By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SwarmneticsPublished July 23, 2025

TL;DR: Salt Typhoon reportedly dwelled inside an Army National Guard network for nine months, exfiltrating personnel and mapping data while also intercepting communications with other Guard networks and US territories, according to Swarmnetics citing a DHS memo. Long dwell times in high-security environments show that detection, segmentation, and cross-network trust assumptions remain brittle under sustained state-sponsored pressure.


At a glance

What this is: This is an analysis of Salt Typhoon's reported nine-month presence in an Army National Guard network and the resulting exposure of personnel data, maps, and communications links.

Why it matters: It matters because long-dwell compromise in a defence environment shows how identity, access, and trust boundaries can fail even when perimeter security appears strong.

👉 Read Swarmnetics' analysis of the Salt Typhoon Army National Guard compromise


Context

A long-dwell compromise is one where an intruder remains inside a network for months while blending into normal activity. In this case, the reported issue is not just intrusion, but the failure to detect lateral movement and communications interception across connected defence networks.

For IAM and PAM teams, the identity lesson is straightforward: once an attacker reaches trusted internal systems, standing access, weak segmentation, and over-broad trust between related networks can turn one foothold into a wider operational problem. The Guard case looks more like a monitoring and trust-boundary failure than a single-point compromise.


Key questions

Q: What breaks when an attacker lives inside a trusted network for months?

A: When an attacker remains inside a trusted network for months, the control model usually breaks before the attacker does. Internal trust, broad segmentation, and weak identity scoping let the intruder blend into normal operations, gather data, and pivot to adjacent systems. The real failure is not only detection delay. It is the inability to force re-verification once trust has already been extended.

Q: Why do connected defence networks increase the impact of one breach?

A: Connected defence networks increase impact because compromise in one enclave can expose routes, relationships, and communications into others. If trust is propagated across systems without continuous verification, one foothold becomes a relay point for collection and disruption. That is why segmentation and authenticated links must be treated as attack surfaces, not as proof of safety.

Q: How do security teams know if identity-based segmentation is actually working?

A: Teams should test whether a compromised or simulated compromised host can reach anything beyond the minimum required set of services. If lateral movement, management-plane access, or service-to-service discovery still succeeds, segmentation is too coarse. Effective segmentation shows up as denied pathways, reduced reachable surface, and a clear separation between user, management, and critical workloads.

Q: Who is accountable when a defence network compromise spreads across connected systems?

A: Accountability sits with the owners of the systems that share trust, not just the team that first detects the intrusion. When a breach spreads across connected systems, security, network, identity, and mission owners all share responsibility for the trust paths that made movement possible. Governance should define who can revoke links, who can isolate enclaves, and who owns recovery decisions.


Technical breakdown

How long-dwell intrusion persists inside trusted networks

A long-dwell intrusion succeeds when attackers can operate inside a network without tripping the signals defenders rely on for containment. The group described in the source appears to have blended reconnaissance, exfiltration, and communications interception into normal traffic patterns, which is why the compromise persisted for months. In environments that depend on trust between internal systems, this kind of activity is often missed until multiple assets are already affected. The technical problem is not only entry, but the absence of effective detection, segmentation, and identity-based restriction once internal access exists.

Practical implication: tighten internal detection around east-west movement and anomalous trust use, not just perimeter access.

Why communications trust becomes a second attack surface

The article shows that access to one state network was used to observe or intercept communications with other Guard networks and US territories. That pattern matters because connected environments often assume authenticated links are inherently safe, even when one endpoint is already compromised. Once traffic between trusted systems can be observed or influenced, the attacker gains situational awareness and can expand impact without needing new entry points. This is a classic trust-propagation problem, where the boundary is not the device but the relationship between systems.

Practical implication: review inter-network trust paths as attack surfaces and enforce stronger verification on cross-domain communications.

What exfiltration from defence systems reveals about access control

The reported theft of maps and personnel information suggests the attacker reached data and systems that should have been segmented by sensitivity and mission need. In practical terms, exfiltration at this level often reflects too much internal reach once a foothold is gained, rather than a single missing external control. Where privileged accounts, service identities, or administrative sessions are not tightly constrained, attackers can move from observation to collection quickly. The mechanism is simple: access is more valuable when it is reusable across multiple systems and data sets.

Practical implication: apply stronger least-privilege boundaries and session controls to internal users, admins, and service identities.


Threat narrative

Attacker objective: The objective appears to have been long-term espionage and positioning for broader disruption of defence communications and related infrastructure.

  1. Entry likely began with a foothold into an Army National Guard environment that was not detected for months, giving the attacker time to operate quietly inside trusted systems.
  2. Once inside, the threat actor leveraged internal access to observe communications, gather maps, and collect personnel information from connected systems.
  3. The impact extended beyond one state network because the compromise exposed communications with other Guard networks and US territories.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Long dwell time is a governance failure, not just a detection miss. When an attacker can remain inside a defence network for most of a year, the problem extends beyond alerting thresholds and into trust design, access scoping, and response ownership. The incident suggests that internal identities and connections were allowed to remain more trustworthy than they should have been. Practitioners should treat dwell time as evidence that the control model failed to force re-validation inside the environment.

Cross-network trust propagation is the real blast-radius issue. The report that communications with other Guard networks and US territories were intercepted shows how one compromised node can become a multiplier. That is a ZTA problem as much as a monitoring problem, because trust assumptions should shrink after compromise rather than expand. Practitioners should assume every connected enclave can become a relay point unless strong segmentation and continuous verification are in place.

Defence environments need identity controls for internal movement, not only external access. Once attackers are authenticated inside a network, the distinction between user, admin, and service access becomes the deciding factor in whether they can collect data and pivot. This is where IAM, PAM, and NHI governance intersect directly with national security operations. Practitioners should focus on internal privilege constraints, session boundaries, and cross-system trust reviews.

Salt Typhoon-style operations reward slow, quiet persistence over noisy exploitation. The campaign profile described in the article suggests a threat actor that can trade speed for durability, which makes traditional incident response timing too reactive. That shifts the practitioner question from whether an intrusion is blocked to whether it is confined before it becomes operationally useful. Practitioners should design for containment under assumed compromise, not just prevention.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a broader view of how identity governance gaps compound under real-world pressure, see Ultimate Guide to NHIs - 2025 Outlook and Predictions.

What this signals

Trust-boundary failure is the signal to watch. When one compromised enclave can still expose adjacent communications, defenders need to assume that internal trust is the attacker’s main accelerator. That makes segmentation, identity re-validation, and internal telemetry the practical control stack, not a secondary hardening exercise.

For programmes that already align to NIST SP 800-207 Zero Trust Architecture, the lesson is that zero trust must be enforced inside the mission network as aggressively as at the edge. If trust does not shrink after compromise, the architecture is not behaving like zero trust.

The broader identity implication is that human, service, and administrative identities should all be treated as movement controls, not just login credentials. Where internal privilege can persist across systems, attackers inherit the organisation’s own trust graph and use it as a routing layer.


For practitioners

  • Harden east-west detection Instrument internal network monitoring for unusual authentication patterns, repeated access to mapping or personnel repositories, and anomalous cross-domain traffic between Guard-like enclaves and partner systems.
  • Re-scope cross-network trust Inventory every persistent connection between trusted systems and require explicit re-validation for communications that cross state, territory, or mission boundaries.
  • Reduce internal privilege persistence Review administrative and service access that can reach multiple systems, then remove standing privilege where the same identity can touch both operational and sensitive data stores.
  • Test containment under assumed compromise Run exercises that start with an already-established foothold and measure how quickly teams isolate the first system, cut lateral paths, and preserve communications integrity.

Key takeaways

  • Salt Typhoon's reported Army Guard presence shows how long-dwell intrusions turn trust relationships into a force multiplier for espionage.
  • The exposure of personnel data, maps, and inter-network communications shows that one foothold can create a wider mission impact than the initial system suggests.
  • Strong internal segmentation, re-authentication at boundaries, and tighter privilege scoping are the controls most likely to contain this kind of compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , ExfiltrationThe article describes sustained access, movement across connected systems, and data theft.
NIST CSF 2.0PR.AC-4Identity and access restrictions are central to limiting internal spread across trusted systems.
NIST SP 800-53 Rev 5AC-6Least privilege is directly implicated by the reported ability to pivot and collect sensitive data.
NIST Zero Trust (SP 800-207)The incident shows why internal trust must be continuously verified across connected environments.

Review internal access boundaries and revalidation controls wherever one compromise can reach multiple enclaves.


Key terms

  • Long-dwell intrusion: A long-dwell intrusion is an attack in which the adversary remains inside an environment for an extended period before being contained. The danger is less about one-time access and more about the attacker learning the network, blending into normal activity, and using trusted pathways to expand reach.
  • Cross-network trust propagation: Cross-network trust propagation happens when trust granted to one system or enclave effectively extends to others connected through authenticated links or operational dependencies. If one trusted node is compromised, the attacker may inherit visibility or access across otherwise separate environments.
  • Internal segmentation: Internal segmentation is the practice of separating systems, data, and trust zones inside the network so compromise in one area does not automatically expose another. It is not just a routing design, but an access-control and monitoring strategy that limits blast radius after initial intrusion.

What's in the full analysis

Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:

  • The DHS memo context and how reporters interpreted the reported dwell time across 2024.
  • The wider Salt Typhoon campaign background, including prior intrusions into telecoms and ISPs.
  • The specific communications and network impacts attributed to the National Guard compromise.
  • The article's discussion of how China-linked hackers use contractors, zero-days, and unpatched vulnerabilities.

👉 Swarmnetics' full post covers the reported dwell time, cross-network interception, and broader campaign context.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and agentic AI identity. It helps identity and security practitioners build the control language needed to govern privileged access and machine-to-machine trust.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org