FBI Surveillance System Hit in Suspected Chinese Government Hack, Officials Say
- FBI network storing domestic surveillance orders was breached by hackers U.S. officials link to Beijing.
- Investigators have not yet quantified what data, if any, was removed or copied.
- Incident marks at least the third suspected Chinese intrusion into federal law-enforcement systems since 2020.
- Early-stage probe could shift as forensic analysts sift through audit logs.
The breach raises fears that foreign spies now have a window into secret U.S. court-approved wiretaps and location tracking.
CHINA—Federal investigators have concluded that hackers working on behalf of the Chinese government penetrated an internal Federal Bureau of Investigation computer network used to manage domestic surveillance orders, according to people directly familiar with the matter who were not authorized to speak publicly.
The intrusion, uncovered within the past two weeks, targeted a tightly controlled repository that houses documentation for court-approved electronic eavesdropping requests, physical searches, and sealed subpoenas related to national-security investigations inside the United States, the people said.
While the FBI has not yet determined whether any data was actually exfiltrated, the mere access could give Beijing a rare look at the Bureau’s most sensitive investigative methods, former officials warned.
How the Intrusion Was Detected
FBI cyber-defense teams first noticed anomalous traffic during routine log review on a classified network segment reserved for Foreign Intelligence Surveillance Act (FISA) materials, according to two people briefed on the incident. The system, isolated from the Bureau’s everyday email and case-management platforms, is accessible only to agents and analysts with top-secret clearance and a need-to-know designation.
Initial telemetry showed a credential-stuffing attempt followed by lateral movement that lasted less than 90 minutes before being cut off, one of the people said. Because the network is air-gapped from the public internet, investigators suspect the attackers either hijacked a trusted third-party update channel or used a compromised removable drive to gain an initial foothold.
Zero trust or zero tolerance?
John Hultquist, vice-president of intelligence analysis at Mandiant, told reporters last month that Chinese intruders have increasingly ‘lived-off-the-land,’ abusing legitimate administrative tools to avoid triggering endpoint alarms. ‘They don’t need to install malware if they can simply ride an admin’s session,’ Hultquist said. The FBI declined to confirm whether that technique was observed in this incident.
Forensic teams have imaged 42 servers and more than 800 user workstations tied to the affected enclave, sources said. So far, no evidence of data theft has emerged, but officials caution that audit logs on one legacy Solaris file server were incomplete because of a misconfigured retention policy.
The network in question processes roughly 1,100 new surveillance requests each month, according to the Administrative Office of the U.S. Courts. Any breach could expose not only the targets of those orders but also the technological and human sources used to satisfy probable-cause requirements.
Investigators will next expand the hunt to classified networks at the Drug Enforcement Administration and the Bureau of Alcohol, Tobacco, Firearms and Explosives, which share FISA data with the FBI under Attorney General-approved memoranda of understanding.
Why Chinese Spies Want Surveillance Files
Accessing FBI surveillance orders gives Beijing a strategic road map of which Chinese agents, front companies, and diplomatic facilities are under U.S. scrutiny, former intelligence officials say. The Ministry of State Security (MSS) has long prioritized counter-intelligence insight to protect its own operations and to feed disinformation campaigns, according to a 2021 Department of Justice indictment against four Chinese hackers.
‘If you know which phones are tapped, you can reroute your communications; if you know which businesses are watched, you shift your procurement elsewhere,’ said Amy Zegart, a senior fellow at Stanford’s Hoover Institution. Zegart, who reviewed the FBI incident summary at the request of congressional staffers, said the value of such intelligence is ‘measured less in pages stolen than in operations quietly redirected.’
Pattern of targeting federal systems
This breach fits a broader pattern. In March 2021, the U.S. linked MSS-affiliated actors to the compromise of at least nine federal agencies via a flaw in SolarWinds software. A year earlier, the Justice Department revealed that Chinese intruders had accessed the Office of Personnel Management database, making off with 5.6 million fingerprint records.
No public estimate exists for how many FBI surveillance targets are linked to Chinese counter-intelligence, but a 2022 ODNI report submitted to Congress identified roughly 1,400 ongoing investigations into suspected Beijing-directed economic espionage inside the United States.
The latest intrusion could also reveal the Bureau’s so-called ‘two-hop’ practices—surveillance not just of a primary suspect but of every contact of that suspect—potentially exposing hundreds of incidental American citizens who were never charged with a crime.
Beijing’s embassy in Washington did not respond to emailed questions, but China’s Foreign Ministry has repeatedly denied sponsoring cyberattacks, calling such allegations ‘groundless and irresponsible.’
Still, FBI Director Christopher Wray told lawmakers last year that Chinese hacking attempts occur ‘every 12 hours on average,’ a tempo that has forced the Bureau to dedicate one-fifth of its cyber division to China-focused cases.
Is the FBI’s Classified Network Architecture Still Secure?
The Bureau’s High-Value Asset (HVA) network that was breached is supposed to meet the most stringent protections under the National Security Agency’s Commercial Solutions for Classified (CSfC) framework, including hardware-rooted disk encryption, multi-factor authentication, and mandatory ‘red-black’ separation of data flows. Yet the suspected compromise shows gaps remain, cybersecurity experts said.
‘Compliance does not equal security,’ said Suzanne Spaulding, former under-secretary of the Department of Homeland Security’s National Protection and Programs Directorate. Spaulding, who now advises the Center for Strategic and International Studies, said legacy Solaris servers can fall outside modern zero-trust monitoring tools because they lack the APIs needed for continuous telemetry.
Funding shortfalls complicate upgrades
Congress appropriated only $9.8 billion for the FBI in fiscal 2023, a 3% real-term decline after inflation. A classified Senate Intelligence briefing slide, viewed by the Wall Street Journal, shows the Bureau’s IT modernization account is $265 million short of the amount requested to replace aging HVA servers by 2025.
Without that money, the Bureau has prioritized replacing only the top 5% of its oldest systems—those more than 14 years old—leaving roughly 180 Solaris and AIX servers still online, according to the same slide.
Officials stress that no evidence has emerged indicating the attackers moved laterally into the FBI’s main Sentinel case-management system, which holds millions of investigative files. Yet the incident has triggered a department-wide review of privileged-access accounts, with 1,100 system admins now required to re-certify their credentials within 30 days.
Separately, the Office of Management and Budget has ordered all federal agencies to submit within 45 days a detailed inventory of every internet-facing interface linked to classified networks, a directive that could delay several planned cloud-migration projects at the Bureau.
What Happens Next in the Investigation
The case has been folded into a broader counter-intelligence probe run out of the FBI Washington Field Office and the National Security Division at Main Justice. Agents are now comparing malware signatures, IP addresses, and command-and-control beaconing patterns against those observed in the 2021 SolarWinds follow-on intrusions attributed to the MSS-affiliated group APT41, two officials said.
Because the surveillance orders touched by the breach are authorized under FISA, any evidence derived from them could be subject to disclosure in future criminal trials. Defense attorneys have already filed motions in at least three separate espionage cases in New York and California demanding the government reveal whether the hack compromised evidence against their clients, according to federal court dockets reviewed by the Journal.
Congressional pressure builds
Senate Intelligence Committee Chairman Mark Warner (D., Va.) and Vice-Chair Marco Rubio (R., Fla.) sent a bipartisan letter to Attorney General Merrick Garland on Monday asking for a classified briefing within 14 calendar days. The lawmakers want to know whether the breach meets the threshold for a formal ‘major incident’ designation under the Federal Information Security Modernization Act, which would trigger mandatory reporting to Congress and accelerated patching timelines.
Meanwhile, the FBI’s own Inspection Division has opened an internal accountability review. One possible outcome, sources said, is a renewed push to migrate all FISA-related workflows to a segregated cloud environment run by the Intelligence Community’s Commercial Cloud Enterprise contract, a move that could cost more than $400 million over five years.
Whether the Bureau can sustain that expense remains uncertain. The Government Accountability Office last month labeled the FBI’s IT modernization plan ‘high risk’ because of funding gaps and staffing shortfalls in its 1,300-member cyber division, which currently sees an annual attrition rate of 11%.
Investigators caution that attribution can shift as more forensic data arrives, but for now the public line remains firm: Beijing-directed actors are the prime suspects in what could become the most significant breach of a U.S. domestic surveillance system since the 2001 ramp-up of intelligence powers.
Frequently Asked Questions
Q: What FBI network did the suspected Chinese hackers breach?
Investigators believe the intruders accessed an internal FBI computer system that stores case files tied to domestic surveillance orders—court-approved warrants and subpoenas used in national-security probes inside the United States.
Q: How severe is the breach?
The scope is still unknown; the investigation is early-stage. Officials have not ruled out the possibility that classified investigative techniques, targets’ identities, or the orders themselves were viewed or copied.
Q: Why would Chinese actors target FBI surveillance data?
Gaining visibility into U.S. counter-intelligence methods lets Beijing map American informants, anticipate investigations, and adjust its own espionage tradecraft to avoid detection inside the United States.