China-Linked Breach Hit FBI Surveillance Network and Exposed Sensitive Case Data
The FBI confirmed that suspicious cyber activity targeted one of its internal surveillance networks, and officials later classified the intrusion as a "major incident" under FISMA because of the potential national security impact. Reporting indicates the affected environment included systems tied to the FBI’s Virgin Islands operations, where attackers accessed highly sensitive law-enforcement information, including pen register and trap-and-trace returns as well as personally identifiable information connected to active investigations. The bureau said it detected unusual activity in February, informed lawmakers in early March, and publicly acknowledged that the activity had been contained while the investigation continued.
Multiple reports said investigators linked the operation to China, and that the attackers appear to have reached FBI systems through a commercial internet service provider’s vendor infrastructure rather than by directly breaching the bureau first. The incident prompted a broader U.S. government response, with the White House convening officials from the FBI, NSA, and CISA and the Justice Department establishing a working group to strengthen resilience and incident response. The breach was reported as separate from another cyber matter involving the FBI director’s personal email, underscoring that the bureau was confronting several cyber threats at the same time.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
White House and DOJ launch coordinated response measures
Following the breach determination, the White House convened officials from the FBI, NSA, and CISA, and the Justice Department formed a working group to improve cyber resilience and incident response. These actions reflected a broader federal response to the intrusion.
Justice Department classifies FBI breach as a major incident
On March 23, the Justice Department determined that the FBI surveillance-system breach met the FISMA threshold for a major incident, signaling significant national security risk. The classification followed reporting that sensitive pen register, trap-and-trace, and personally identifiable information had been exposed.
FBI publicly confirms suspicious activity on surveillance network
On March 5-6, 2026, the FBI publicly acknowledged it was investigating suspicious cyber activity targeting a critical surveillance network. Multiple reports described the activity as affecting bureau systems and prompting an active investigation.
FBI informs lawmakers of suspicious cyber activity
By March 4, the FBI had notified lawmakers about suspicious activity affecting a critical surveillance network. This marked the incident's escalation from internal detection to formal congressional notification.
FBI detects unusual activity on internal surveillance system
The FBI detected unusual activity on one of its internal surveillance systems, later tied in reporting to a China-linked intrusion. The affected environment reportedly included systems in the Virgin Islands and exposed sensitive law-enforcement and investigative data.
WSJ reports China-linked hack breached telecom wiretap systems
On 2024-10-05, The Wall Street Journal reported that a China-linked intrusion affecting major U.S. broadband providers, including AT&T and Verizon, had potentially accessed systems used to submit and process court-authorized wiretap requests. The report said the attackers may also have accessed broader internet traffic and maintained access for months or longer.
FBI contains cyber incident at New York Field Office network
The FBI disclosed that it had contained a cyber incident affecting its computer network at the New York Field Office. Reporting on February 17, 2023 indicates the bureau said the incident was isolated and under control.
Sources
7 references tracked.
FBI Declares Surveillance System Breach a ‘Major Incident’
techrepublic.com
FBI confirms its networks were targeted by "suspicious" cyber activities - CBS News
cbsnews.com
FBI investigating ‘suspicious’ cyber activities on critical surveillance network | CNN Politics
edition.cnn.com
FBI investigating ‘suspicious’ cyber activities on critical surveillance network | CNN Politics
cnn.com
Exclusive | U.S. Wiretap Systems Targeted in China-Linked Hack - WSJ
web.archive.org
FBI says cyber incident at New York Field Office ‘contained’ | FedScoop
fedscoop.com
FBI says it has ‘contained’ cyber incident on bureau’s computer network | CNN Politics
cnn.com


