US and UK accuse China of cyber operations targeting domestic politics
The U.S. government on Monday accused seven Chinese nationals and a company based in Wuhan of orchestrating a wide-ranging hacking operation targeting political targets in the United States, in what is Washington’s latest attempt to curb what officials describe as increasingly aggressive cyber operations carried out by Beijing.
In an indictment unsealed in the Eastern District of New York, federal prosecutors allege that the group of seven Chinese nationals conspired in a sprawling operation to breach personal devices belonging to U.S. officials, dissidents based in the United States and companies.
“The Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses,” Attorney General Merrick B. Garland said in a statement. “This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics,
In conjunction with the indictment, the U.S. Treasury Department levied sanctions against a Wuhan-based technology company, Wuhan XRZ, believed to have carried out operations on behalf of a hacking group cybersecurity firms track as APT31. The Treasury Department also sanctioned two individuals linked to the firm’s operations targeting U.S. critical infrastructure. The U.S. State Department announced a reward of up to $10 million for information on the group.
Monday’s indictment and sanctions came in conjunction with moves by officials in the United Kingdom to sanction Chinese hacking groups that targeted Britain’s election infrastructure.
The U.S. government describes Wuhan XRZ as a front company used by the Chinese Ministry of State Security to carry out espionage and other cyber operations tracked for years by researchers and governments under the APT31 moniker.
APT31 is “a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the U.S. Treasury Department said in a statement published Monday.
According to the Treasury Department, APT31’s targets include high-ranking U.S. government officials and their advisers; national security staff at the White House; officials at the departments of Justice, Commerce, Treasury and State; Democratic and Republican members of Congress; staffers of political campaigns; and institutions of higher education linked to the U.S. military.
In a statement Monday, Liu Pengyu, a spokesperson for China’s embassy in Washington, said that American officials’ accusations are “extremely irresponsible” and “a complete distortion of facts.”
“Without valid evidence, the U.S. jumped to an unwarranted conclusion and made groundless accusations against China,” Liu said, adding that “China is a major victim of cyberattacks” and that “the U.S. itself is the origin and the biggest perpetrator of cyberattacks.”
Experts said Monday’s move by the Biden administration represented the latest in a string of actions by Washington to combat China’s efforts to control speech and intimidate dissidents far beyond its borders.
“This indictment follows many others that document China’s efforts to oppress people overseas and in the U.S.,” said Dakota Cary, China-focused consultant for the cybersecurity firm SentinelOne. “It is incredibly important that the U.S. defend the liberties of people residing in the U.S. from foreign oppressions. It’s what stops the U.S. from becoming like China.”
U.K. officials also accused Chinese hackers of targeting British politics on Monday. In a speech, Deputy Prime Minister Oliver Dowden accused Chinese-linked hackers of being behind a 2021 hack of the Electoral Commission that pilfered data on 40 million registered U.K. voters and a separate campaign that same year targeting email accounts belonging to three members of the British Parliament who are critical of China.
“This is the latest of a clear pattern of hostile activity originating in China, including the targeting of democratic institutions and parliamentarians in the United Kingdom and beyond,” Dowden said.
At a press conference Monday, the targeted members of Parliament — Conservatives Iain Duncan Smith and Tim Loughton, as well as Stewart McDonald, a member of the Scottish National Party — described the operation against them as part of a broader effort by the Chinese government to target British and Western society, and called for the U.K. government to “reset” its relations with China.
The operation against the members was attributed to APT31, while the Electoral Commission hack was attributed more generally to Chinese-linked hackers.
An assessment by Britain’s National Cyber Security Centre concluded that APT31 was “almost certainly” behind the attempted email hacks, describing them as part of Beijing’s “reconnaissance activity” and noting that they were blocked by Parliament’s security department. The Electoral Commission hack, meanwhile, was attributed only to “a China state-affiliated actor.”
APT31 operations have been the subject of detailed analysis by security researchers for years. Last year, for instance, Intrusion Truth, an anonymous group of researchers with a track record of publishing highly detailed information on Chinese cyber operations, reported on a series of links between specific people tied to APT31, the business fronts they operated through, and the Chinese government.
The Electoral Commission breach — which occurred in 2021, was initially detected in October 2022 and first disclosed in August 2023 — affected the agency’s file sharing and email systems, giving hackers access to a wealth of personal data on around 40 million registered voters in the U.K.
That information would have included the names and addresses of anyone in Great Britain who registered to vote between 2014 and 2022, Northern Ireland voters who registered to vote in 2018, and information sent to the commission through emails or the contact form on its website.
The Electoral Commission has publicly downplayed the value this kind of information would provide to malicious parties, saying in its initial announcement that much of this data is already in the public domain and that an internal risk assessment determined that “the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals.” While the commission aggregates this data from across Great Britain, voter registration and live voter rolls are managed by local authorities.
“It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals,” the commission said last year.
Jamie MacColl, a research fellow at the Royal United Services Institute, a defense and security think tank based in London, questioned whether the data obtained would provide significant utility. MacColl described the data as “hard to exploit” and said that he was skeptical whether the operation described by U.K. officials warranted such a strong response, given that espionage targeting members of national legislatures is commonplace.
MacColl noted, however, that the incident may undermine public faith in the integrity of the electoral process.
Following the incident, the U.K.’s Electoral Commission acknowledged that it had failed to pass a cybersecurity audit administered by the National Cyber Security Centre.
John Pullinger, chair of the Electoral Commission, said on Monday that the hack “demonstrates the international threats facing the UK’s democratic process and its institutions” but reiterated that the agency does not believe the hack will have an impact on British elections.
“The U.K.’s democratic processes and systems are widely dispersed and their resilience has been strengthened since the attack. Voters have, and should continue to have, high trust in the process of voting,” Pullinger said.