The FBI last week deemed a recent China-linked cyber intrusion into a sensitive agency surveillance system a “major incident,” meaning it poses a significant risk to U.S. national security, according to a congressional aide and two U.S. officials with knowledge of the matter.
The bureau first told Congress on March 4 that it was investigating suspicious activity on an internal agency system that contained “law enforcement sensitive information.” The FBI did not publicly say who was behind the activity at the time, but Politico previously reported that China was suspected.
The FBI determined that the intrusion met the definition of a major incident under the federal data security law known as FISMA, the three people said. Congress was informed of the decision earlier this week, according to the aide. This person, like others in this report, was granted anonymity because they were not authorized to speak publicly on the investigation.
The determination shows that hackers have successfully compromised massive amounts of sensitive data stored directly on FBI systems, potentially signaling a major counter-intelligence coup for China. FISMA requires agencies to report to lawmakers within seven days about any digital intrusion that is “likely to result in direct harm” to U.S. national security.
Cynthia Kaiser, former deputy assistant director of the FBI’s cyber division, said she was not aware of the FBI making any such decision on a hack affecting its own systems since at least 2020.
“The thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident each year,” Kaiser said.
An FBI spokesperson declined to comment on the determination, instead referring Politico to an earlier statement on the incident from early March: “The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.”
Under the guidelines set by FISMA, an intrusion may meet the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents a serious risk to the national security, foreign relations, public trust, or civil liberties of Americans.
It is unclear what findings prompted the FBI’s determination.
In a March notice to Congress seen by Politico, the FBI told lawmakers that unspecified hackers appear to have broken into an agency system by “leveraging the vendor infrastructure of a commercial Internet service provider,” which it called a reflection of the group’s “sophisticated tactics.”
The notice also said the “affected” systems included “returns from legal process, such as pen registers and trap and trace surveillance returns, and personally identifiable information related to the subjects of an FBI investigation.”
Pen registers and trap and trace devices allow law enforcement to monitor calls made to or from a specific phone, or websites visited by an Internet-connected device. Although these devices do not record the content of those communications, the information captured is valuable to foreign intelligence services or organized criminal groups because it can reveal targets of FBI surveillance or criminal investigations.
The breach of FBI surveillance systems does not appear to be linked to the recent Iran-related compromise of FBI Director Kash Patel’s personal emails. It’s the latest sign that Chinese hackers have advanced to the point where they are consistently able to break into some of the country’s most sensitive national security systems.
“This incident is another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away – in fact, it is becoming more aggressive by the day,” said Senator Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee.
When an agency declares a major incident under FISMA, the declaration is also considered to trigger an interagency cyber response mechanism. It is unclear whether this has happened or whether the hack has been contained.
Separate spokespeople for the White House and the Cybersecurity and Infrastructure Security Agency referred Politico to the FBI for comment. The NSA did not respond to requests for comment.
The White House hosted a meeting about the breach in early March that included officials from the FBI, NSA and CISA, according to the first US official and the third US official with knowledge of the meeting.
Chinese hackers have previously targeted commercial communications providers to penetrate federal networks or access sensitive national security data.
A Chinese hacking group called Volt Typhoon has penetrated deep inside critical infrastructure including ports, water facilities and energy substations across the United States – while another group called Salt Typhoon has broken into some of the country’s largest telecommunications providers. In the latter hack, first exposed in late 2024, Chinese hackers were able to steal the call records of millions of Americans, view FBI wiretap data, and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
The first US official said he believed the FBI had taken prompt action to resolve the incident. But he said it was “shameful” for the bureau to be breached by the same hackers it is supposed to be overseeing.
“This is just a reminder that any unpatched vulnerability or any architectural weakness can be exploited by an adversary of this capability,” the person said, referring to Chinese state hackers.
