Chinese Hackers Charged in Decade-Long Global Spying Rampage

US and UK officials hit Chinese hacking group APT31 with sanctions and criminal charges after they targeted thousands of businesses, politicians, and critics of China.

For years, China’s state-backed hackers have stolen huge troves of company secrets, political intelligence, and the personal information of millions of people. On Monday, officials in the United States and United Kingdom expanded the long list of hacking allegations, claiming China is responsible for breaching the UK’s elections watchdog and accessing 40 million people’s data. The countries also issued a raft of criminal charges and sanctions against a separate Chinese group following a multiyear hacking rampage.

In August last year, the UK’s Electoral Commission revealed “hostile actors” had infiltrated its systems in August 2021 and could potentially access sensitive data for 14 months until they were booted out in October 2022. The deputy prime minister, Oliver Dowden, told lawmakers on Monday that a China state-backed actor was responsible for the attack. In addition, Dowden said, the UK’s intelligence services have determined that Chinese hacking group APT31 targeted the email accounts of politicians in 2021.

“This is the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organizations and individuals targeting democratic institutions and parliamentarians in the UK and beyond,” Dowden said in the UK’s House of Commons. The revelations were accompanied by the UK sanctioning two individuals and one company linked to APT31.

Alongside the UK’s announcement on Monday, the US Department of Justice and the Department of the Treasury’s Office of Foreign Assets Control unveiled further action against APT31, also known as Violet Typhoon, Bronze Vinewood, and Judgement Panda, including charging seven Chinese nationals with conspiracy to commit computer intrusions and wire fraud.

The DOJ claims the hacking group, which has been linked back to China’s Ministry of State Security (MSS) spy agency, has spent 14 years targeting thousands of critics, businesses, and political entities around the world in widespread espionage campaigns. This included posing as journalists to send more than 10,000 malicious emails designed to track their recipients, and compromising email accounts, cloud storage accounts, telephone call records, home routers, and more. The spouses of one high-ranking White House official and those of multiple US senators were also targeted, the DOJ says.
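As an added example (not code from the article, the indictment, or any of the parties involved), here is a small Python check of the kind a mail gateway or an analyst could run to surface the tracking-email pattern the DOJ describes: a remote image or link carrying a per-recipient token, so that opening the message or clicking the link reports back to the operator. The sender address, the domain names, and the message body below are constructed for the example.

```python
"""Flag tracking beacons and deceptive links in an e-mail body.

Added example, not code from the article or from any party it names. The
heuristic is generic: a remote image or link from a domain other than the
sender's that carries a query-string token is treated as a beacon, and a link
whose visible URL points at a different host than its real target is treated
as deceptive. The sample message and every domain in it are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a "journalist" approach with a 1x1 remote image carrying a
# per-recipient token, plus a link whose visible text does not match its href.
SAMPLE_EML = b"""From: Jane Reporter <jane@news-example.test>
To: target@example.test
Subject: Quick question for a story
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, I am writing a piece on Hong Kong activism and would value your comment.</p>
<p>My draft is here: <a href="http://cdn-tracker.test/open?id=7f3a9c">https://news-example.test/draft</a></p>
<img src="http://cdn-tracker.test/px.gif?u=7f3a9c" width="1" height="1">
</body></html>
"""


class _Collector(HTMLParser):
    """Collect <img> attribute dicts and (href, visible text) pairs for <a> tags."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_beacons(html, sender_domain):
    """Return (kind, detail) findings: tracking_image, deceptive_link, tracked_link."""
    p = _Collector()
    p.feed(html)
    findings = []
    for img in p.images:
        src = img.get("src", "")
        host = _host(src)
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        # A remote image off the sender's domain with a token or a 1x1 size:
        # fetching it tells the operator the message was opened, and from where.
        if host and host != sender_domain and ("?" in src or tiny):
            findings.append(("tracking_image", src))
    for href, text in p.links:
        href_host = _host(href)
        text_host = _host(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append(("deceptive_link", f"{text} -> {href}"))
        elif href_host and href_host != sender_domain and "?" in href:
            findings.append(("tracked_link", href))
    return findings


def analyse_eml(raw):
    """Parse a raw RFC 5322 message and run the beacon check on its HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = (msg["From"].addresses[0].domain if msg["From"] else "").lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return find_beacons(html, sender_domain)


if __name__ == "__main__":
    for kind, detail in analyse_eml(SAMPLE_EML):
        print(f"{kind}: {detail}")
```

The sender-domain comparison is deliberately simple; a production filter would also account for legitimate mailing services, but the two signals shown here (an off-domain tokenised image and a visible URL that disagrees with its target) are the ones an analyst checks first when triaging a suspected lure.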

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” Breon Peace, a US attorney for the Eastern District of New York, said in a statement. “Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The moves come as countries increasingly warn of an increase in China-linked espionage, during a year when more than 100 countries will host major elections. Statements from officials focus on the impact of the hacking activity on democratic processes, including the targeting of elected officials around the world and the compromising of pro-democracy activists and lawmakers in Hong Kong. However, the disclosures also coincide with continued jostling from Western politicians over pro- or anti-China stances, including the proposed sale of TikTok to a US company, which could result in a ban on the popular app if the sale fails to go through.

As officials in the UK disclosed the details of the hacking activity, Lin Jian, a Chinese foreign ministry spokesperson, claimed it was “disinformation” and told reporters the country “opposes illegal and unilateral” sanctions. “When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Lin said in a daily press conference on Monday.

“China is embarking on a huge global campaign of interference and espionage, and the UK and the like-minded nations are pretty sick of it,” says Tim Stevens, a global security lecturer and head of the cybersecurity research group at King’s College London. Stevens says the public shaming and sanctions are unlikely to significantly change China’s actions but may signal a warning to other countries about what is and isn’t deemed acceptable when it comes to international affairs.

China has a broad range of hacking groups linked to its intelligence services and military, as well as companies that it contracts to launch some cyber operations. Many of these groups have been active for more than a decade. Dakota Cary, a China-focused consultant at security firm SentinelOne, says that groups associated with China’s civilian intelligence service are largely conducting diplomatic or government intelligence collection and espionage, while China’s military hackers are behind attacks on power grids and US critical infrastructure such as water supplies. “We do see China engaging in all of those activities simultaneously,” Cary says.

In announcing criminal charges and sanctions against members of APT31, officials in the US laid out a series of hacking allegations that include the targeting of businesses, political entities, and dissidents around the world. These included a “leading provider” of 5G telecoms equipment in the US, Norwegian government officials, and people working in the aerospace and defense industries. APT31 was run by the MSS’s Hubei State Security Department in the city of Wuhan, US officials say.

The seven Chinese nationals hit with charges are Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong. Both Zhao Guangzong and Ni Gaobin were also sanctioned. The two are alleged to be affiliated with Wuhan XRZ, a company that has also been sanctioned by the US and UK and is believed to be a cover for MSS-linked hacking operations. Employees of the company hacked into a Texas-based energy company in 2018, the US Treasury Department said.

The group used sophisticated malware—including Rawdoor, Trochilus, and EvilOSX—to compromise systems, according to a 27-page indictment unsealed by the DOJ. They also used a “cracked/pirated” version of penetration testing tool Cobalt Strike Beacon to compromise victims, the indictment says. It adds that, between 2010 and November 2023, the group “gained access” to a defense contractor that designed flight simulators for the US Army, Air Force, and Navy; a multi-factor authentication company; an American trade association; a steel company; a machine learning laboratory based in Virginia; and multiple research hospitals.

In its announcement, the UK outlined two separate China-linked incidents: first, the targeting of the email inboxes of 43 members of parliament (MPs) by APT31 in 2021; and second, the hack of the Electoral Commission by further unnamed China-linked hackers. Elections in the UK are decentralized and organized locally, with the commission overseeing the entire process. This setup means the integrity of the electoral process was not impacted, the commission says; however, a huge amount of data may have been taken by the hackers.

When the Electoral Commission revealed it had been compromised last year, it said the details of around 40 million people may have been accessed. The commission said names and addresses of people in Great Britain who were registered to vote between 2014 and 2022 could have been compromised, and that file-sharing and email systems could have been made accessible. “It’s really remarkable that China would go after election oversight systems, particularly given the diplomacy that the PRC [People’s Republic of China] is trying to pull off with the EU,” Cary says. “It’s a very significant act for the PRC to go after these types of systems,” he adds. “It’s something that democracies are really sensitive to.”

While nations have called out China’s hacking activities for years, the country has evolved its tactics and techniques to become harder to detect. “Over the past couple of years, tired of having their operations rumbled and publicly outed, the Chinese have placed a growing emphasis on stealthy tradecraft in cyber espionage attacks,” Don Smith, vice president of threat intelligence at security firm Secureworks’ counter-threat unit, said in a statement. “This is a change in MO from its previous ‘smash and grab’ reputation but it is viewed by the Chinese as a necessary evolution to one, make it harder to get caught and two, make it nearly impossible to attribute an attack to them.”