The determination suggests the hackers successfully compromised swathes of sensitive data stored directly on FBI systems, likely marking a major counterintelligence coup for China. FISMA requires agencies to tell lawmakers within seven days about any digital intrusion they have determined is “likely to result in demonstrable harm” to U.S. national security.
Cynthia Kaiser, the former deputy assistant director of the FBI’s cyber division, said she is not aware of the FBI making any such determination on a hack affecting its own systems since at least 2020.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” Kaiser said.
An FBI spokesperson declined to comment on the declaration, instead referring POLITICO to a prior comment it made on the incident in early March: “FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.”
Under guidelines set by FISMA, an intrusion can meet the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents acute risks to the national security, foreign relations, public confidence or civil liberties of Americans.
It is not clear what finding triggered the FBI determination.
In the March notice to Congress viewed by POLITICO, the FBI told lawmakers that unspecified hackers appeared to break into an agency system by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which it described as a reflection of the group’s “sophisticated tactics.”
The notice also said the “affected” system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”
Pen register and trap and trace devices allow law enforcement to monitor calls made to or from a specific phone, or websites visited by an internet-connected device. While these tools do not record the content of those communications, the information captured is valuable to foreign intelligence services or organized criminal groups because it could reveal the targets of FBI surveillance or criminal probes.
The breach of the FBI surveillance system does not appear to be connected to a recent Iranian-linked compromise of FBI Director Kash Patel’s personal emails. It is the latest sign that Chinese hackers have advanced to the point where they are consistently able to penetrate some of the country’s most sensitive national security systems.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” said Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee.
When an agency declares a major incident under FISMA, it is also supposed to trigger an interagency cyber response mechanism. It is unclear whether that has happened or if the hack has since been contained.
Separate spokespeople for the White House and the Cybersecurity and Infrastructure Security Agency referred to the FBI for comment. The NSA did not respond to requests for comment.
The White House hosted a meeting about the breach that included officials from the FBI, NSA and CISA in early March, according to the first U.S. official and a third U.S. official with knowledge of the meeting.
Chinese hackers have previously targeted commercial communications providers as a springboard into federal networks or to access sensitive national security data.
One Chinese hacking group dubbed Volt Typhoon has burrowed deep inside critical infrastructure across the United States — including ports, water facilities and energy substations — while a second group labeled Salt Typhoon has breached some of the country’s largest telecommunications providers. In the latter hack, first uncovered in late 2024, Chinese hackers were able to siphon off call records from millions of Americans, view FBI wiretap data and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
The first U.S. official said they believed the FBI had acted quickly to address the incident. But they noted it was “embarrassing” for the bureau to be breached by the same hackers it is supposed to be tracking.
“This is just a reminder that any unpatched vulnerability or any architectural weakness is going to be exploited by an adversary of this caliber,” said the person, referring to Chinese state hackers.
Source:
www.politico.com