The FBI has declared a suspected Chinese cyberattack on its internal surveillance management system a 'major incident' under federal law, the most serious cybersecurity designation available, after hackers accessed data from active law enforcement investigations.

The breach, first detected on 17 February 2026 when FBI analysts noticed abnormal log activity, targeted an unclassified internal network containing call metadata, surveillance returns, and the personal details of people under active FBI investigation.

The bureau alerted Congress in early March and confirmed the incident publicly in a statement to TechCrunch, saying it had 'identified and addressed suspicious activities on FBI networks.' By 1 April 2026, Politico reported that the FBI had formally classified the intrusion as a 'major incident' under the Federal Information Security Modernization Act (FISMA), a threshold that triggers mandatory congressional notification within seven days.

What Was Compromised Inside the FBI's Surveillance Network

The targeted system is an internal, unclassified network used to manage court-authorised surveillance operations, including those conducted under the Foreign Intelligence Surveillance Act (FISA). Multiple specialist outlets, including Aardwolf Security and Fliegerfaust, identify it as the Digital Collection System Network (DCS-3000), sometimes referred to internally as Red Hook. That identification has not been officially confirmed by the FBI or Department of Justice.

The FBI's own congressional notification, reviewed by Politico, described what the compromised system holds in precise terms. The notice states: 'The affected system is unclassified and contains law enforcement sensitive information, including returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.'

Pen registers and trap-and-trace devices are tools used by law enforcement to capture call metadata. A pen register logs the phone numbers dialled from a monitored line; a trap-and-trace device records which numbers contact that line. Together, they map the entire communication network of anyone under FBI surveillance. The significance of an adversary obtaining this data is that it reveals not just what the FBI knows, but precisely who the bureau is watching.

Although no interception of actual call content has been confirmed, CPO Magazine notes that the breach of metadata alone could allow a foreign intelligence service to identify undercover assets, expose ongoing criminal investigations, and reveal which of their own operatives the FBI has compromised.

According to The Register, the FBI's notification to Congress specifically stated the hackers used 'sophisticated techniques' and exploited the infrastructure of a commercial internet service provider (ISP) vendor to gain entry, bypassing the bureau's own perimeter defences entirely.

The FISMA 'Major Incident' Designation and What It Signals

A FISMA 'major incident' is a formal federal classification, not a casual description. FISMA requires any federal agency to notify Congress within seven days of determining that a breach is 'likely to result in demonstrable harm' to US national security, foreign relations, public confidence, or civil liberties.

Cynthia Kaiser, the former deputy assistant director of the FBI's cyber division, told Politico that the designation is rarely applied to the bureau's own systems. 'Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,' Kaiser said. She added that she is not aware of the FBI making such a determination on a hack affecting its own networks since at least 2020.

Under FISMA's guidelines, an intrusion meets the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents acute risks to national security. The FBI's determination, reported by Politico on 1 April 2026, suggests the bureau concluded both conditions had been met, indicating the hackers successfully extracted or accessed swathes of data held directly on bureau systems.

The formal declaration carries immediate consequences. It obliges the FBI to brief relevant congressional oversight committees, produce a remediation plan, and submit to scrutiny from the Office of Management and Budget. It also raises the political temperature around the incident significantly, given that the bureau is simultaneously grappling with internal staff reductions and a proposed budget cut of approximately £385 million ($500 million) that critics argue has weakened the very cyber defences now under attack.

Salt Typhoon's Shadow and the Pattern of Chinese Surveillance Targeting

Investigators have not formally named the threat actor responsible for the FBI breach. However, the methods described in the congressional notification closely resemble those used by Salt Typhoon, the advanced persistent threat group linked to China's Ministry of State Security.

Salt Typhoon came to widespread public attention in 2024, when it was revealed to have breached nine major US telecommunications companies, including AT&T, Verizon, and Lumen Technologies. That campaign, described by US officials as the worst telecom hack in American history, gave the group access to call records covering a substantial portion of the US population and allowed it to intercept communications from senior government officials, Trump campaign staffers, and Biden administration personnel. The group also accessed wiretap systems held by those telecoms, according to reporting by CNN.

As Politico noted in its initial coverage, the current FBI breach 'bears some resemblance to the sweeping campaign carried out against global telecommunications systems in 2024' by Salt Typhoon, and Democratic lawmakers as well as some FBI officials had previously warned that telcos had never fully evicted the group from their networks. Ross Filipek, chief information security officer at Corsica Technologies, told Cybernews that if Salt Typhoon's involvement is confirmed, 'the impact could extend beyond a single incident into a sustained counterintelligence problem.'

The FBI breach is the second major hack of US law enforcement data under the current administration. In mid-2025, suspected Russian-linked hackers breached the case management system used by federal judicial districts, accessing sensitive data and reportedly attempting to alter court records in cases involving Russian government suspects. In March 2026 alone, the FBI faced three separate cybersecurity incidents: the surveillance network breach, a disclosure that a 2023 hack of the bureau's New York field office had exposed files from the Jeffrey Epstein investigation, and a breach of FBI Director Kash Patel's personal email, according to the Fliegerfaust breach timeline.

The investigation remains active, and as of 2 April 2026, no formal public attribution to a named threat actor has been issued by the FBI, CISA, or the White House.