INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me
CRITICAL CORROBORATED

FBI: China-Linked Hackers Breach Wiretap Surveillance System in 'Major Incident'

Apr 5, 2026 · FISMA major incident

Publication Date: 2026-04-05
Category: Nation-State & Espionage
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

The Federal Bureau of Investigation has formally classified a breach of its Digital Collection System Network - the internal infrastructure the bureau uses to manage court-authorized wiretaps and foreign intelligence surveillance - as a "major incident" under the Federal Information Security Modernization Act (FISMA). The breach, detected on February 17, 2026, exposed pen register and trap-and-trace surveillance returns along with personally identifiable information on subjects of active FBI investigations.

Executive Summary

KEY FACTS

  • What: Breach of the FBI's Digital Collection System Network (DCS-3000/Red Hook), an unclassified system that processes pen register and trap-and-trace surveillance data for court-authorized wiretaps and FISA warrants
  • Who: Federal Bureau of Investigation; subjects of active FBI surveillance operations; suspected Chinese state-sponsored hackers
  • How: Supply chain compromise via a commercial ISP vendor's infrastructure, bypassing direct FBI network defenses
  • Data: Phone numbers of surveillance targets, pen register returns (outgoing call metadata), trap-and-trace returns (incoming call metadata), website visit logs from internet-connected devices, and personally identifiable information on subjects of FBI investigations
  • Actor: Suspected PRC-affiliated threat actor; investigators have focused on Salt Typhoon (also tracked as Earth Estries, GhostEmperor, FamousSparrow, RedMike, UNC2286) linked to China's Ministry of State Security. No formal attribution issued by the FBI
  • Impact: Compromise of active surveillance target identities; potential exposure of FBI counterintelligence operations; FISMA "major incident" classification indicating "demonstrable harm" to U.S. national security; criminal investigation opened; cybersecurity review initiated

Incident Overview

WHAT HAPPENED

On February 17, 2026, FBI analysts flagged abnormal log activity on the bureau's Digital Collection System Network (DCSNet), specifically the DCS-3000 component known internally as Red Hook. This unclassified system processes pen register and trap-and-trace surveillance data - court-authorized metadata collection that logs phone numbers dialed from and received by surveillance targets, along with websites visited by internet-connected devices.

The system does not capture the content of communications, but the metadata it holds reveals who the FBI is watching, when they are being watched, and who they are communicating with.

The FBI first notified Congress on March 4, 2026, that it had detected suspicious activity on an internal system storing "law enforcement sensitive information," but did not name a suspect at that time. Investigators subsequently determined that the threat actor had exploited a commercial Internet Service Provider's vendor infrastructure to gain access - a supply chain attack that bypassed the FBI's direct network perimeter defenses. The affected systems were located in the U.S. Virgin Islands, not at FBI headquarters in Washington.

The DOJ formally notified Congress of the "major incident" classification, triggering the mandatory seven-day reporting window. Bloomberg reported that the breach prompted both a criminal investigation and a broader cybersecurity review of the bureau's networks.

The Wall Street Journal first reported the suspected Chinese nexus to the hack on March 6. Politico subsequently reported on April 1 that the FBI had formally declared the intrusion a "major cyber incident," with additional reporting from NBC News, Fox News, Bloomberg, and Nextgov/FCW filling in details about the scope and counterintelligence implications of the breach. The FBI has declined to comment beyond its initial acknowledgment.

Attribution

THREAT ACTOR ANALYSIS

U.S. investigators suspect hackers affiliated with the Chinese government are responsible for the breach. Investigators have focused attention on Salt Typhoon, a PRC state-sponsored threat actor linked to China's Ministry of State Security (MSS) that has been active since at least 2019. The group is tracked across the threat intelligence community under multiple designations: Earth Estries (Trend Micro), GhostEmperor (Kaspersky), FamousSparrow (ESET), RedMike (Recorded Future), UNC2286 (Mandiant), and OPERATOR PANDA (CrowdStrike).

Salt Typhoon's operational profile aligns with the FBI breach in several respects. The group previously compromised at least nine major U.S. telecommunications providers - including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter Communications, Consolidated Communications, and Windstream - between 2019 and 2024, gaining access to CALEA (Communications Assistance for Law Enforcement Act) lawful intercept systems used by law enforcement.

In that campaign, Salt Typhoon intercepted call recordings of senior U.S. politicians and obtained "virtually complete lists of all FBI wiretap targets," according to reporting by NBC News. By August 2025, the FBI acknowledged Salt Typhoon had compromised at least 200 organizations across more than 80 countries.

However, no formal technical attribution has been issued by the FBI linking Salt Typhoon - or any specific Chinese threat group - to this breach. The attack vector (exploitation of ISP vendor infrastructure) is consistent with Salt Typhoon's documented tradecraft of targeting telecommunications supply chains, but multiple PRC-affiliated groups operate with similar capabilities. China has denied responsibility for Salt Typhoon operations and all related intrusions.

Impact Assessment

WHAT WAS EXPOSED

  • Phone numbers of active FBI surveillance targets - revealing who the bureau is monitoring in real time
  • Pen register returns - outgoing call metadata including numbers dialed from targets' phone lines, with date and time stamps
  • Trap-and-trace returns - incoming call metadata including numbers calling targets' phone lines
  • Website visit logs from internet-connected devices under surveillance
  • Personally identifiable information (PII) on subjects of active FBI investigations - names and identifying details tied to surveillance warrants
  • Source and destination IP addresses associated with monitored communications
  • Metadata revealing communication patterns, frequency, and timing of contacts between surveillance targets and their associates
  • Surveillance operational data - which individuals are under active FBI monitoring, the scope of collection, and the legal authorities (pen register orders, FISA warrants) used to authorize surveillance

The counterintelligence significance of this exposure cannot be overstated. As John Fokker, head of threat intelligence at Trellix and former official in the Dutch National Police's High-Tech Crime Unit, stated: the compromised data "can give them a heads up of who they need to cut ties with, or bring back, or if their asset is compromised." If Chinese intelligence services accessed this data, they could identify which of their own operatives the FBI was monitoring - and take immediate steps to burn assets, sever communication chains, or extract compromised officers.

Root Cause Analysis

TECHNICAL FAILURE CHAIN

1. Supply chain trust without verification.

The FBI's DCS-3000 system relied on connectivity through a commercial ISP vendor's infrastructure. The threat actor exploited this vendor as a pivot point into FBI networks, bypassing the bureau's direct perimeter defenses entirely. This is a textbook supply chain compromise - and it mirrors exactly how Salt Typhoon penetrated U.S. telecom CALEA systems in 2024. The FBI, having watched Salt Typhoon exploit ISP infrastructure for years, failed to harden its own dependencies on the same attack surface.

2. Unclassified system holding operationally sensitive data.

The DCS-3000/Red Hook system is classified as "unclassified" despite containing surveillance target identities, active investigation metadata, and PII of individuals under FBI monitoring. Unclassified systems receive lower security controls, less frequent auditing, and broader access than classified systems. Storing data with direct counterintelligence value on an unclassified network created an asymmetry between the sensitivity of the data and the protections applied to it.

3. Insufficient network segmentation between vendor and operational systems.

The attacker traversed from the ISP vendor's infrastructure into FBI operational systems containing surveillance returns. This indicates insufficient segmentation between the vendor-facing network boundary and the systems processing law enforcement sensitive data. Zero-trust architecture principles - verify every connection regardless of source - were not effectively implemented on this network path.

4. Detection gap between intrusion and identification.

The FBI detected "abnormal log activity" on February 17, but the actual date of initial compromise has not been disclosed. The dwell time - the period between initial access and detection - remains unknown. Given Salt Typhoon's documented dwell times of one to two years in telecom networks, the actual compromise may have predated detection by a significant margin.

5. Systemic underinvestment in federal cybersecurity workforce.

The breach occurred against a backdrop of significant workforce reductions across federal cybersecurity. The FBI's proposed FY2026 budget included a $545 million cut in obligations and a loss of approximately 1,830 staff positions. CISA was projected to lose a third of its workforce. Multiple former FBI cyber division officials have departed, including Cynthia Kaiser, who left her role in the FBI's cyber division. Senator Mark Warner stated: "From Salt Typhoon to Stryker to now this reported breach at the FBI, the pattern is clear: our adversaries are probing for weaknesses, and they're finding them."
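
The deny-by-default check that root causes 1 and 3 above call for, written out as an added example; this is not code from the advisory, the FBI, or any vendor. Constructed flow records crossing a hypothetical vendor boundary are evaluated against an explicit allowlist keyed on source segment, destination segment, destination port and the client identity presented on the connection, so that arriving over the vendor link grants nothing by itself. The segment addresses, the SPIFFE-style identity string and every flow below are assumptions made for the illustration.

```python
"""Deny-by-default evaluation of flows that cross a vendor boundary.

Added example: the segments, addresses, identity strings and flow records
below are constructed for illustration and are not drawn from the advisory.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    identity: str  # client identity presented on the connection (mTLS); "" if none


# Hypothetical network segments (constructed).
SEGMENTS = {
    "vendor_edge": ip_network("10.90.0.0/24"),  # ISP vendor hand-off
    "collection": ip_network("10.10.0.0/24"),   # systems holding surveillance returns
    "mgmt": ip_network("10.10.1.0/24"),         # administrative network
}

# Explicit allowlist: (src segment, dst segment, dst port, required identity).
# Anything not listed here is denied, whatever its source address.
ALLOW = {
    ("vendor_edge", "collection", 8443,
     "spiffe://example.invalid/vendor/collector-feed"),
}


def segment_of(addr: str) -> str:
    """Map an address to its segment name; addresses outside every segment are 'unknown'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return ("allow" | "deny", reason). Source address alone never grants access."""
    key = (segment_of(flow.src), segment_of(flow.dst), flow.dport)
    for src_seg, dst_seg, port, ident in ALLOW:
        if (src_seg, dst_seg, port) == key:
            if flow.identity == ident:
                return "allow", "explicit rule and verified client identity"
            shown = flow.identity or "<none>"
            return "deny", f"rule exists for {key} but identity {shown} is not authorised"
    return "deny", f"no rule for {key[0]} -> {key[1]}:{key[2]}"


def audit(flows):
    """Return the denied flows with reasons; these are the events worth alerting on."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample traffic at the vendor boundary.
SAMPLE_FLOWS = [
    Flow("10.90.0.12", "10.10.0.5", 8443, "spiffe://example.invalid/vendor/collector-feed"),  # expected feed
    Flow("10.90.0.12", "10.10.0.5", 22, ""),    # SSH from the vendor edge: no rule
    Flow("10.90.0.12", "10.10.0.5", 8443, ""),  # right port, no client identity
    Flow("10.90.0.44", "10.10.1.9", 443, "spiffe://example.invalid/vendor/collector-feed"),  # into mgmt: no rule
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

The design point is the one in root cause 3: the vendor edge is treated as just another untrusted source, so a connection is admitted only when segment, port and a verified per-connection identity all match an explicit rule, and every denial is surfaced as an auditable event rather than silently dropped.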

Detection

INDICATORS OF COMPROMISE

SALT TYPHOON (SUSPECTED - NOT FORMALLY ATTRIBUTED)
  • CVE-2023-20198 (CVSS 10.0) - Cisco IOS XE privilege escalation, actively exploited by Salt Typhoon
  • CVE-2023-20273 - Cisco IOS XE command injection, chained with CVE-2023-20198
  • CVE-2018-0171 - Cisco Smart Install remote code execution, exploited by Salt Typhoon in telecom campaigns

MITRE ATT&CK Techniques: T1190, T1199, T1098.004, T1136, T1602.002, T1110.002, T1562.004, T1070.002, T1040, T1572, T1048.003, T1021.004

Malware: JumbledPath (S1206) - Custom Salt Typhoon tool for data archiving, infrastructure hiding, defense impairment, log clearing, and network sniffing

Threat Actor Aliases: Salt Typhoon (Microsoft), Earth Estries (Trend Micro), GhostEmperor (Kaspersky), FamousSparrow (ESET), RedMike (Recorded Future), UNC2286 (Mandiant), OPERATOR PANDA (CrowdStrike)

Note: No IOCs specific to the FBI breach have been publicly released. The indicators above are associated with Salt Typhoon's documented telecom campaigns. Direct technical evidence linking Salt Typhoon to this specific intrusion has not been published by the FBI or any government agency.
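
Worked detection logic for the ATT&CK techniques listed above, as an added example that is not code from the advisory or from any vendor tool. Syslog-style lines are matched against simple rules keyed to five of the listed techniques (T1136, T1098.004, T1562.004, T1070.002, T1040), and a correlation step raises one alert when a single host shows several distinct techniques inside a short window, which is the behavioural signal a single rule hit does not give. The log lines, the host name and the regex patterns are constructed for the illustration.

```python
"""Rule matching and per-host correlation over syslog-style lines.

Added example: the rules, the sample log lines and the host name are
constructed for illustration and are not indicators from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules keyed by ATT&CK technique ID. Patterns are written for the
# constructed lines below; a real ruleset is tuned to the actual log sources.
RULES = {
    "T1136": re.compile(r"useradd\[\d+\]: new user: name=\S+?,"),               # Create Account
    "T1098.004": re.compile(r"COMMAND=.*\.ssh/authorized_keys"),                # SSH Authorized Keys
    "T1562.004": re.compile(r"Stopped firewalld|ufw disable|iptables -F"),      # Disable System Firewall
    "T1070.002": re.compile(r"COMMAND=\S*(truncate|shred|rm)\b.*/var/log/"),    # Clear Linux Logs
    "T1040": re.compile(r"COMMAND=\S*(tcpdump|tshark)\b"),                      # Network Sniffing
}

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(line):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # Classic syslog stamps carry no year; strptime defaults it, which is fine for deltas.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def match_techniques(lines):
    """Return [(timestamp, host, technique_id, line)] for every rule hit."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for tech, pattern in RULES.items():
            if pattern.search(msg):
                hits.append((ts, host, tech, line))
    return hits


def correlate(hits, window=timedelta(minutes=10), min_techniques=3):
    """Per host, alert when at least min_techniques distinct techniques fall inside one window.

    One hit on its own (a new account, a firewall restart) is routine; several
    distinct techniques on the same host within minutes is the behavioural signal.
    """
    by_host = defaultdict(list)
    for ts, host, tech, _ in hits:
        by_host[host].append((ts, tech))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            techs = {tech for ts, tech in events[i:] if ts - start <= window}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return alerts


# Constructed sample lines from a hypothetical collection host.
SAMPLE_LOG = [
    "Feb 17 02:14:07 collector01 useradd[4412]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash",
    "Feb 17 02:14:31 collector01 sudo:  admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tee -a /root/.ssh/authorized_keys",
    "Feb 17 02:15:02 collector01 systemd[1]: Stopped firewalld - dynamic firewall daemon.",
    "Feb 17 02:15:40 collector01 sudo:  admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log",
    "Feb 17 02:16:10 collector01 sudo:  admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -w /tmp/cap.pcap",
    "Feb 17 02:20:00 collector01 sshd[5001]: Accepted publickey for admin from 10.10.1.5 port 51002 ssh2",
]

if __name__ == "__main__":
    found = match_techniques(SAMPLE_LOG)
    for ts, host, tech, line in found:
        print(f"{ts:%b %d %H:%M:%S} {host} {tech}: {line[16:80]}")
    print("alerts:", correlate(found))
```

Two things make this more than a grep: the correlation window turns five individually explainable events into one host-level alert, and the log-clearing rule (T1070.002) only works if the lines have already left the host, which is why the advisory's logging recommendation implies central, append-only collection rather than local files an intruder can truncate.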

Compliance Impact

REGULATORY EXPOSURE

  • FISMA (Federal Information Security Modernization Act of 2014) - The FBI has formally classified this breach as a "major incident" under FISMA, triggering mandatory congressional notification within seven days of determination.
  • Privacy Act of 1974 (5 U.S.C. 552a) - The compromised system contained PII on subjects of FBI investigations stored in federal records systems.
  • E-Government Act of 2002 (Section 208) - Requires federal agencies to conduct privacy impact assessments for systems collecting PII.
  • OMB Memorandum M-17-12 - Establishes federal breach response requirements including risk assessment, notification of affected individuals, and remediation.
  • Executive Order 14028 (Improving the Nation's Cybersecurity, 2021) - Mandates zero-trust architecture adoption across federal agencies and supply chain security requirements.
  • CISA Binding Operational Directive 22-01 - Requires federal agencies to remediate known exploited vulnerabilities within defined timelines.
  • 44 U.S.C. 3554 - Requires agency heads to provide information security protections commensurate with the risk and magnitude of harm.
  • Intelligence Community Directive 503 (IC ICD 503) - While the system is classified as unclassified, the surveillance target data it contains has direct intelligence value.
  • Congressional Oversight - Multiple congressional committees have jurisdiction: Senate Intelligence Committee (Sen. Mark Warner, Vice Chairman), House Intelligence Committee, Senate Judiciary Committee, and House Judiciary Committee.

Analytical Limitations

INTELLIGENCE GAPS

  • Dwell time is unknown. The FBI detected abnormal log activity on February 17, 2026, but the date of initial compromise has not been disclosed.
  • The specific ISP vendor has not been identified. The FBI described the attack vector as "leveraging a commercial Internet Service Provider's vendor infrastructure" but has not named the provider.
  • Formal attribution has not been issued. While multiple sources report suspected Chinese government involvement and investigators have focused on Salt Typhoon, the FBI has not issued formal technical attribution.
  • The exact scope of data exfiltration is undisclosed. The number of affected surveillance targets, the volume of metadata exfiltrated, and whether FISA warrant data was accessed have not been publicly disclosed.
  • Connection to the 2024 Salt Typhoon telecom campaign is unconfirmed. It is unclear whether this FBI breach represents a continuation of Salt Typhoon's telecom campaign, a separate operation by the same group, or an unrelated intrusion.
  • Impact of federal workforce reductions on detection and response capability is unquantified.
  • Remediation status and ongoing access risk are unclear. The FBI stated it "leveraged all technical capabilities to remediate the incident" but has not confirmed that the threat actor has been fully expelled.

Assessment

ZERO|TOLERANCE Advisory

1. Federal agencies must enforce zero-trust supply chain verification for all vendor network connections.

The FBI's DCS-3000 system was compromised through a commercial ISP vendor - the same attack surface Salt Typhoon has exploited across the telecom sector since 2019.

2. Reclassify surveillance target data to match its actual intelligence value.

The DCS-3000 system was designated "unclassified" despite containing data that reveals active FBI surveillance targets - information with direct counterintelligence value to foreign intelligence services.

3. Deploy enhanced network segmentation and microsegmentation between vendor-facing and operational systems.

4. Mandate comprehensive logging with behavioral analytics on all systems processing surveillance data.

5. Congress must reverse federal cybersecurity workforce cuts before adversaries exploit the growing capability gap.

The FBI's FY2026 budget proposes cutting $545 million and approximately 1,830 staff positions.

6. The FBI should publish indicators of compromise and a detailed technical advisory.

As of this writing, no IOCs, TTPs, or technical indicators specific to this breach have been shared with the broader cybersecurity community.

References

SOURCES

The Hill, NBC News, Fox News, Bloomberg, Politico, Nextgov/FCW, The Wall Street Journal, CNN, The Register, Malwarebytes, CyberScoop, GovInfoSecurity, Cybernews, SOFX, MITRE ATT&CK, Recorded Future, Censys, Picus Security, NJCCIC, U.S. Senate Commerce Committee, Congress.gov (CRS), FBI.gov, Wikipedia (Salt Typhoon), GreyNoise, Eclypsium, TIME