Salt Typhoon, a hacking group tied to China's Ministry of State Security, spent years quietly burrowing into American telecommunications networks — AT&T, Verizon, and at least seven others — accessing the systems that carry out court-authorized wiretaps. Now it has reached the Federal Bureau of Investigation (FBI) itself. On April 1, 2026, the FBI classified a breach of its Digital Collection System Network, the internal platform managing surveillance operations under the Foreign Intelligence Surveillance Act (FISA), as a 'major incident' — the most serious cybersecurity designation available under federal law. It is the first time the bureau has made that determination about its own systems since at least 2020.
The attackers entered through a vendor's internet service provider — a supply chain route that bypassed the FBI's perimeter defenses — and accessed metadata showing which phone numbers were under surveillance, personal details of investigation subjects, and legal process returns gathered under court orders. The breach was detected on February 17 when analysts flagged abnormal log activity, but the scope of what was taken remains under investigation. Congress was notified in early March. The intrusion means China's intelligence apparatus may now know not just who American law enforcement is watching, but how.
Why it matters
China may now know who the FBI is wiretapping and how its surveillance operations work.
April 2026
FBI classifies breach as FISMA 'major incident'
Classification
Politico reported the FBI formally designated the intrusion as a 'major incident' under the Federal Information Security Modernization Act — the highest cybersecurity classification, triggering mandatory congressional notification within seven days.
March 2026
CNN breaks news of FBI network breach; bureau confirms
Disclosure
CNN reported the breach citing an anonymous source. The FBI confirmed it the same day, stating it had 'taken the necessary steps to mitigate any potential risks.'
FBI alerts Congress to suspicious activity on surveillance network
Congressional Notification
The FBI notified congressional committees that the affected system contained law enforcement-sensitive material, including wiretap returns and personally identifiable information on investigation subjects.
February 2026
FBI detects abnormal activity on its own surveillance network
Detection
FBI analysts flagged abnormal log activity on the Digital Collection System Network (DCS-3000), an internal system managing court-authorized wiretaps and FISA surveillance operations.
FBI official warns Salt Typhoon threat 'still very much ongoing'
Assessment
A top FBI cyber official told CyberTalks in Washington that Salt Typhoon continues to pose a broad threat and that the group is likely holding stolen data 'in perpetuity' for future operations.
August 2025
FBI reveals Salt Typhoon breached 200+ companies across 80 countries
Disclosure
The FBI disclosed the global scope of Salt Typhoon's operations, far exceeding the initial nine U.S. telecom companies first identified.
April 2025
FBI posts $10 million bounty on Salt Typhoon operatives
Law Enforcement
The FBI announced a $10 million reward for information on individuals associated with Salt Typhoon, signaling the severity of the threat.
January 2025
Treasury sanctions Chinese company linked to Salt Typhoon
Sanctions
The Treasury Department sanctioned Sichuan Juxinhe Network Technology Co. for direct involvement with Salt Typhoon's operations against U.S. telecommunications and internet providers.
December 2024
Treasury Department discloses its own breach
Government Response
The Treasury Department revealed Chinese state-sponsored hackers had exploited a vulnerability in BeyondTrust, a third-party remote support tool, to access Treasury systems including the Office of Foreign Assets Control. Treasury classified it as a 'major incident.'
Nine telecom companies confirmed breached
Investigation
U.S. officials disclosed that nine telecommunications companies had been compromised, including AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. AT&T and Verizon announced they had contained the intrusions.
November 2024
FBI and CISA issue joint Salt Typhoon advisory
Government Response
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) jointly confirmed the telecom breaches and issued guidance urging senior officials to use end-to-end encrypted messaging.
October 2024
FISA wiretap systems confirmed compromised
Investigation
U.S. officials revealed the hackers had accessed systems used by law enforcement and intelligence agencies to carry out court-authorized surveillance, including metadata on targets associated with the 2024 presidential campaigns.
August 2024
Washington Post reveals U.S. internet providers compromised
Disclosure
The Washington Post reported that at least two major American internet service providers had been breached by Chinese hackers, the first public disclosure of Salt Typhoon's campaign.
January 2022
Salt Typhoon begins infiltrating U.S. telecom networks
Cyber Operation
Chinese state-sponsored hackers began a multi-year campaign to compromise telecommunications infrastructure, targeting routers and switches at major U.S. providers.
Historical Context
3 moments from history that rhyme with this story — and how they unfolded.
March 2014 – June 2015
Office of Personnel Management breach (2015)
Chinese state-sponsored hackers penetrated the Office of Personnel Management (OPM), the agency that manages federal employee records, and exfiltrated 21.5 million personnel files including security clearance applications (SF-86 forms) containing the most intimate details of intelligence and military personnel — financial histories, foreign contacts, mental health records, and 5.6 million fingerprint records. OPM Director Katherine Archuleta resigned.
Then
The U.S. government had to notify millions of current and former employees that their most sensitive personal data was in Chinese hands. It was widely described as one of the worst intelligence failures in American history.
Now
The breach gave Chinese intelligence a detailed map of the entire U.S. national security workforce. It accelerated federal cybersecurity reforms but produced no significant diplomatic consequences — setting the template for how the U.S. responds to Chinese cyber espionage.
Why this matters now
The OPM breach demonstrated that Chinese intelligence targets the systems that identify who works in U.S. national security. The FBI breach follows the same logic one level deeper — targeting the systems that reveal who U.S. law enforcement is actively watching.
SolarWinds Orion supply chain compromise (2020)
Russian intelligence operatives (SVR / APT29) compromised the build process for SolarWinds' Orion network management software, inserting a backdoor into updates distributed to roughly 18,000 organizations. Breached federal agencies included the Treasury Department, the Department of Homeland Security, the State Department, and parts of the Department of Energy's nuclear weapons complex. FireEye (now Mandiant) discovered the breach in December 2020 after detecting the theft of its own red team tools.
Then
The discovery triggered an emergency directive from CISA ordering all federal agencies to disconnect SolarWinds products. The scope of the compromise shocked even seasoned intelligence officials.
Now
President Biden issued Executive Order 14028 mandating zero-trust architecture, software supply chain security standards, and improved federal cyber incident response — the most significant federal cybersecurity policy change in years.
Why this matters now
The FBI breach entered through a vendor's internet service provider — the same supply chain logic that made SolarWinds devastating. Attackers bypass hardened targets by compromising their less-defended suppliers.
January – March 2021
Microsoft Exchange / Hafnium zero-day campaign (2021)
Hafnium, a Chinese state-sponsored group, exploited four zero-day vulnerabilities in Microsoft Exchange Server (dubbed ProxyLogon) to compromise an estimated 250,000 servers worldwide. Unlike typical espionage operations, the attackers deployed web shells enabling persistent broad access, and criminal groups piled on after the vulnerabilities became public. In July 2021, the U.S. formally attributed the attack to China's Ministry of State Security — joined by NATO allies, the European Union, and others — marking a significant diplomatic escalation.
Then
Mass patching campaigns, emergency CISA directives, and an unprecedented multinational attribution statement naming MSS as responsible.
Now
Established the precedent of coordinated Western attribution of Chinese cyber operations and demonstrated that MSS-linked groups operate with increasing boldness against global targets.
Why this matters now
Like the FBI breach, the Exchange campaign was attributed to China's Ministry of State Security — the same parent organization linked to Salt Typhoon. It showed MSS-affiliated groups scaling from targeted espionage to broad infrastructure compromise.