The Federal Bureau of Investigation scrambled to respond to what it said were “suspicious activities on FBI networks” – the third significant cybersecurity incident in the past five years that it has publicly disclosed.
The breach affected a sensitive “network used to manage wiretaps and intelligence surveillance warrants”, CNN first reported on March 5.
“We have leveraged all technical capabilities to respond,” the FBI told press. (As of 2024 the FBI had an annual cybersecurity budget of $122.9 million.)
The FBI breach news leaked 10 days after the Australian Cyber Security Centre revealed that a critical Cisco vulnerability had been exploited unnoticed in the wild for some three years. The vulnerability lets attackers get “root” control over SD-WAN network management systems.
That prompted the key cybersecurity agencies of all “Five Eyes” intelligence partners to call for urgent threat-hunting by defenders. The vulnerability, allocated CVE-2026-20127, affects Cisco SD-WAN deployments including on-premises, Cisco-hosted, and even secure FedRAMP environments.
A later security advisory from Cisco, updated on March 5 (the same day the FBI news leaked), showed that two new vulnerabilities in the same product are also being exploited in the wild: CVE-2026-20128 and CVE-2026-20122.
(The Stack could not immediately confirm that the Cisco vulnerability was exploited in the FBI incident, and there may be no connection, although recent disclosures by public-sector organisations made shortly after 0day exploitation is reported have, indeed, turned out to be related.)
The incident comes after the FBI in 2023 suggested that computer systems used in investigations of images of child sexual exploitation had been affected by a cybersecurity incident. One former FBI cyber officer, Austin Berglas, told The Stack at the time that evidence seized during investigations, like external storage devices, is “scanned for malware or malicious files prior to processing on computers with specialised forensic software used to extract information contained on the devices.”
“These forensic computers are stand-alone and are not connected to any internal, classified system,” he added – caveating that with the comment that “new variants of malware and malicious files find their way on to the Internet every day, so there are instances where scans fail to identify a dangerous file prior to the CART examiner uploading to a forensic computer, but any infection would be contained to the examination network.”
In 2021, meanwhile, someone exploited a software flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP) to send thousands of emails appearing as if they came from the FBI. The FBI described LEEP as “a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities [that] provides web-based investigative tools and analytical resources [to let] users collaborate in a secure environment, use tools to strengthen their cases, and share departmental documents.”
The actual IT infrastructure of the LEEP itself was not breached. Rather, the hacker exploited a flaw in how the portal generates and confirms new accounts for users – and the FBI played it down as a “misconfiguration.”