Cyber Incident Victim: Federal Bureau of Investigation
Date: Feb 2026
Location: United States of America
Summary
Federal Bureau of Investigation concluded that a breach of its surveillance network qualifies as a major incident after investigators detected abnormal activity and determined the intrusion likely caused demonstrable harm. The bureau said the attackers used sophisticated techniques, including exploiting a commercial internet service provider’s infrastructure to bypass security controls, and that the compromised system holds law‑enforcement sensitive information such as pen register and trap and trace returns as well as personally identifiable information of investigation subjects. Separately, malicious actors targeted the director’s personal email, posting historical messages and photos that the bureau confirmed were the focus of the activity while noting the data involved no government information. The actors have been linked to Iran’s Ministry of State Security, which prompted a bounty offer, and they also claimed to have accessed the bureau’s network without offering specifics.
Description
On February 17 the FBI began investigating abnormal log information on an internal system that contains law‑enforcement sensitive data, including pen register and trap and trace returns and personally identifiable information pertaining to subjects of bureau investigations, after noticing suspicious cyber activity on its network. The bureau sent a notification to members of Congress describing the affected system as unclassified and noting that the observed techniques appeared sophisticated, specifically leveraging a commercial Internet Service Provider vendor’s infrastructure to bypass FBI network security controls. The notice, reviewed by Bloomberg News and Politico, stated that the FBI was still working to assess the scope and impact of the incident and had not yet identified the responsible party. On March 23 senior Justice Department officials determined that the intrusion qualified as a “major incident” under the 2014 Federal Information Security Modernization Act, a designation reserved for breaches likely to cause demonstrable harm to national security or to expose significant amounts of personally identifiable information. In response, the Justice Department initiated a working group focused on enhancing cyber resilience and improving incident‑response processes, while FBI and Justice officials conducted forensic examinations and other remedial efforts. The White House, National Security Agency and Cybersecurity and Infrastructure Security Agency were engaged to assist with the probe, as disclosed by officials familiar with the talks.

Separately, on March 27 the FBI confirmed that it was aware of malicious actors targeting the personal email of Director Kash Patel, describing the information involved as historical and containing no government data; the agency said it had taken all necessary steps to mitigate potential risks. An Iran‑linked hacking group called Handala claimed to have accessed Patel’s email and posted documents and photos, with most messages dating from 2012 to 2014 and at least one from 2022, and also asserted that it had breached an FBI network without providing specifics on what information may have been accessed. The Department of Justice tied Handala to Iran’s Ministry of State Security and announced a $10 million bounty for information about the group, while a DOJ official granted anonymity said the material posted about Patel appeared credible. Earlier in March, two senior Trump administration officials speaking anonymously told POLITICO that China was suspected to be behind the surveillance‑system breach, and the notice to Congress referenced the techniques as resembling those used by Chinese state‑linked groups such as Salt Typhoon, which had previously compromised U.S. telecommunications providers in 2024. The FBI also noted that the incident marked the second major hack to expose law‑enforcement sensitive data since President Trump returned to office, following a prior compromise of the federal judiciary’s online case‑management system.
The FBI stated that it would continue to pursue the actors responsible, support victims, and share actionable intelligence in defense of its networks, and that it had identified suspicious cyber activities and was leveraging all technical capabilities to respond. The bureau’s statement on the Patel email compromise emphasized that it had taken steps to mitigate risks associated with that activity. The Justice Department’s working group on cyber resilience was tasked with improving cyber incident‑response processes across the agency. Throughout the notifications to Congress and public statements, the FBI maintained that it had not yet determined the full scope or impact of the surveillance‑system breach but affirmed that the threat actor’s techniques identified to date appeared sophisticated. The combined response included forensic analysis, inter‑agency coordination with the White House, NSA and CISA, and efforts to strengthen cyber defenses while investigations remained ongoing.
