Suspected Chinese breach of FBI system exposed surveillance targets’ phone numbers

Celal Güneş/Anadolu Agency via Getty Images

Access to this data could help foreign hackers determine who the U.S. is spying on.

A suspected China-linked breach of an FBI surveillance system likely revealed phone numbers of targets being monitored by the bureau, according to a person familiar with a recent notification of the breach sent to Congress and a second person familiar with the matter. 

On February 17, the FBI began investigating abnormal activity in an unclassified system that stores pen register and trap-and-trace surveillance data, said the people, describing a Justice Department notice transmitted to Congress earlier this week. So far, the agency has identified that phone numbers were exposed, the people said.

The DOJ assessed that, under standards codified in the Federal Information Security Modernization Act, the breach was a “major incident,” and remediation efforts are ongoing, the people added.

Pen register and trap-and-trace tools let the FBI collect metadata on who a target is communicating with, though they do not capture the content of those communications. 

Access to this data could allow foreign hackers to determine who the U.S. is surveilling. Phone numbers don’t necessarily reveal the identities of individuals, but they can be used to map relationships and build networks of associates and intelligence targets.

“The FBI, part of their job is counterintelligence,” said John Fokker, head of threat intelligence at Trellix and a former official in the Dutch National Police’s High-Tech Crime Unit. “So if they’re conducting any investigations on U.S. soil against, maybe some Chinese spies … that could be interesting for a party like the Chinese or the Russians, it could be anyone, just to get an inside look. It can give them a heads up of who they need to cut ties with, or bring back, or if their asset is compromised.”

Politico first reported the details of the breach involving targets’ phone numbers and the “major incident” determination under FISMA. The Wall Street Journal reported a suspected Chinese nexus to the hack. Nextgov/FCW has not independently confirmed a definitive link to China.

“The FBI identified anomalous activity on an unclassified network and quickly leveraged all technical capabilities to remediate the incident,” an FBI spokesperson said. “It was determined the access was obtained through a third party and constitutes a major incident under the Federal Information Security Modernization Act (FISMA). The FBI is following the required steps under FISMA, including notifying Congress, and remains focused on countering nation-state and cybercriminal activity.”

“Reports that China-linked threat actors compromised sensitive FBI systems are disturbing — and are even more evidence that the Trump administration has taken its eye off the ball when it comes to defending government and critical infrastructure networks from our adversaries,” said Mississippi Rep. Bennie Thompson, the top Democrat on the House Homeland Security Committee. “From its bare bones cyber strategy to pushing cyber talent out of government, the president is ignoring pressing cyber threats and leaving our nation vulnerable. It’s time for him to focus on what’s important.” 

The development is the most recent known example of a potential foreign adversary attempting to acquire data tied to phone records collected by U.S. law enforcement.

In 2024, investigators concluded the Chinese state-backed Salt Typhoon group breached global telecom networks, including systems that facilitate “lawful intercept” requests used by law enforcement to surveil targets via court orders. It allowed them to directly target the calls of major political figures, including President Donald Trump and Vice President JD Vance when they were campaigning for the White House.

Rep. Andrew Garbarino, R-N.Y., the chairman of the House Homeland Security Committee, said the panel was in touch with the Cybersecurity and Infrastructure Security Agency about the incident.

“The PRC’s continued targeting of U.S. government systems, including through trusted third-party infrastructure as seen in the Salt Typhoon campaign, underscores the growing sophistication and persistence of these actors. CISA’s mission to work in close partnership with interagency partners and the private sector to identify and mitigate vulnerabilities before they are exploited is essential,” Garbarino said. “The fact that this intrusion took place during the ongoing DHS shutdown highlights the dangerous consequences of playing politics with our national security. The committee is actively engaged with CISA as we assess the scope and implications of this intrusion.”