The FBI last week deemed a recent, China-linked cyber intrusion into a sensitive agency surveillance system a “major incident,” meaning it poses significant risks to U.S. national security, according to one congressional aide and two U.S. officials with knowledge of the matter.
The bureau first told Congress on March 4 that it was investigating suspicious activity on an internal agency system that contained “law enforcement sensitive information.” The FBI did not publicly identify who was behind the activity at the time, but POLITICO previously reported that China is suspected.
The FBI determined the intrusion meets the definition of a major incident under a federal data security statute known as FISMA, said the three people. Congress was informed of the decision earlier this week, according to the aide. This person, like others in this report, was granted anonymity because they were not authorized to speak publicly on the investigation.
The determination suggests the hackers successfully compromised swathes of sensitive data stored directly on FBI systems, likely marking a major counterintelligence coup for China. FISMA requires agencies to tell lawmakers within seven days about any digital intrusion it has determined is “likely to result in demonstrable harm” to U.S. national security.
Cynthia Kaiser, the former deputy assistant director of the FBI’s cyber division, said she is not aware of the FBI making any such determination on a hack affecting its own systems since at least 2020.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” Kaiser said.
The FBI did not respond to a request for comment.
Under guidelines set by FISMA, an intrusion can meet the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents acute risks to the national security, foreign relations, public confidence or civil liberties of Americans.
It is not clear what finding triggered the FBI determination.
In the March notice to Congress viewed by POLITICO, the FBI told lawmakers that unspecified hackers appeared to break into an agency system by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which it described as a reflection of the group’s “sophisticated tactics.”
The notice also said the “affected” system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”
Pen register and trap and trace devices allow law enforcement to monitor calls made to or from a specific phone, or websites visited by an internet-connected device. While these tools do not record the content of those communications, the information captured is valuable to foreign intelligence services or organized criminal groups because it could reveal the targets of FBI surveillance or criminal probes.
The breach of the FBI surveillance system does not appear to be connected to a recent Iranian-linked compromise of FBI Director Kash Patel’s personal emails. It is the latest sign that Chinese hackers have advanced to the point where they are consistently able to penetrate some of the country’s most sensitive national security systems.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” said Sen. Mark Warner (D-V.A.), the top Democrat on the Senate Intelligence Committee.
When an agency declares a major incident under FISMA, it is also supposed to trigger an interagency cyber response mechanism. It is unclear whether that has happened or if the hack has since been contained.
Separate spokespeople for the White House and the Cybersecurity and Infrastructure Security Agency referred to the FBI for comment. The NSA did not respond to requests for comment.
The White House hosted a meeting about the breach that included officials from the FBI, NSA and CISA in early March, according to the first U.S. official and a third U.S. official with knowledge of the meeting.
Chinese hackers have previously targeted commercial communications providers as a springboard into federal networks or to access sensitive national security data.
One Chinese hacking group dubbed Volt Typhoon has burrowed deep inside critical infrastructure across the United States — including ports, water facilities and energy substations — while a second group labeled Salt Typhoon has breached some of the country’s largest telecommunications providers. In the latter hack, first uncovered in late 2024, Chinese hackers were able to siphon off call records from millions of Americans, view FBI wiretap data and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
The first U.S. official said they believed the FBI had acted quickly to address the incident. But they noted it was “embarrassing” for the bureau to be breached by the same hackers it is supposed to be tracking.
“This is just a reminder that any unpatched vulnerability or any architectural weakness is going to be exploited by an adversary of this caliber,” said the person, referring to Chinese state hackers.
