The FBI has formally classified a suspected Chinese intrusion into its Digital Collection System Network (DCSNet) as a “major incident” under the Federal Information Security Modernization Act (FISMA), triggering mandatory congressional notification. The breach targeted DCS-3000 — internally known as Red Hook — the bureau’s unclassified system for managing court-authorized wiretaps, pen registers, trap-and-trace collection, and FISA surveillance requests.

This is reportedly the first time the FBI has declared a major cyber incident since 2020.

What happened

On February 17, 2026, FBI analysts flagged anomalous log activity on DCS-3000. An internal investigation confirmed unauthorized access. The bureau notified Congress on March 4 that it was investigating suspicious activity on one of its sensitive internal networks, though it initially withheld attribution details. CNN broke the story publicly on March 5.

By April 1, the FBI had escalated the classification to a FISMA major incident — a threshold that requires congressional notification within seven days and signals that sensitive data may have been substantially compromised.

How they got in

The attackers didn’t hit the FBI directly. According to the bureau’s own description, the intrusion was achieved by “leveraging a commercial Internet Service Provider’s vendor infrastructure.” This is a textbook vendor supply chain attack: compromise a trusted third-party provider to reach the actual target.

Investigators have focused on Salt Typhoon (also tracked as GhostEmperor by some vendors), a threat actor linked to China’s Ministry of State Security (MSS). Salt Typhoon has a documented history of targeting U.S. telecommunications infrastructure. Between 2019 and 2024, the group breached all three major U.S. cellular providers, siphoning call records from tens of millions of Americans and accessing lawful intercept infrastructure in the process.

The ISP vendor pivot is consistent with Salt Typhoon’s known tradecraft: rather than attacking hardened government systems head-on, the group targets the commercial infrastructure that government systems depend on.

What was exposed

DCS-3000 processes pen register and trap-and-trace surveillance data — call metadata including numbers dialed, routing information, and the identities of individuals under active FBI investigation. The FBI has confirmed that phone numbers of surveillance targets were exposed.

While DCSNet is designated an unclassified system, the data it handles is law enforcement sensitive. Exposure of surveillance targets could compromise active investigations, endanger confidential sources, and — if Chinese intelligence was indeed behind the breach — reveal which of China’s own operatives in the U.S. are under FBI surveillance.

Why this matters for infrastructure teams

This breach is a case study in why vendor and ISP trust boundaries matter:

Third-party infrastructure is your attack surface. The FBI’s own systems weren’t directly compromised — a vendor’s ISP infrastructure was. If your wiretap system, monitoring pipeline, or any critical internal service depends on a commercial provider, that provider’s security posture is your security posture.

Unclassified doesn’t mean unimportant. DCS-3000 sits on an unclassified network, but the data flowing through it is extraordinarily sensitive. Plenty of organizations make the same mistake: putting sensitive workflows on infrastructure that gets less security attention because it isn’t in the “classified” or “production-critical” tier.

Supply chain attacks keep escalating. Salt Typhoon’s playbook — compromise the vendor, pivot to the target — is the same pattern we’ve been tracking in package registries and CI/CD pipelines. The difference is scale and stakes.

What to do

  • Audit vendor access paths. Map which commercial providers have network connectivity to your sensitive systems. Understand what they can reach and what lateral movement looks like from their infrastructure into yours.
  • Monitor for anomalous log activity. The FBI caught this through log analysis. If you’re not shipping logs from every system that touches sensitive data to a centralized SIEM with behavioral baselines, you’re flying blind.
  • Segment surveillance and monitoring infrastructure. Systems that handle lawful intercept, internal monitoring, or any kind of sensitive collection should be network-segmented from general-purpose infrastructure — including from the ISP uplinks they depend on.
  • Review FISMA and NIST 800-53 controls. If you’re in the federal space or subject to similar compliance regimes, this incident is a reminder that supply chain risk (SA-12, SR family) and continuous monitoring (CA-7) controls exist for exactly this scenario.
  • Track Salt Typhoon IOCs. CISA and the FBI have previously published advisories related to Salt Typhoon activity against U.S. telecom infrastructure. Review and apply any relevant indicators to your network monitoring.
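As an added illustration (not code from the article or from any FBI system), the following Python sketch combines the "audit vendor access paths" and "anomalous log activity" points above: it builds a per-user behavioral baseline from a known-good window of audit logs, then flags later events that originate in a vendor/ISP management range or fall outside that baseline. The log format, user names, address ranges and every log line are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed audit log lines (not from the page): timestamp user source_ip action.
BASELINE_LOGS = """\
2026-02-10T09:12:04Z analyst1 10.20.1.15 QUERY_PEN_REGISTER
2026-02-10T10:40:51Z analyst2 10.20.1.22 VIEW_TARGET_LIST
2026-02-11T14:03:17Z analyst1 10.20.1.15 QUERY_PEN_REGISTER
2026-02-12T11:55:33Z analyst3 10.20.2.8 EXPORT_CALL_METADATA
""".splitlines()
NEW_LOGS = """\
2026-02-17T02:14:09Z analyst2 10.20.1.22 VIEW_TARGET_LIST
2026-02-17T02:15:41Z svc-backup 203.0.113.45 EXPORT_CALL_METADATA
2026-02-17T09:30:02Z analyst1 10.20.1.15 QUERY_PEN_REGISTER
""".splitlines()
# Hypothetical address space a commercial ISP/vendor uses to manage gear on our network.
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def parse(line):
    # Split one audit line into fields; hour of day drives the time-of-use baseline.
    ts, user, ip, action = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "hour": int(ts[11:13]), "action": action}

def build_baseline(lines):
    """Per user, record source addresses and hours of day seen in a known-good window."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in map(parse, lines):
        base[e["user"]]["ips"].add(e["ip"])
        base[e["user"]]["hours"].add(e["hour"])
    return dict(base)

def detect(lines, baseline, vendor_ranges=VENDOR_RANGES):
    """Return (line, reasons) for each event from vendor space or outside the user's baseline."""
    findings = []
    for line in lines:
        e = parse(line)
        reasons = []
        if any(e["ip"] in net for net in vendor_ranges):
            reasons.append("source in vendor/ISP management range")
        prof = baseline.get(e["user"])
        if prof is None:
            reasons.append("user never seen in baseline")
        else:
            if e["ip"] not in prof["ips"]:
                reasons.append("new source address for user")
            if e["hour"] not in prof["hours"]:
                reasons.append("outside user's usual hours")
        if reasons:
            findings.append((line, reasons))
    return findings
```

In a real deployment the baseline window would be days or weeks of SIEM data and the vendor ranges would come from the access-path audit, not a hard-coded list.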
