What the FBI disclosed
The FBI has formally labeled a suspected Chinese breach of one of its surveillance-related systems a major cyber incident, a designation that signals the agency believes the intrusion may have caused serious harm to U.S. national security.
Under the Federal Information Security Modernization Act, or FISMA, agencies must notify lawmakers within seven days when they determine a digital intrusion is likely to cause “demonstrable harm” to national security. That threshold is not exactly casual. It is also, as former FBI cyber official Cynthia Kaiser noted, not one agencies reach very often.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” said Kaiser, who formerly served as the FBI’s deputy assistant director for cyber.
Kaiser said she was not aware of the FBI making a similar determination about a breach affecting its own systems since at least 2020.
An FBI spokesperson declined to discuss the declaration and instead pointed to an earlier statement from March: “FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.”
What was hit
FISMA guidance says an intrusion can qualify as a major incident if it involves the theft or compromise of personally identifiable information, or if it poses serious risks to Americans’ national security, foreign relations, public confidence or civil liberties.
It is still unclear what specific finding pushed the FBI over that line.
In a March notice to Congress reviewed by POLITICO, the bureau said unidentified hackers appeared to have entered an FBI system by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which the agency described as evidence of the group’s “sophisticated tactics.”
That same notice said the affected system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”
Pen register and trap and trace tools let law enforcement monitor calls to and from a particular phone, or websites visited by an internet-connected device. They do not capture the content of the communication, which is a small comfort if you are one of the people being watched. The data they do collect can still be highly useful to foreign intelligence services or criminal groups because it can reveal who the FBI is watching and why.
Why this matters
The breach does not appear to be connected to a separate Iranian-linked compromise of FBI Director Kash Patel’s personal email account. Instead, it looks like another sign that Chinese hackers have reached a level where they can repeatedly penetrate some of the most sensitive parts of the U.S. national security apparatus.
Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said the episode underscores the scale of the threat.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away - in fact, it’s growing more aggressive by the day,” Warner said.
When an agency declares a major incident under FISMA, it is also supposed to trigger an interagency cyber response mechanism. Whether that happened here, or whether the hack has now been contained, remains unclear.
The White House and the Cybersecurity and Infrastructure Security Agency both declined to address the matter directly and referred questions to the FBI. The National Security Agency did not respond to requests for comment.
According to two U.S. officials familiar with the matter, the White House held a meeting in early March about the breach with officials from the FBI, NSA and CISA.
Part of a broader pattern
Chinese hackers have long targeted communications providers as a way into federal networks or as a route to sensitive national security data.
One group known as Volt Typhoon has quietly embedded itself in critical infrastructure across the United States, including ports, water facilities and energy substations. Another group, Salt Typhoon, has breached some of the country’s largest telecom companies.
In the Salt Typhoon case, first exposed in late 2024, Chinese hackers were able to siphon call records from millions of Americans, view FBI wiretap data and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
A U.S. official said they believed the FBI moved quickly to address the latest incident. Still, that did not make it less awkward for the bureau to be breached by the same hackers it is supposed to be tracking.
“This is just a reminder that any unpatched vulnerability or any architectural weakness is going to be exploited by an adversary of this caliber,” the official said, referring to Chinese state hackers.