FBI Surveillance Systems the Latest Target of Security Breach by State-Backed Chinese Hackers

March 12, 2026


State-backed Chinese threat actors have once again been linked to a high-profile security breach, this time of FBI surveillance systems used for foreign intelligence interception orders.

The incident has not yet officially been made public and the investigation is reportedly in its earliest stages, so no specific APT group has been named. The tactics and objectives immediately call Salt Typhoon to mind, however, with the group similarly targeting domestic law enforcement surveillance systems when it broke into the major US mobile phone carriers.

Security breach tied to unspecified Chinese hacking group, but has familiar hallmarks

The information about the security breach comes from a memo to Congress shared by an inside source with a number of major media outlets. The memo is the only concrete piece of information thus far, but it does provide a range of details, including suspicions of involvement by Chinese hackers. The incident certainly looks like a typical action by Salt Typhoon, one of the leading APT groups backed directly by the Chinese Ministry of State Security. As part of its long campaign of espionage from 2019 to 2024, that group leveraged its extensive breach of US telecom companies to penetrate domestic surveillance systems used for lawful wiretaps by law enforcement agencies.

And, as with some of these prior espionage campaigns, it seems that the hackers were not looking so much for direct interception of communications but instead for metadata. This has its own value for a number of purposes, chief among them identifying what law enforcement might know about Chinese spies in the country and identifying the US’s own intelligence assets. Metadata can also be helpful in identifying targets for spearphishing and how to approach them as a trusted contact, something these groups have made use of to engage in follow-up breaches of government and corporate espionage targets.

We also know from the memo that the FBI surveillance systems were unclassified and did not give the attackers direct access to communications, but did furnish them with a lot of valuable information about who is under surveillance. The memo specifies that the hackers had access to materials such as pen register and trap and trace surveillance returns, all elements that are focused on monitoring call metadata rather than the contents of calls or text messages, and would have been able to access the personally identifiable information of some surveillance suspects.

Total scope of surveillance systems breach still not known

The memo also includes at least some technical details of the security breach. The hackers are described as sophisticated, using advanced techniques, and gaining entry to the surveillance systems through their prior access to a vendor of a commercial internet service provider. Again, this calls to mind how Salt Typhoon usually operates.

It is unsurprising that the incident with the surveillance systems has not yet been officially reported to the public, and it may never be. A security breach at the FBI usually won’t make news unless it involves the sensitive personal information of subjects. But it does raise the question of what the “Typhoon” groups have been up to as of late, and whether there are still large-scale hacking campaigns under way that we are not yet aware of.

Government agencies are more put-upon than ever in terms of cyber defense, forced to monitor for anomalies at all times and ideally to adopt the latest real-time threat detection measures to keep up with adversaries. Some have pointed the finger at budget cuts, but there is always a high likelihood of these sorts of breaches occurring at some point, given the complexity of interlocking government systems, the value of the information in them, and, as of late, the changeover in administration as personnel and policies are replaced and updated.