Chinese Entity Responsible For Cyber Attacks: What It Means For Private Sector Security

Yesterday, Deputy Prime Minister Oliver Dowden addressed Parliament regarding the 2021 cyber attacks on the Electoral Commission, which compromised the personal data of millions of UK voters. Despite this revelation surfacing only towards the end of last year, it took several additional months to reach the point where blame could be assigned.

Although speculation had hinted at China’s involvement in the attacks, it has been officially confirmed today. Chinese state-affiliated entities have been identified as responsible for the breach of voter data from the Electoral Commission, alongside other digital offences targeting various private sectors.

This development raises significant questions about UK-China relations, which not long ago seemed poised to enter a “Golden Age”, and underscores broader concerns about the state of private sector security.

“malicious cyber campaigns”

In a newly issued press release, the UK government has publicly identified Chinese state-affiliated entities and individuals responsible for two “malicious cyber campaigns targeting democratic institutions and parliamentarians.”

According to findings from the National Cyber Security Centre (NCSC), a division of GCHQ, there is strong evidence suggesting the involvement of a Chinese state-affiliated entity in the cyber attack on the UK Electoral Commission system between 2021 and 2022. Additionally, the NCSC asserts with high confidence that the Advanced Persistent Threat Group 31 (APT31), linked to the Chinese state, conducted reconnaissance operations targeting UK parliamentarians in a separate campaign in 2021.

The 2021 parliamentary campaign was primarily aimed at individuals vocal in condemning China’s malign activities. Notably, this likely includes members such as former Conservative leader Sir Iain Duncan Smith, former minister Tim Loughton, and SNP’s Stewart McDonald, who are part of the Inter-Parliamentary Alliance on China, known for scrutinizing and frequently criticizing Beijing’s actions.

Despite these targeted efforts, it appears that no parliamentary accounts were successfully compromised.

The UK’s Response: A Little Too Late?

The UK government has proceeded to call this “a clear pattern of malicious cyber activity by Chinese state-affiliated organisations and individuals targeting democratic institutions and parliamentarians in the UK and beyond.”

In response to the events, the Foreign, Commonwealth and Development Office has today summoned the Chinese Ambassador to the UK and sanctioned a front company and 2 individuals who are members of APT31.

Foreign Secretary Lord Cameron said: “It is completely unacceptable that China state-affiliated organisations and individuals have targeted our democratic institutions and political processes. While these attempts to interfere with UK democracy have not been successful, we will remain vigilant and resilient to the threats we face.”

Despite assertions from Lord Cameron and Mr Dowden that “the UK will not tolerate malicious cyber activities aimed at our democratic institutions,” is this show of bravado all a little too late? Questions must arise over whether this display of resolve against the Eastern superpower should have been made a priority sooner.

Mr Loughton has emphasised that the government has long failed to take the “strategic threat” from China seriously, stressing the need for significant sanctions against senior Chinese officials due to ongoing issues such as the aforementioned cyber attacks.

Jamie Moles, Technical Manager at ExtraHop, echoed similar sentiments in a comment to TechRound: “The breach must act as a wake-up call for the entire UK. State-sponsored attacks are on the rise, and critical infrastructure is a prime target.”

Private Sector Security Concerns

Despite the UK government’s emphasis on severing ties with China, including the rejection or reduction of Chinese infrastructure, in defence of British safety, doubts persist regarding the extent to which the UK will act and whether our private sector and infrastructure are truly secure.

After all, in response to the government’s pledge to reduce Chinese infrastructure, Energy Minister Andrew Bowie has insisted that the government maintains a “pragmatic relationship” with Beijing, citing reports of China’s EVE Energy planning to invest in a battery plant in the West Midlands.

This raises serious concerns about the safety of UK infrastructure. And given the numerous successful cyber attacks of recent years, can it really be said that the state of our private sector is any more secure?

John Hultquist, Chief Analyst, Mandiant Intelligence at Google Cloud, tells TechRound: “The private sector remains a major target for cyber espionage, which is ironically often carried out by private sector contractors working for intelligence services. The makers of healthcare, defence, and chip technology are of special interest to these actors, and there’s little doubt this information will be used to undermine these companies in the market.

“We are no longer in the era of brazen, loud intrusions against wide swaths of the economy. The activity we see now is far more narrowly focused and far better than it once was. Chinese cyber espionage is stealthier and more advanced than before. They have invested in better tactics, and those investments are paying off.”

As such, even if the UK now begins to prioritise building resilience against these threats, China’s attempts at espionage will, as Mr Hultquist points out, continue to adapt and persist.

Nevertheless, with global allies supporting the UK against what it terms a “large-scale espionage campaign,” the UK is still positioning itself as a leader among democratic institutions, steadfastly denouncing unacceptable cyber attacks.

Initiatives like the Defending Democracy Taskforce and the National Security Act 2023 strengthen the UK’s defences against such incidents, equipping government bodies, Parliament, security services, and law enforcement agencies with the necessary tools to combat hostile activities. While this all sounds promising, the efficacy of these measures in safeguarding the UK’s private sector and its citizens ultimately remains to be seen, so we must wait with bated breath to see how events unfold.