FBI Declares ‘Major Cyber Incident’ After China-Linked Hackers Breach Surveillance System

Something was wrong on February 17. FBI cybersecurity teams flagged suspicious activity on an internal network, an unclassified system that most Americans have never heard of but that sits at the center of how federal law enforcement monitors its highest-priority targets. For weeks, bureau officials worked behind closed doors to assess what had happened. By early March, they had seen enough to alert Congress. And by late March, they had concluded something few inside the bureau wanted to hear.
A China-linked cyber intrusion had breached FBI surveillance infrastructure. And it was severe enough to warrant one of the most serious classifications available under federal data security law.
Beijing’s Digital Fingerprints on FBI Networks
FBI officials notified Congress last week that the breach now qualifies as a “major incident” under the Federal Information Security Modernization Act of 2014, known as FISMA. According to one congressional aide and two U.S. officials with knowledge of the matter, the intrusion poses serious risks to national security. Fox News reported the hack targeted FBI systems in the U.S. Virgin Islands, not bureau headquarters in Washington.
FISMA mandates that federal agencies inform lawmakers within seven days of determining that a cyber intrusion will likely result in demonstrable harm to national security. Bureau officials first contacted Congress on March 4, reporting suspicious activity on an internal system containing law enforcement-sensitive information. At that point, investigators had not publicly named a culprit, though China was suspected from the start. Weeks later, the FBI elevated the breach to major incident status, triggering mandatory congressional briefings and interagency response protocols.
Cynthia Kaiser, former deputy assistant director of the FBI’s Cyber Division, put the designation in sharp relief. “Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” Kaiser said. She added that, to the best of her knowledge, the bureau has not made such a determination on a hack affecting its own networks since at least 2020.
Inside Red Hook

What did the hackers access? Multiple specialist outlets, including Aardwolf Security and Fliegerfaust, identify the compromised system as an unclassified component of the FBI’s Digital Collection System Network (DCSNet), specifically DCS-3000, a subsystem referred to internally as Red Hook. Neither the FBI nor the Department of Justice has confirmed that identification.
Red Hook processes pen register and trap-and-trace surveillance operations, tools that allow federal investigators to monitor calls made to or from a specific phone or track websites visited by an internet-connected device. While these instruments do not capture actual call content, they collect metadata with enormous intelligence value. Dialed numbers, routing data, and the identities of individuals under active FBI investigation all reside within the system.
For a foreign intelligence service, that metadata functions as a counterintelligence goldmine. Access to a target list would reveal which operatives or assets the bureau was watching, allowing an adversary to warn its own agents, alter communication patterns, or feed disinformation back through compromised channels.
According to the FBI’s congressional notice, the affected system contained returns from legal process, including pen register and trap-and-trace surveillance returns, as well as personally identifiable information about subjects of FBI investigations.
How Hackers Slipped Through

Attackers did not brute-force their way through FBI firewalls. Instead, they exploited a commercial Internet Service Provider’s vendor infrastructure, using a third-party telecom provider as a springboard into federal networks. In its notice to lawmakers, the bureau described the approach as a reflection of advanced operational skill.
Piggybacking off commercial telecom infrastructure has become a hallmark of Chinese state-sponsored cyber campaigns. Between 2019 and 2024, a threat actor known as Salt Typhoon used similar methods to penetrate all three major U.S. cellular carriers, siphoning call records from tens of millions of Americans and accessing FBI wiretap infrastructure in the process. No hacking group has been named in connection with the current intrusion, but investigators have focused attention on Salt Typhoon given the overlapping tactics and infrastructure.
U.S. intelligence agencies have linked Salt Typhoon to China’s Ministry of State Security (MSS). Its 2024 telecommunications campaign ranks among the largest intelligence compromises in American history, having breached at least eight domestic telecom and internet service providers and dozens more worldwide. Operatives obtained unencrypted communications from senior U.S. officials, including then-presidential candidate Donald Trump.
On February 19, just two days after the FBI detected suspicious activity on its own network, the bureau’s deputy assistant director for cyber intelligence told a cybersecurity conference that threats from Salt Typhoon and other Chinese espionage groups remain active and ongoing.
A Pattern Too Large to Dismiss

Salt Typhoon is not operating in isolation. A separate Chinese hacking group, Volt Typhoon, has burrowed into American critical infrastructure, from ports and water facilities to energy substations. Together, these campaigns represent a sustained, multi-front cyber offensive by Beijing that stretches well beyond traditional espionage into the physical systems that keep the country running.
Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, responded to news of the FBI breach with a pointed warning. “This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” Warner said.
One unnamed U.S. official offered a blunter assessment, speaking about Chinese state hackers. “This is just a reminder that any unpatched vulnerability or any architectural weakness is going to be exploited by an adversary of this caliber,” the official said. That same official noted the FBI had acted fast to address the incident but acknowledged it was “embarrassing” for the bureau to be compromised by the very hackers it is supposed to be tracking.
An Iranian Wrinkle
While China dominated the cybersecurity headlines, a separate and unrelated threat was closing in on FBI leadership. On March 27, Iran-linked hacking group Handala claimed to have breached FBI Director Kash Patel’s personal email account, publishing several images of the director and documents allegedly taken from his inbox. Most emails dated from 2012 to 2014, though at least one appeared to be from 2022.
In a statement, the FBI confirmed the agency was aware of malicious actors targeting Patel’s personal email information and had taken steps to mitigate potential risks. Bureau officials stressed that the compromised material was historical in nature and contained no government information.
Handala’s operations have extended well beyond Patel. DOJ officials confirmed the group was responsible for a devastating hack of Michigan-based medical device manufacturer Stryker, an attack that wiped roughly 200,000 devices and exfiltrated large quantities of data. Justice Department prosecutors have tied Handala operatives to Iran’s Ministry of State Security and posted a $10 million bounty for information leading to their identification.
Handala also claimed to have stolen the names and personal details of two dozen Lockheed Martin employees, though the defense contractor said it found no evidence of any impact to its systems or data. Iran’s cyber aggression continues even as the Iran war stretches into its second month, and even after Israeli Defense Forces struck Iran’s cyber warfare headquarters and intelligence directorate earlier in March.
White House Mobilizes a Response

By early March, the scope of the surveillance system breach had reached the highest levels of government. Senior White House officials convened a meeting that brought together representatives from the FBI, National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) to coordinate a response.
Under FISMA, a major incident declaration should trigger a formal interagency cyber response mechanism. Whether that mechanism has been fully activated remains unclear. Equally uncertain is whether investigators have contained the intrusion. In its only public statement, the FBI said it had identified and addressed suspicious activities on its networks and was using all available technical capabilities to respond.
Congressional oversight committees now expect classified briefings as part of the FISMA notification process. A remediation plan must be submitted, and the Office of Management and Budget will review the bureau’s handling of the incident.
All of this unfolds against a backdrop of considerable institutional strain. Reports indicate the FBI is managing proposed budget cuts of approximately $500 million and internal staff reductions at the same time, conditions that cybersecurity experts warn could hamper the bureau’s ability to defend its own networks going forward.
Diplomacy Meets Cyber Warfare
Timing has never been kind to U.S.-China relations, and this breach is no exception. Director Patel traveled to Beijing earlier this year to press Chinese officials on fentanyl precursor chemicals flowing to South and Central America. President Trump is now scheduled to meet Chinese President Xi Jinping on May 14-15 in Beijing, a summit originally planned for late March but postponed because of the U.S.-Israel military operation against Iran.
A cybersecurity breach of this magnitude will almost certainly shadow the diplomatic agenda. For decades, Washington and Beijing have engaged in a careful dance around cyber espionage, with each side publicly condemning the other’s operations while quietly accepting them as an inevitable feature of great power competition. But an intrusion into the FBI’s own surveillance systems crosses a threshold that even the most cautious diplomats will find difficult to ignore.
Former FBI Director Chris Wray once noted that bureau agents opened a new counterintelligence case involving China roughly every 12 hours. Under Director Patel, that pace shows no sign of slowing. If anything, the latest breach confirms that Beijing’s cyber capabilities continue to outpace many of the defenses designed to stop them.
How much of that reality President Trump raises during his May summit remains an open question, one that carries implications far beyond a single hacked server in the U.S. Virgin Islands.
