Salt Typhoon, a hacking group tied to China's Ministry of State Security, spent years quietly burrowing into American telecommunications networks — AT&T, Verizon, and at least seven others — accessing the systems that carry out court-authorized wiretaps. Now it has reached the Federal Bureau of Investigation (FBI) itself. On April 1, 2026, the FBI classified a breach of its Digital Collection System Network, the internal platform managing surveillance operations under the Foreign Intelligence Surveillance Act (FISA), as a 'major incident' — the most serious cybersecurity designation available under federal law. It is the first time the bureau has made that determination about its own systems since at least 2020.
The attackers entered through a vendor's internet service provider — a supply chain route that bypassed the FBI's perimeter defenses — and accessed metadata showing which phone numbers were under surveillance, personal details of investigation subjects, and legal process returns gathered under court orders. The breach was detected on February 17 when analysts flagged abnormal log activity, but the scope of what was taken remains under investigation. Congress was notified in early March. The intrusion means China's intelligence apparatus may now know not just who American law enforcement is watching, but how.
Why it matters
China may now know who the FBI is wiretapping and how its surveillance operations work.
Key Indicators
200+
Companies breached by Salt Typhoon globally
The FBI disclosed in August 2025 that Salt Typhoon compromised at least 200 organizations across 80 countries.
1M+
Americans whose data was directly stolen
An FBI deputy assistant director stated Salt Typhoon stole information from well over a million Americans through the telecom campaign alone.
44 days
Detection-to-classification gap
From detection on February 17 to formal 'major incident' classification on April 1 — a measure of how long assessment took.
1st since 2020
FBI self-declared major incident
A former FBI cyber division official said she is unaware of the bureau making this determination on its own systems since at least 2020.
Politico reported the FBI formally designated the intrusion as a 'major incident' under the Federal Information Security Modernization Act — the highest cybersecurity classification, triggering mandatory congressional notification within seven days.
CNN breaks news of FBI network breach; bureau confirms
Disclosure
CNN reported the breach citing an anonymous source. The FBI confirmed it the same day, stating it had 'taken the necessary steps to mitigate any potential risks.'
FBI alerts Congress to suspicious activity on surveillance network
Congressional Notification
The FBI notified congressional committees that the affected system contained law enforcement-sensitive material, including wiretap returns and personally identifiable information on investigation subjects.
FBI detects abnormal activity on its own surveillance network
Detection
FBI analysts flagged abnormal log activity on the Digital Collection System Network (DCS-3000), an internal system managing court-authorized wiretaps and FISA surveillance operations.
FBI official warns Salt Typhoon threat 'still very much ongoing'
Assessment
A top FBI cyber official told CyberTalks in Washington that Salt Typhoon continues to pose a broad threat and that the group is likely holding stolen data 'in perpetuity' for future operations.
FBI reveals Salt Typhoon breached 200+ companies across 80 countries
Disclosure
The FBI disclosed the global scope of Salt Typhoon's operations, far exceeding the initial nine U.S. telecom companies first identified.
FBI posts $10 million bounty on Salt Typhoon operatives
Law Enforcement
The FBI announced a $10 million reward for information on individuals associated with Salt Typhoon, signaling the severity of the threat.
Treasury sanctions Chinese company linked to Salt Typhoon
Sanctions
The Treasury Department sanctioned Sichuan Juxinhe Network Technology Co. for direct involvement with Salt Typhoon's operations against U.S. telecommunications and internet providers.
Treasury Department discloses its own breach
Government Response
The Treasury Department revealed Chinese state-sponsored hackers had exploited a vulnerability in BeyondTrust, a third-party remote support tool, to access Treasury systems including the Office of Foreign Assets Control. Treasury classified it as a 'major incident.'
Nine telecom companies confirmed breached
Investigation
U.S. officials disclosed that nine telecommunications companies had been compromised, including AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. AT&T and Verizon announced they had contained the intrusions.
FBI and CISA issue joint Salt Typhoon advisory
Government Response
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) jointly confirmed the telecom breaches and issued guidance urging senior officials to use end-to-end encrypted messaging.
FISA wiretap systems confirmed compromised
Investigation
U.S. officials revealed the hackers had accessed systems used by law enforcement and intelligence agencies to carry out court-authorized surveillance, including metadata on targets associated with the 2024 presidential campaigns.
Washington Post reveals U.S. internet providers compromised
Disclosure
The Washington Post reported that at least two major American internet service providers had been breached by Chinese hackers, the first public disclosure of Salt Typhoon's campaign.
Salt Typhoon begins infiltrating U.S. telecom networks
Cyber Operation
Chinese state-sponsored hackers began a multi-year campaign to compromise telecommunications infrastructure, targeting routers and switches at major U.S. providers.
Scenarios
1
Full scope revealed: China accessed active FISA surveillance targets
Discussed by: Cybersecurity analysts at The Register, Malwarebytes, and former FBI officials quoted across multiple outlets
The ongoing damage assessment determines that Salt Typhoon accessed not just metadata and system architecture, but records identifying active surveillance targets under FISA orders — potentially allowing Chinese intelligence to warn its own operatives and assets operating in the United States. This would represent an intelligence catastrophe on par with the 2015 Office of Personnel Management breach, forcing the FBI to re-evaluate active counterintelligence operations and potentially burn ongoing investigations.
The confirmed supply chain attack vector — entry through a vendor's internet service provider rather than a direct assault on FBI systems — leads to a broader reckoning over third-party access to sensitive law enforcement networks. Congress mandates new vendor security standards for agencies handling surveillance data, similar to how the SolarWinds breach produced Executive Order 14028 on federal cybersecurity. The FBI overhauls its supply chain security requirements.
3
Breach fuels push to reform or restrict FISA surveillance authorities
Discussed by: Civil liberties organizations, Senator Ron Wyden, and privacy advocates cited in multiple reports
Privacy advocates and some lawmakers use the breach to argue that centralized surveillance databases are inherently high-value targets that endanger the people they collect data on. The breach becomes a reference point in the next FISA reauthorization debate, with some pushing for stricter data minimization requirements or limits on how long surveillance returns are stored on networked systems.
4
Diplomatic fallout remains minimal as U.S.-China tensions absorb the incident
Discussed by: Foreign policy analysts, State Department watchers
Despite the severity of the breach, it produces no major diplomatic rupture. China denies involvement, as it has with every prior attribution. The U.S. issues additional sanctions or indictments against named individuals but takes no escalatory action, following the pattern established after the OPM breach, the telecom intrusions, and the Treasury hack. The incident becomes another data point in a normalized state of persistent cyber conflict between the two countries.
Historical Context
Office of Personnel Management breach (2015)
March 2014 – June 2015
What Happened
Chinese state-sponsored hackers penetrated the Office of Personnel Management (OPM), the agency that manages federal employee records, and exfiltrated 21.5 million personnel files including security clearance applications (SF-86 forms) containing the most intimate details of intelligence and military personnel — financial histories, foreign contacts, mental health records, and 5.6 million fingerprint records. OPM Director Katherine Archuleta resigned.
Outcome
Short Term
The U.S. government had to notify millions of current and former employees that their most sensitive personal data was in Chinese hands. It was widely described as one of the worst intelligence failures in American history.
Long Term
The breach gave Chinese intelligence a detailed map of the entire U.S. national security workforce. It accelerated federal cybersecurity reforms but produced no significant diplomatic consequences — setting the template for how the U.S. responds to Chinese cyber espionage.
Why It's Relevant Today
The OPM breach demonstrated that Chinese intelligence targets the systems that identify who works in U.S. national security. The FBI breach follows the same logic one level deeper — targeting the systems that reveal who U.S. law enforcement is actively watching.
Russian intelligence operatives (SVR / APT29) compromised the build process for SolarWinds' Orion network management software, inserting a backdoor into updates distributed to roughly 18,000 organizations. Breached federal agencies included the Treasury Department, the Department of Homeland Security, the State Department, and parts of the Department of Energy's nuclear weapons complex. FireEye (now Mandiant) discovered the breach in December 2020 after detecting the theft of its own red team tools.
Outcome
Short Term
The discovery triggered an emergency directive from CISA ordering all federal agencies to disconnect SolarWinds products. The scope of the compromise shocked even seasoned intelligence officials.
Long Term
President Biden issued Executive Order 14028 mandating zero-trust architecture, software supply chain security standards, and improved federal cyber incident response — the most significant federal cybersecurity policy change in years.
Why It's Relevant Today
The FBI breach entered through a vendor's internet service provider — the same supply chain logic that made SolarWinds devastating. Attackers bypass hardened targets by compromising their less-defended suppliers.
Microsoft Exchange / Hafnium zero-day campaign (2021)
January – March 2021
What Happened
Hafnium, a Chinese state-sponsored group, exploited four zero-day vulnerabilities in Microsoft Exchange Server (dubbed ProxyLogon) to compromise an estimated 250,000 servers worldwide. Unlike typical espionage operations, the attackers deployed web shells enabling persistent broad access, and criminal groups piled on after the vulnerabilities became public. In July 2021, the U.S. formally attributed the attack to China's Ministry of State Security — joined by NATO allies, the European Union, and others — marking a significant diplomatic escalation.
Outcome
Short Term
Mass patching campaigns, emergency CISA directives, and an unprecedented multinational attribution statement naming MSS as responsible.
Long Term
Established the precedent of coordinated Western attribution of Chinese cyber operations and demonstrated that MSS-linked groups operate with increasing boldness against global targets.
Why It's Relevant Today
Like the FBI breach, the Exchange campaign was attributed to China's Ministry of State Security — the same parent organization linked to Salt Typhoon. It showed MSS-affiliated groups scaling from targeted espionage to broad infrastructure compromise.