Chinese ‘malicious cyber-activity’ against Electoral Commission

by Mark Rowe

The UK Electoral Commission's IT systems were highly likely compromised by a Chinese state-affiliated entity between 2021 and 2022, according to the UK's official National Cyber Security Centre (NCSC).

The NCSC also assesses it is almost certain that the China state-affiliated Advanced Persistent Threat Group 31 (APT31) conducted reconnaissance activity against UK parliamentarians during a separate campaign in 2021. The majority of those targeted were prominent in calling out the malign activity of China. No parliamentary accounts were successfully compromised. In a statement yesterday the UK Government called it the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organisations and individuals targeting democratic institutions and parliamentarians in the UK and beyond.

For deputy prime minister Oliver Dowden’s statement to the House of Commons yesterday about the ‘malicious cyber-activity’, visit Hansard. He told MPs that the ‘Chinese state-affiliated actors’ gained access to the Electoral Commission’s email and file-sharing systems, which contain copies of the electoral register.

Home Secretary James Cleverly said: “It is reprehensible that China sought to target our democratic institutions. China’s attempts at espionage did not give them the results they wanted and our new National Security Act has made the UK an even harder target. Our upcoming elections, at local and national level, are robust and secure. Democracy and the rule of law is paramount to the United Kingdom. Targeting our elected representatives and electoral processes will never go unchallenged.”

The UK Government added its belief that these behaviours are part of a large-scale espionage campaign, and pointed to NCSC guidance on cyber security for the administering of elections. The Foreign Office summoned the Chinese Ambassador to the UK, and sanctioned a front company and two individuals who are members of APT31. The United States has acted similarly.

The Electoral Commission said that the attack was first identified in October 2022. After taking steps to remove the actor from the Commission’s systems and to improve security, the Commission notified the public in August 2023.

The Commission’s Chair, John Pullinger, said: “The cyber-attack has not had an impact on the security of UK elections. The UK’s democratic processes and systems are widely dispersed and their resilience has been strengthened since the attack. Voters have, and should continue to have, high trust in the process of voting.

“The data accessed when this attack took place does not impact how people register, vote, or participate in democratic processes. It has no impact on the management of the electoral registers or on the running of elections.”


Jamie Akhtar, co-founder and CEO at CyberSmart, said: “Sadly, this isn’t likely to be the last time we discuss nation-state attacks on the UK, particularly with an election later this year. Cyber warfare and espionage between states have become a regular feature of geopolitics in the twenty-first century.

“However, it does emphasise the continuing need for the UK to continually refine its holistic cybersecurity strategy. Defence needs to go further than protection for state institutions. As we’ve seen time and again, nation-state actors will also target businesses that provide services to the government too. Without a defence strategy that incorporates every aspect of society, from small businesses to schools to state bodies, nation-state actors will keep finding new routes in.”

Adam Marrè, Chief Information Security Officer at the cyber firm Arctic Wolf, said anyone who has worked in cybersecurity for any amount of time will not be at all surprised. “China has been conducting industrial levels of cybercrime and cyber-attacks on western governments, individuals, and businesses for dozens of years. Beijing continues to see cyber as a natural extension of their statecraft and have seldom been afraid to utilise cyber techniques to further their own national interests.”

Al Lakhani, CEO of cyber firm IDEE, said: “International relations are built on good faith, mutual interests and a fair bit of give and take. But these are all completely opposed to good cybersecurity practices, which must be built on zero trust. The Government is blatantly tiptoeing around the issue, evidently paralysed by the fear of alienating global superpowers, but the result is compromised personal data and undermining confidence in electoral processes.

“To avoid these awkward situations, the Government needs to find better ways of protecting its systems and data. When it comes to something as important as national security, relying on outdated cybersecurity solutions that detect attacks, but stop short of preventing them, is nothing short of dangerous. A general election is on the horizon, and the threat of international interference is huge. So, I hope that lessons have been learnt from past breaches, that this marks a turning point in the UK’s cyber security preparedness, and that we move towards a digitally-secure future rooted in identity proofing and transitive trust.”

Stephen Robinson, Senior Threat Intelligence Analyst at software firm WithSecure, said: “Cyber operations provide nation states with the ability to (relatively) perform espionage remotely, with a certain level of deniability. Considering reporting in recent years which has alleged Chinese attempts to influence Canadian, Taiwanese, and even US elections, it likely comes as no surprise that the UK Electoral Commission compromise of 2021 is now reported to have been the work of cyber attackers working for the Chinese state. Similarly, the targeting of British politicians by a foreign power is almost certainly a known risk to domestic intelligence services. Indeed, recent reporting on the iSoon leaks has stated that organisations who were contracted to perform cyber operations for the Chinese government described the UK Foreign office and Treasury as priority targets for the Chinese government.”

And lead engineer at the cyber firm Check Point, Muhammad Yahya Patel said: “Politically, the move to attribute the Electoral Commission breach to China signals a pivotal moment in diplomatic relations. While it is important to be transparent about the potential threats to national security and the demographic process, we need to be mindful of the message this could send to other authoritarian nation states about the UK’s cybersecurity posture. I hope that the lessons learned from this incident means the UK Government will address the lack of preventative measures that could have bolstered defences against the attack. This needs to be front of mind when educating organisations and proactively addressing any gaps or vulnerabilities to prevent incidents in the future.”


© 2024 Professional Security Magazine. All rights reserved.