The FBI reportedly classified a China-linked effort to penetrate one of its surveillance systems this week as a “major cyber incident,” meaning it was a significant risk to U.S. national security.
The definition of a “major incident” was established by the Federal Information Security Modernization Act of 2014 (FISMA). The 2014 bill was an update to a 2002 law that created universal security standards for federal agencies, including protocols for investigating and documenting suspected cyberattacks.
The FBI notified Congress in early March that it was investigating “suspicious activities” on one of its sensitive internal computer networks, upon which the Bureau stored information related to wiretaps and other surveillance programs. The intrusion was first detected on February 17 and, by all accounts, the FBI’s cybersecurity team was able to shut it down fairly quickly.
“The affected system is unclassified and contains law enforcement sensitive information, including returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations,” the FBI said.
“Pen register” and “trap and trace” techniques allow law enforcement agencies to access certain metadata from phones belonging to people they are investigating, although they stop short of eavesdropping on phone conversations. The data collected by these techniques would be of great interest to foreign espionage agencies because it would tell them who the FBI is investigating, possibly including their own operatives in the United States.
The FBI told Congress the attackers got into their system by “leveraging infrastructure from a commercial Internet service provider,” a third-party attack strategy that has become increasingly popular with threat actors for penetrating high-security systems.
The FBI did not report any further details of the intrusion at the time, and offered no theories about who was responsible, but the sophistication of the hack led observers to suspect it was the work of a hostile state actor.
These suspicions were reinforced when the White House, National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) joined the investigation.
Also, as Politico observed when the investigation was announced, the FBI intrusion bore “some resemblance” to the massive hack of global telecommunications in 2024 that was attributed to a Chinese state cyberespionage group known as Salt Typhoon.
The Wall Street Journal (WSJ) quoted unnamed “people familiar with the matter” who said there was reason to believe “hackers affiliated with the Chinese government” were responsible for the attack, but they did not elaborate further.
Former deputy assistant director of the FBI Cyber Division Cynthia Kaiser told Politico on Wednesday that, to the best of her knowledge, the FBI has not declared a major cyber incident since 2020.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” she noted.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” warned Sen. Mark Warner (D-VA), ranking Democrat on the Senate Intelligence Committee.
“This is just a reminder that any unpatched vulnerability or any architectural weakness is going to be exploited by an adversary of this caliber,” added one of the unnamed U.S. officials who spoke to Politico.
On the bright side, the investigation of the FBI hack could reveal important information about China’s cyber-espionage activities, including strategies and techniques they would rather not have American security experts become aware of. Any information that helps to track down Salt Typhoon, which is still considered an active threat by the FBI Cyber Division, would be particularly helpful.
