The U.S. and U.K. accused state-backed Chinese hackers of targeting politicians, companies and dissidents for years, as well as stealing troves of British voter data, in the latest revelation of cyberattacks that Washington and its allies have linked to President Xi Jinping’s government.
U.S. officials said seven Chinese nationals targeted members of Congress and officials working at the White House and agencies including the Justice Department, as well as candidates, campaign staff and U.S. companies. The hackers, part of a state-sponsored group known as APT31, have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud.
Both the U.S. and U.K. announced sanctions against two of those individuals, as well as a firm in Wuhan, China, called Wuhan Xiaoruizhi Science and Technology Co. The U.S. alleged it was a front that “has served as cover for multiple malicious cyber operations” and the hackers had worked there as contractors.
The U.K. also accused China of accessing details of some 40 million voters held by the Electoral Commission, according to Deputy Prime Minister Oliver Dowden.
The revelations Monday add to a growing list of cybersecurity breaches that the U.S. and its allies say are backed by the Chinese government as part of a broader strategic and economic competition worldwide.
New Zealand also established links between a state-sponsored actor linked to the Chinese government and malicious cyber activity targeting parliamentary activities there, Judith Collins, the minister responsible for the Government Communications Security Bureau, said Tuesday in Wellington. She said a compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021 was resolved quickly.
China disputed the claims, with a foreign ministry official in Beijing calling the U.K.’s accusations “disinformation” and a spokesman for the Chinese embassy in Washington saying in a statement that the U.S. has “jumped to an unwarranted conclusion and made groundless accusations.”
In January, the FBI said that it had dismantled infrastructure used by a Chinese state-backed group named Volt Typhoon, which targeted the U.S. power grid and pipelines. Last October, security officials from the so-called Five Eyes—the U.S., U.K., Australia, New Zealand and Canada—raised alarm about Chinese hacking and espionage in media interviews and public appearances. In 2015, security researchers suspected Beijing was behind the theft of more than 22 million U.S. security clearance records.
U.K. Prime Minister Rishi Sunak said Monday that an “increasingly assertive” China’s support for the hacks present an “epoch-defining challenge” and “the greatest state-based threat to our economic security.” The head of the U.S. Federal Bureau of Investigation, Christopher Wray, called them “continuous and brash efforts to undermine our nation’s cybersecurity and target Americans and our innovation.
Malicious emails
According to U.S. authorities, some of the hacking activity successfully compromised the targets’ networks, email accounts, cloud storage accounts and telephone call records, with some surveillance of compromised email accounts lasting years.
The hacking campaign involved more than 10,000 malicious emails sent to targets that often appeared to be from prominent news outlets or journalists and appeared to contain legitimate news articles, U.S. authorities said. The emails contained hidden tracking links that would allow information about the recipient, including their location and devices used to access email, to be transmitted to a server controlled by the defendants and others that they were working with.
That information was the used by the group to carry out more sophisticated hacking, the U.S. Justice Department said, including compromising home routers and other electronic devices.
Among the more alarming allegations, the U.S. said that the hackers began targeting email accounts belonging to several senior campaign staff members for an unnamed presidential candidate in about May 2020. By that November, the hackers had sent emails containing tracking links to targets associated with additional political campaigns, including a retired senior U.S. government national security official, according to the indictment.
U.S. companies in the defense, information technology, telecommunications, manufacturing and trade, finance, consulting, legal and research industries were targeted by the group, and the victims include a provider of 5G network equipment in the U.S., an Alabama-based research corporation in the aerospace and defense industries and a Maryland-based professional support services company, according to the U.S.
In the U.K., the National Cyber Security Centre said it’s “almost certain” APT31 conducted reconnaissance activity against British parliamentarians during a separate campaign in 2021—though no parliamentary accounts were successfully compromised.
Britain summoned the Chinese ambassador in London, and Foreign Secretary David Cameron said in a separate statement that he raised the matter directly with Chinese Foreign Minister Wang Yi.
For the U.K., the episode marks an escalation in tensions that have been growing after Hong Kong passed security legislation that the U.K. says erodes freedoms in the city, contravening the handover deal signed between the two nations when governance of the territory was transferred to Beijing in 1997.