of interest include anomalous SSH/HTTPS management sessions and traffic to uncommon ports.
2) Validate segmentation and zero trust controls. Enforce least privilege on management planes. Segment Guard management and orchestration systems from user networks and from any commercial backhaul where possible.
3) Rotate and audit credentials. Replace long‑standing administrative credentials, revoke stale certificates, and enforce hardware MFA for privileged access. Audit service accounts and third party vendor access.
4) Harden network devices and patch immediately. Prioritize patching for routers, switches and VPN concentrators. Disable unused management interfaces and block remote management from the public internet.
5) Improve logging and retention. Ensure device logs and EDR telemetry are centralized and retained long enough for forensic timelines. Correlate logs with ISP notifications and threat intel feeds.
6) Contain and preserve. If compromise is suspected, isolate affected systems, preserve volatile evidence, and engage federal partners for forensic support. Do not reimage or remediate without forensics if you need to support attribution or broader mitigation across dependent networks.
7) Coordinate with federal and state partners. Share indicators with CISA, FBI and state fusion centers. Coordinated response limits attacker freedom to pivot between jurisdictions.
8) Exercise and plan for degradation. Run tabletop exercises that assume communication channels will be degraded or monitored. Prepare resilient, out‑of‑band communications for command and control during crises.
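To make item 1 of the checklist concrete, here is an added hunting example (not code from the article or any agency): it scans constructed authentication events and flow records for the indicators named above, namely new administrative accounts, privileged logins outside a staffing window, and northbound management or bulk traffic to non-internal IPs. Host names, the log format, the business-hours window and the byte threshold are all assumptions for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample telemetry for this example; not from the article or a real incident.
AUTH_LOGS = [
    "2024-10-05T03:12:44 host=rtr1 event=login user=svc_backup privileged=true src=10.20.4.7",
    "2024-10-05T09:15:02 host=jump01 event=login user=jdoe privileged=false src=10.20.4.7",
    "2024-10-05T03:40:10 host=jump01 event=useradd user=netops2 group=wheel",
    "2024-10-06T14:02:11 host=rtr1 event=login user=netops2 privileged=true src=10.20.9.3",
]
FLOWS = [
    "2024-10-05T03:20:01 src=10.20.4.7 dst=10.20.1.10 dport=22 bytes=3100",
    "2024-10-05T03:22:31 src=10.20.4.7 dst=203.0.113.45 dport=8443 bytes=48000000",
    "2024-10-05T10:00:00 src=10.20.9.3 dst=198.51.100.7 dport=443 bytes=12000",
]
ADMIN_GROUPS = {"wheel", "sudo", "Administrators"}
BUSINESS_HOURS = range(7, 19)      # assumed staffing window, 07:00-18:59 local time
EXFIL_BYTES = 10_000_000           # assumed threshold for a "large" outbound transfer
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def hunt(auth_logs, flows):
    """Return (kind, subject, where) findings for the checklist's item-1 indicators."""
    findings, new_admins = [], set()
    for r in map(parse, auth_logs):
        if r["event"] == "useradd" and r.get("group") in ADMIN_GROUPS:
            new_admins.add(r["user"])                       # new privileged account created
            findings.append(("new_admin_account", r["user"], r["host"]))
        elif r["event"] == "login" and r.get("privileged") == "true":
            if r["ts"].hour not in BUSINESS_HOURS:          # privileged login at an unusual time
                findings.append(("offhours_privileged_login", r["user"], r["host"]))
            if r["user"] in new_admins:                     # freshly created admin already in use
                findings.append(("new_admin_privileged_login", r["user"], r["host"]))
    for f in map(parse, flows):
        if is_internal(f["dst"]):
            continue                                        # east-west traffic is out of scope here
        if int(f["dport"]) != 443 or int(f["bytes"]) > EXFIL_BYTES:
            findings.append(("northbound_anomaly", f["src"], f"{f['dst']}:{f['dport']}"))
    return findings

if __name__ == "__main__":
    for kind, subject, where in hunt(AUTH_LOGS, FLOWS):
        print(f"{kind:28} {subject:12} {where}")
```

Real deployments would feed centralized syslog or EDR exports into `hunt` and tune the window, threshold and allowed-port set to the environment's baseline (item 5 of the checklist is what makes that baseline available).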
Communicate clearly to leaders and operators
Operational leaders want clear statements about mission impact. Telling them “we do not currently have verified evidence of a nine month compromise of Guard networks” is different from saying “we are not at risk.” The right posture is honest, urgent, and prescriptive: acknowledge the telecom intrusions, treat interconnected state defense networks as higher risk, and act now to harden, hunt, and prepare fallback options.
Final takeaways
The telecom intrusions attributed to Salt Typhoon are a major escalation in terms of scale and sensitivity of data at risk. If later reporting confirms a prolonged Army National Guard compromise, it would represent another painful example of how adversaries exploit weak links at the state and vendor level to reach mission systems. Until that confirmation exists in public reporting I will not present the National Guard compromise as a verified fact.
But the operational reality is unchanged. Any state or mission network that depends on commercial telecommunications or shared vendor tooling must treat this moment as a crisis for immediate remediation. Assume an adversary is capable of long dwell and lateral movement. Harden the basics first, then hunt and coordinate. In cybersecurity the cost of ignoring reasonable risk signals is measured in months of lost visibility and years of cleanup. Act like your mission depends on it, because it does.