A China-linked intrusion into an FBI surveillance system, first reported in early March, has been upgraded to a major incident under the Federal Information Security Modernization Act (FISMA), and the bureau formally notified Congress this week. A FISMA major incident is the most serious designation available under the statute, and it signals that the breach poses demonstrable risk to national security.
The breach predates the Iran-linked Handala Hack compromise of FBI Director Kash Patel’s personal email account on March 27, underscoring that the bureau has faced intrusions from multiple nation-state actors within a matter of weeks.
The FBI first detected abnormal activity on February 17 and publicly acknowledged the investigation on March 6, confirming only that it had identified and addressed suspicious activity on its networks. The fuller picture emerged this week when sources confirmed that the bureau's formal FISMA major incident designation had been communicated to Congress, revealing the scope of the compromised data and confirming that the attackers gained access through a third-party internet service provider.
The compromised system stored data from pen register and trap and trace surveillance operations, tools that capture metadata on who FBI investigation targets are communicating with rather than the content of those communications. Phone numbers of surveillance targets and personally identifiable information tied to subjects of FBI investigations were exposed.
How They Got In
According to the FBI's notice to Congress, the attackers gained access by leveraging a commercial internet service provider's vendor infrastructure, a method the bureau described as consistent with the actor's sophisticated tactics. No specific Chinese threat group has been formally named, though investigators have focused attention on Salt Typhoon, the actor linked to China's Ministry of State Security that breached the three major US cellular carriers between 2019 and 2024 and previously accessed FBI wiretap infrastructure through telecommunications networks. The intrusion method fits Salt Typhoon's documented playbook of using commercial telecoms as a springboard into federal systems.
The breach was isolated to an unclassified system in the FBI's Virgin Islands offices, not FBI headquarters. The FBI says it quickly used its technical capabilities to remediate the incident, though it remains unclear whether the interagency cyber response mechanism required under FISMA has been fully activated.
What the Exposure Means
The data exposed in this breach is particularly sensitive not because of its classification level but because of what it reveals operationally. Pen register and trap and trace data shows who the FBI is watching. Foreign intelligence services obtaining that information can identify active FBI investigation targets, tip them off, and potentially burn ongoing national security operations. The exposure of PII tied to subjects of FBI investigations compounds that risk.
House Homeland Security Committee Chairman Rep. Andrew Garbarino called the breach further evidence of China’s persistent targeting of US government systems through trusted third-party infrastructure, drawing a direct line to the Salt Typhoon telecommunications campaign. The White House, NSA, and CISA have all joined the investigation.