Chinese Hackers Accused of Security Breach Involving FBI Surveillance Systems

Surveillance systems used by the FBI for lawful foreign intelligence interception orders suffered a security breach recently, and investigators believe state-backed Chinese hackers are the culprits based on recent patterns of “suspicious activity.”

Inside sources have told media outlets that the investigation is in its early stages and that the full severity and scope remain unknown. The security breach was reportedly first noticed on February 17, and the White House, the National Security Agency, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are all involved in the investigation along with the FBI.

“Unclassified” FBI surveillance system contained information about investigation subjects’ communications

The inside sources provided a copy of a notification sent by the FBI to Congress as verification of the security breach and investigation. It makes clear that the hackers targeted an unclassified system related to the foreign intelligence surveillance systems used by the FBI during lawful investigations of suspects. It does not state that the hackers had access to any surveillance target communications, but it does list some of the materials the system contains, such as pen register and trap-and-trace surveillance returns (which record call metadata rather than call content). It does specify that personally identifiable information of some persons under investigation was present on the surveillance systems.

Even if it does not involve interception of communications, the breach of the surveillance systems is highly concerning, as it could help foreign adversaries identify subjects under investigation. This essentially tells them which of their spies have been identified and potentially compromised.

The memo also contains some information about how the security breach occurred. It states that the hackers used sophisticated techniques and leveraged a commercial internet service provider vendor’s infrastructure to breach the surveillance systems, something both Chinese and Russian state-backed threat actors are notorious for doing. It is unclear at this point, however, which of the numerous Chinese hacking groups may have been involved, or whether there is any connection to the previous “Salt Typhoon” campaign that targeted US telcos to gain access to law enforcement wiretap systems.

Cybersecurity breaches at the FBI are not usually disclosed to the public, and tend to become public knowledge only if sensitive information is accessed. One recent example is a 2023 breach of the FBI’s New York field office dedicated to the investigation of child exploitation, which reportedly contained materials from the Jeffrey Epstein investigation.

Second big federal law enforcement security breach of current Trump term

The security breach of the FBI surveillance systems is the second major incident of the second Trump term to involve federal law enforcement. In mid-2025, suspected Russian state-backed hackers breached the case management system used by federal judicial districts. These hackers not only accessed sensitive data, but also attempted to alter court dockets for cases involving figures from Russia and other Eastern European nations. The incident brought attention to outdated code and components in these systems, some dating back to the 1990s, and has triggered proposals for both a cybersecurity modernization plan and a Senate and House Judiciary Committee investigation.

Some have pointed the finger for these recent cyber disruptions at sweeping changes and budget cuts implemented by the current administration, particularly involving CISA. Steve Cobb, Chief Information Security Officer at SecurityScorecard, notes that this is not necessarily unique to this administration, but is rather a regular feature of total changeovers between administrations and political parties with very different priorities: “The suspicious cyber activity detected within FBI networks highlights the persistent threat facing government systems. These environments often contain highly valuable intelligence and operational data, making them attractive targets for sophisticated cyber actors seeking long-term access or strategic insight. Federal networks often operate in complex environments with large teams, evolving responsibilities, and interconnected technologies.”

“During periods of leadership transition or organizational turnover, maintaining clear visibility across systems becomes even more important. Continuous monitoring and real-time threat detection help ensure agencies can quickly identify unusual activity and respond before it escalates. For high-value government networks, maintaining that level of oversight around the clock is essential to strengthening resilience against persistent cyber threats,” added Cobb.

While a specific team of Chinese hackers has not yet been named, suspicion for the surveillance systems breach naturally turns to Salt Typhoon. The elite threat actor, which is thought to be directly supported by the Chinese Ministry of State Security, has long prioritized penetrating telco infrastructure and gathering call record metadata. While not as damaging as directly intercepting communications, this metadata helps to identify both where a target is physically located over time and who they are calling. One common use for this information is to provide intelligence for breaking into high-value corporate and government networks; another is to identify undercover law enforcement assets that may be working to expose their spies. The US government has also warned that the Salt Typhoon campaign, which was active between 2019 and 2024, likely swept up the metadata of nearly every adult resident of the US, as the group breached all three of the major cellular phone service providers (as well as numerous smaller and more regional ISPs).

Salt Typhoon is most famous for its prolonged campaign against the telcos, but it targets a broad range of both government and private organizations. It has also been observed breaching the US Treasury, US Army National Guard networks, and House of Representatives committees, as well as private critical infrastructure firms and universities in multiple countries.