From Backbone to Battlefront: Salt Typhoon’s Espionage Leap from Telecom to the National Guard

Ben Wilkens - July 17, 2025

In late 2024, I wrote a blog outlining how a Chinese state-sponsored Advanced Persistent Threat (APT) actor—tracked as Salt Typhoon—compromised several major U.S. Internet Service Providers (ISPs) by exploiting CALEA-mandated lawful intercept systems. The breach gained them access to sensitive metadata, unencrypted communications, and lawful wiretap channels. At the time, it was clear this was a serious breach of privacy and national security. Now we have clear evidence that it was just the first step.

According to a recent Department of Homeland Security (DHS) report obtained through a FOIA request and released by NBC News, Salt Typhoon went on to compromise the network of a U.S. state’s Army National Guard from March to December 2024, exfiltrating critical network configurations, administrative credentials, and inter-state data traffic from all 50 states and at least four U.S. territories. The report warns that this breach could hamstring U.S. states’ ability to defend critical infrastructure during a crisis, particularly if Salt Typhoon leveraged this information to pre-position itself across state-level cyber networks.

This is not an isolated attack. It is a coordinated campaign of escalation. It carries direct implications for critical infrastructure sectors that rely on state and federal cyber coordination, including gas, water, power, critical telecommunications, and transportation.

A Strategic Escalation, Not an Isolated Breach

The DHS report indicates that Salt Typhoon’s operations appear to follow a purposeful progression:

  • Phase 1: Surveillance and Positioning

Beginning in early 2023, this APT exploited multiple known vulnerabilities (CVEs)[1] across leased IP addresses to breach backbone telecom providers. By mid-2024, they had stolen over 1,400 configuration files from at least 70 U.S. government and infrastructure entities across 12 critical infrastructure sectors—including energy, water, communications, gas, and transportation.

  • Phase 2: Pivot into National Guard Network

From March to December 2024, Salt Typhoon used this knowledge to infiltrate a state’s Army National Guard network. What they took included:

    • Admin credentials;
    • Network diagrams;
    • Geographic maps of state operations;
    • PII of service members and cybersecurity staff; and
    • Data exchanged with National Guard units in every state and multiple territories.

  • Phase 3: [Anticipated] Fusion Center Targeting

In 14 U.S. states, Army National Guard units are embedded in state fusion centers—the nerve centers of interagency cyber response. These units augment their respective state’s cybersecurity defenses. Salt Typhoon operators now likely have insight into these centers’ configurations, communications flows, staffing, and locations. It is not a large leap to deduce that this is the likely next (or current) target that Salt Typhoon has set its sights on.

This is not simply network espionage. It is highly likely that this is preparatory targeting for future disruption, which clearly aligns with the historical pattern of attacks from Chinese-sponsored APTs including Salt Typhoon, Volt Typhoon, Evasive Panda, and others.

Why This Matters to the Transportation Sector

While Salt Typhoon has not yet been reported directly targeting the trucking or logistics industry, the implications are serious:

  • Fusion Centers Support Emergency Freight Movement
    • In crisis response scenarios—hurricanes, ransomware attacks, or national emergencies—fusion centers (and related Army National Guard units) often help to direct fuel, secure routes, and safeguard transportation corridors.
    • If those coordination nodes are compromised, response delays or miscommunications could have real-world operational impacts.
  • Telemetry and Communication Risks
    • The earlier breach of telecom providers gave Salt Typhoon access to plaintext communications, metadata, and even wiretap channels. This had the potential to expose all manner of dispatch, telematics, or mobile communications used by transportation organizations that rely on unsecured cellular networks.
  • Configuration Theft Enables Further Network Intrusions
    • Stolen configuration files could allow attackers to identify vulnerable routers or edge devices used in commercial fleets, especially if these systems were deployed from standard templates or left with default configurations.

DHS Recommendations and Industry Response

The DHS report outlines critical priorities: all operators—civilian or military—should implement basic cyber hygiene principles such as:

  • Harden network segmentation and firewalls;
  • Encrypt data in transit and at rest;
  • Disable unnecessary services and apply least-privilege access;
  • Regularly rotate passwords and audit credential exposure; and
  • Track and secure all assets.
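As an added example that is not part of the article or the DHS report, the Python script below audits a network device configuration for the gaps described in the two passages above: the "standard template" risk in the configuration-theft bullet (default SNMP community strings, plaintext or reversibly encoded credentials) and the hygiene items in the DHS list (unnecessary services disabled, management access restricted, credentials handled properly). Both configurations are constructed in Cisco IOS-style syntax for illustration, and the rule names, hostnames, hash placeholders and the ACL name MGMT-ACL are this example's own assumptions, not values from any real device or from the report.

```python
"""Audit IOS-style configuration text for common hygiene gaps.

Added example; not code from the article, NMFTA or DHS. Sample configs are
constructed and the rule set is an assumption for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier (assumed naming, this example's own)
    detail: str  # human-readable explanation


# Constructed sample: a templated, never-hardened edge router.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password letmein
username admin password 7 00112233445566
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class MGMT-ACL in
 login local
"""

# Constructed sample: the same device after applying the hygiene items.
# Hash values are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$PLACEHOLDER$constructedhash
username admin secret 5 $1$PLACEHOLDER$constructedhash
no ip http server
snmp-server community Xk9-constructed-string RO MGMT-ACL
line vty 0 15
 transport input ssh
 access-class MGMT-ACL in
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def _vty_blocks(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Group 'line vty ...' headers with their indented sub-commands."""
    blocks: list[tuple[str, list[str]]] = []
    current: tuple[str, list[str]] | None = None
    for ln in lines:
        if ln.startswith("line vty"):
            current = (ln.strip(), [])
            blocks.append(current)
        elif current is not None and ln.startswith(" "):
            current[1].append(ln.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per hygiene gap detected in the config text."""
    lines = text.splitlines()
    findings: list[Finding] = []

    if "no service password-encryption" in lines:
        findings.append(Finding("plaintext-passwords",
                                "service password-encryption is disabled"))
    for ln in lines:
        if re.match(r"enable password ", ln):
            findings.append(Finding("weak-enable",
                                    "use 'enable secret' (hashed), not 'enable password'"))
        m = re.match(r"username (\S+) password 7 ", ln)
        if m:  # type 7 is a reversible encoding, not a hash
            findings.append(Finding("reversible-credential",
                                    f"user {m.group(1)} uses type 7 encoding; rotate and use 'secret'"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("default-snmp-community",
                                    f"community '{m.group(1)}' ({m.group(2)}) is a well-known default"))
        if ln.strip() == "ip http server":
            findings.append(Finding("unnecessary-service",
                                    "HTTP management server enabled; disable if unused"))

    for name, body in _vty_blocks(lines):
        transports = [b for b in body if b.startswith("transport input")]
        if any("telnet" in t for t in transports):
            findings.append(Finding("cleartext-management", f"{name}: telnet permitted"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(Finding("unrestricted-management",
                                    f"{name}: no access-class limiting management sources"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.rule}] {f.detail}")
```

Run against the constructed sample, the audit reports eight findings (plaintext password storage, a plaintext enable password, one reversibly encoded user credential, two default SNMP communities, the HTTP server, telnet on `line vty 0 4`, and no access-class on that same line range), and zero against the hardened version. The same block-parsing approach extends to other line-oriented device configs; what changes is the rule set, which should be driven by the organization's own baseline rather than this example's assumed list.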

These practices are not just good cybersecurity hygiene—they are foundational to ensuring operational resilience. The NMFTA’s Cybersecurity Best Practices Guidebook series contains additional guidance that transportation cybersecurity professionals should implement to further secure their operations against these types of sophisticated and persistent threats.

Final Thoughts

Salt Typhoon’s campaign illustrates that their targeting aperture is not limited to national-level infrastructure or federal entities. State-level networks are clearly fair game in global cyber operations. These networks are no longer peripheral; they are entry points into the systems that we depend on to respond to cyberattacks, move goods, deliver water and electricity, and maintain continuity of operations across the nation.

Let’s be clear: The same adversary that targeted the telecom backbone infrastructure in both the U.S. and Canada has now been shown to have also targeted the systems designed to defend our communities.

But we are not helpless.

We have the knowledge, the tools, and the operational maturity to make it harder for our adversaries to move freely. This means closing off unnecessary access points, keeping a clear record of what connects to what (and who can access what), and refusing to rely on outdated assumptions about who might be in the crosshairs of nation-state backed APTs.

Strong, well-managed systems and a security-aware workforce are our best defense. If we work together, across industries and agencies, we can make sure the next intrusion attempts hit a wall instead of a window. The call to act is now, not after you are the victim of a cyber event.

To dive more into this topic and to connect with like-minded peers, attend NMFTA’s Cybersecurity Conference set for October 26-28 in Austin, TX. Meet our fleet speakers and reserve your space today: www.nmftacyber.com.


[1] https://nvd.nist.gov/vuln/detail/cve-2023-20198 and https://nvd.nist.gov/vuln/detail/cve-2023-20273

Ben Wilkens

Ben Wilkens, CISSP, CCSP, CISM, is a Cybersecurity Principal Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™. He leads research initiatives and teams focused on developing advanced cybersecurity technologies, strategies, and methodologies to protect information systems and networks. Ben works closely with academic institutions, industry partners, and government agencies to advance cybersecurity practices and provides expert guidance to organizations navigating the ever-changing cyber threat landscape.

Before joining NMFTA, Ben was a key executive at a family-owned trucking and logistics company, where he integrated technology to enhance operations while maintaining robust cybersecurity standards. With CISSP and CISM certifications, an active Class A CDL, and hands-on experience as an over-the-road driver, dispatcher, and IT specialist, Ben brings a unique perspective to the intersection of cybersecurity and transportation.