TL;DR: Salt Typhoon reportedly dwelled inside an Army National Guard network for nine months, exfiltrating personnel and mapping data while also intercepting communications with other Guard networks and US territories, according to Swarmnetics citing a DHS memo. Long dwell times in high-security environments show that detection, segmentation, and cross-network trust assumptions remain brittle under sustained state-sponsored pressure.
NHIMG editorial — based on content published by Swarmnetics covering the Salt Typhoon Army National Guard compromise: Salt Typhoon Chinese State-Sponsored Hackers Dwelled in an Army National Guard System for Nine Months
Questions worth separating out
Q: What breaks when an attacker lives inside a trusted network for months?
A: When an attacker remains inside a trusted network for months, the control model usually breaks before the attacker does.
Q: Why do connected defence networks increase the impact of one breach?
A: Connected defence networks increase impact because compromise in one enclave can expose routes, relationships, and communications into others.
Q: How do security teams know if identity-based segmentation is actually working?
A: Teams should test whether a compromised or simulated compromised host can reach anything beyond the minimum required set of services.
Practitioner guidance
- Harden east-west detection Instrument internal network monitoring for unusual authentication patterns, repeated access to mapping or personnel repositories, and anomalous cross-domain traffic between Guard-like enclaves and partner systems.
- Re-scope cross-network trust Inventory every persistent connection between trusted systems and require explicit re-validation for communications that cross state, territory, or mission boundaries.
- Reduce internal privilege persistence Review administrative and service access that can reach multiple systems, then remove standing privilege where the same identity can touch both operational and sensitive data stores.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- The DHS memo context and how reporters interpreted the reported dwell time across 2024.
- The wider Salt Typhoon campaign background, including prior intrusions into telecoms and ISPs.
- The specific communications and network impacts attributed to the National Guard compromise.
- The article's discussion of how China-linked hackers use contractors, zero-days, and unpatched vulnerabilities.
👉 Read Swarmnetics' analysis of the Salt Typhoon Army National Guard compromise →
Salt Typhoon in the Army Guard network: what did defenders miss?
Explore further
Long dwell time is a governance failure, not just a detection miss. When an attacker can remain inside a defence network for most of a year, the problem extends beyond alerting thresholds and into trust design, access scoping, and response ownership. The incident suggests that internal identities and connections were allowed to remain more trustworthy than they should have been. Practitioners should treat dwell time as evidence that the control model failed to force re-validation inside the environment.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when a defence network compromise spreads across connected systems?
A: Accountability sits with the owners of the systems that share trust, not just the team that first detects the intrusion. When a breach spreads across connected systems, security, network, identity, and mission owners all share responsibility for the trust paths that made movement possible. Governance should define who can revoke links, who can isolate enclaves, and who owns recovery decisions.
👉 Read our full editorial: Salt Typhoon's Army Guard dwell time exposes national security gaps