The Federal Bureau of Investigation (FBI) communicated to Congress that a recent cyber intrusion into one of its internal surveillance systems has formally been classified as a “major incident” under federal data security law. This cybersecurity incident represents one of the most serious breach classifications available under current federal statute and indicates that sensitive FBI law enforcement data may have been substantially compromised.
The Targeted System
The system at the center of the breach is reported to be DCS-3000 (known as Red Hook), an unclassified component of the FBI’s Digital Collection System Network (DCSNet), the bureau’s internal infrastructure used to manage court-authorized wiretaps and foreign intelligence surveillance requests. The system processes pen register and trap-and-trace surveillance operations, which law enforcement uses to monitor calls made to or from a specific phone or websites visited by an internet-connected device. While these tools do not capture the content of communications, they collect call metadata, including numbers dialed, routing data, and the identities of individuals under active FBI investigation.
The potential counterintelligence consequences are considerable: this data is of significant value to foreign intelligence services because it can reveal the identities of individuals under active federal surveillance and the scope of that surveillance. If adversaries accessed the system’s target list, they could potentially identify which of their own operatives or assets the bureau was actively monitoring.
Attribution, Access and Broader Context
The FBI’s notice to Congress stated that unspecified hackers appeared to gain access by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which the bureau described as a reflection of the group’s “sophisticated tactics.” This method of access is consistent with previously documented Chinese cyber operations, in which threat actors have used commercial telecommunications providers as a springboard into federal networks or to access sensitive national security data.
No hacking group has been formally named in connection with this intrusion. However, investigators have focused attention on Salt Typhoon, a threat actor linked to China’s Ministry of State Security (MSS). Between 2019 and 2024, Salt Typhoon breached all three major U.S. cellular providers, siphoning call records from tens of millions of Americans and accessing FBI wiretap infrastructure in the process.
The FBI breach is separate from a recently reported Iranian-linked compromise of FBI Director Kash Patel’s personal emails. It is, however, the latest in a series of high-profile intrusions attributed to Chinese state-sponsored actors. Two Chinese hacking groups in particular have drawn sustained federal attention: Volt Typhoon, which has embedded itself inside critical U.S. infrastructure including ports, water facilities, and energy substations; and Salt Typhoon, whose telecommunications breaches enabled Chinese operatives to access FBI wiretap data and obtain unencrypted communications from senior U.S. officials, including then-presidential candidate Donald Trump.
Government Response
Under the Federal Information Security Modernization Act of 2014 (FISMA), a major incident declaration – considered a significant cyber incident – is also supposed to trigger an interagency cyber response mechanism, as “they are likely to result in demonstrable harm to the national security interests.” Congressional oversight committees are expected to receive classified briefings as part of the FISMA notification process. It remains unclear whether that mechanism has been formally activated or whether the intrusion has been fully contained.
The White House convened a meeting in early March that included senior officials from the FBI, the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA). The investigation is ongoing, with the FBI working alongside CISA and the NSA to assess the full extent of the compromise. The full scope of what was accessed or exfiltrated since the February 17 discovery of suspicious activity has not been publicly disclosed.
President Donald Trump is also scheduled to meet with Chinese President Xi Jinping on May 14 in Beijing, as the initial meeting planned for March had been postponed.