Hackers found inside FBI wiretap and surveillance network

The Federal Bureau of Investigation (FBI) revealed Thursday that hackers breached the sensitive investigative network used to manage surveillance warrants and wiretaps, CNN reported.
Update – April 2nd: The FBI has now classified the intrusion as a “major incident” under the Federal Information Security Modernization Act (FISMA) and notified Congress earlier this week, according to sources who spoke to Politico.
FISMA is the US law that sets cybersecurity standards for federal agencies and requires them to report major security incidents to Congress; under the 2014 version of the Act, that notification is due within seven days of an agency determining that an incident is major.
Under the OMB guidance that implements FISMA, a "major incident" is one likely to result in demonstrable harm to US national security interests, foreign relations, or the economy, or to public confidence, civil liberties, or public health and safety – in practice, a serious impact on government systems, operations, or sensitive information.
- Hackers targeted one of the FBI’s most sensitive surveillance systems – a platform used to manage court-approved wiretaps.
- The breach involves a network that FBI investigators rely on to collect communications evidence in major criminal, counterterrorism, and national security cases.
- The FBI later determined the intrusion was linked to China and classified it as a major incident under federal cybersecurity law.
“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” an FBI spokesperson said in a statement sent to the outlet on Thursday.
The FBI did not name any specific threat actor, nor did it disclose how the network was infiltrated or when the intrusion may have taken place. The Politico report later said the FBI had determined the intrusion was linked to China.
While the Bureau rarely publicly acknowledges breaches of its own networks, the incident involves one of the FBI’s most sensitive investigative systems.
The targeted network – known as the Digital Collection System Network – is used to manage wiretapping and foreign intelligence surveillance warrants during investigations, the media outlet reported.
Upon discovering the incident, the Bureau sought assistance from senior officials at the FBI and Justice Department responsible for civil liberties and national security, sources familiar with the investigation told CNN.
Gabrielle Hempel, Security Operations Strategist at Exabeam, says the concern here is “largely operational integrity and not necessarily data loss – at least not yet.”
FBI surveillance systems, among others, “sit at the intersection of intelligence collection, legal authorization, and operations, making them uniquely vulnerable,” Hempel explains.
“If an adversary can breach a system that manages lawful intercept workflows like this, then you start asking questions about evidence chain integrity, surveillance authorization integrity, and whether investigations themselves have been exposed or manipulated in some way,” she says.
Noting the “strict legal controls” that intelligence and surveillance systems are beholden to under the Foreign Intelligence Surveillance Act (FISA), Hempel says any major intrusion will undoubtedly “raise questions about evidence admissibility and chain of custody, causing massive ripple effects.”
Inside the FBI’s digital wiretap network
The Bureau’s Digital Collection System Network (DCSNet) is the FBI’s centralized platform for conducting electronic surveillance.
The Electronic Frontier Foundation (EFF) says the DCSNet software suite collects real-time audio and other signal-related intelligence from telephones, microphones, and fax lines – including dialed numbers, phone call content, text messages, and location data from cellular towers – pursuant to court-authorized warrants.
The system runs on Windows-based computers and is made up of three primary components, the EFF website states.
The most expensive component, developed at a cost of $10 million, is the DCS-3000 client – also known as Red Hook – which handles pen register and trap-and-trace surveillance.
A pen register records the numbers a target dials (outgoing calls), while a trap-and-trace records the numbers calling in; in both cases Red Hook collects only this signaling information, not the content of the communications.
This kind of metadata can reveal who the FBI is surveilling, making it highly valuable to foreign intelligence services.
Next, the DCS-6000, aka Digital Storm, captures the full content of phone calls and text messages under wiretap orders.
A third, classified system – DCS-5000 – is said to be used for national security wiretaps targeting suspected spies or terrorists.
Together, the systems play a key role in FBI counterintelligence, counterterrorism, and criminal investigations, helping analysts identify threats and support criminal prosecutions, according to data analytics site HigherGov.
In 2024, the DCSNet program maintained a $30 million budget, HigherGov reports.
Cyber leadership losses raise security concerns
Sally Vincent, Senior Threat Research Engineer at Exabeam, also notes that Thursday’s FBI breach “comes at a time when federal cybersecurity capabilities are under increasing strain.”
Vincent says many of the FBI’s top cyber leaders and senior officials have reportedly left, retired, or been fired, raising concerns about the loss of institutional knowledge.
Vincent also says FBI director Kash Patel "refuses to go into detail" regarding the agency reductions – even as the Bureau faces a proposed $500 million budget cut.
“Leadership changes, staffing reductions, and budget cuts across federal agencies – including at the nation’s Cybersecurity and Infrastructure Security Agency (CISA) – could weaken national defenses at a time when criminal and nation-state cyber activity continues to grow at an unprecedented rate,” Vincent says.
US government networks face escalating cyberattacks
In the past few years, federal officials and government agencies have been bombarded with hacking attacks, including by some of the world’s most sophisticated threat actors.
One of the more notable is the Beijing-backed espionage group Salt Typhoon – an advanced persistent threat (APT) known for burrowing deep into telecommunications networks and persisting there undetected for long periods.
And, although there has been no direct mention of the Chinese-linked threat actor being responsible for the latest hack, the Washington rumor mill is already hinting at Salt Typhoon's possible involvement.
“History suggests these moments tend to ripple,” says Ross Filipek, CISO at Corsica Technologies.
The CISO explains that “if Salt Typhoon is involved, the impact could extend beyond a single incident into a sustained counterintelligence problem.”
In what has been called the worst telecom breach in US history, Salt Typhoon ran an espionage campaign against nine US telecoms in the lead-up to the 2024 US presidential election – including AT&T, Lumen Technologies, Verizon, and Viasat – and even tapped into the email accounts of Trump and Biden campaign staffers.
That same year, Chinese state hackers were also blamed for intrusions at the US Treasury and a US National Guard network, exfiltrating sensitive military and law enforcement data; the months-long National Guard intrusion was attributed to Salt Typhoon.
In the Treasury intrusion, the hackers accessed more than 400 workstations, including the laptops of senior Treasury officials, while a separate, year-long compromise of the Treasury’s Office of the Comptroller of the Currency exposed the email accounts of about 100 bank regulators.
Meanwhile, Salt Typhoon has been blamed for targeting 200 US organizations and 80 countries, with some fears remaining of ongoing telecom surveillance risks.
Filipek expects to see greater pressure on the agency to implement tighter guardrails, mandated auditing, segmentation, and hardening of lawful intercept request systems, as well as renewed momentum in telecom security rulemaking.
“We’ve seen how major government breaches, such as the one impacting the Office of Personnel Management in 2015, create long-tail exposure and forced broad remediation across agencies and suppliers,” Filipek said.