Sikov - stock.adobe.com

Chinese APT suspected of Ministry of Defence hack

A cyber attack on the Ministry of Defence is suspected to be the work of threat actors working on behalf of Chinese intelligence

An undisclosed advanced persistent threat (APT) actor possibly backed by the Chinese government is suspected of involvement in a serious supply chain data breach at the UK’s Ministry of Defence (MoD), but the UK has declined to formally attribute the cyber attack stating national security concerns.

The cyber attack, which was first widely reported on the evening of Monday 6 May after details of the incident were prematurely leaked, targeted MoD employees, including serving members of the armed forces and veterans, via an attack on a payroll system supplier identified as Shared Services Connected Ltd (SSCL).

The data exposed in the attack includes an estimated 270,000 data points, mainly names and banking details, but has not affected any other MoD systems, nor impacted the payment of salaries.

“In recent days, the Ministry of Defence has identified indications that the malign actor gained access to part of the armed forces payment network,” defence secretary Grant Shapps told the House of Commons in a statement on the afternoon of 7 May.

“This is an external system completely separate to the MoD’s network, and is not connected to the main military HR system. ... It is operated by a contractor and there is evidence of potential failings by them, which may have made it easier for the malign actor to gain entry. A specialist security review of the contractor and their operations is underway and appropriate steps will be taken.

“For reasons of national security, we can’t release further details of the suspected cyber activity behind this incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement,” he said.

Shapps went on to outline an eight-point plan of action that is already in train, with the affected systems taken offline as a precaution, an investigation including third-party experts underway, and affected personnel being informed and supported appropriately through their chain of command. This will include the provision of personal data protection services.

Shapps stressed that the number of individuals affected was low and there was no evidence to suggest data had been stolen.

Link to China unclear

Although no formal attribution has been made to any Chinese APT, the Chinese government has already moved to angrily reject any accusations that its intelligence agencies were behind the latest incident, which comes in the wake of other large-scale breaches of UK government entities and officials – such as that of the Electoral Commission – linked to China, over which multiple individuals have been sanctioned, both in the UK and the US.

Speaking to Computer Weekly earlier today, former NCSC chief Ciaran Martin said that while the attack on the MoD bore the hallmarks of nation-state espionage, the possibility of a nation-state’s involvement in cyber espionage was not unexpected and the UK government’s reaction sometimes risked making it hard to see the wood for the trees.

“I’m sitting in a country that for the second time in a month is getting very exercised about Chinese espionage against government, once in Parliament, the other now in defence, which is serious, it’s unwelcome, it’s damaging. But at the same time, there’s no serious proposal anywhere that spying on governments, especially defence or foreign ministries, is beyond the pale. It is a widespread activity,” he said.

Martin explained that in terms of general public discourse, the prevailing narrative has become one of ongoing Chinese cyber espionage against Parliament and the government, but he pointed out that espionage long pre-dates the digital world and is to be expected, while there are other facets to malign Chinese cyber activity more worthy of urgent attention.

“We’re absolutely missing the fact that the US has warned that there is the equivalent of digital explosives under quite a lot of critical infrastructure that can’t kill people, but could cripple the administration of aviation, the administration of healthcare, the administration of all sorts of critical services,” said Martin. “That, to me, is a much, much more important thing to focus national effort on.”

Whatever its provenance, the incident is clearly a serious supply chain breach, with lessons for all organisations.

“Cyber attacks on third-party suppliers continue to highlight the threat that vulnerabilities in the supply chain pose to UK organisations,” said Philip Tansley, a security lawyer at Osborne Clarke.

“Every large organisation – including government departments – will outsource some operations to third-party suppliers. This is not itself a bad thing but, as the process of outsourcing becomes increasingly complex and digitised and those suppliers outsource functions themselves, it is becoming increasingly difficult to monitor and manage the risks that a weak link in the supply chain poses.

“Proper oversight and understanding of where vulnerabilities exist by organisations is vital to enable them to manage and allocate risk appropriately and comply with contractual and regulatory obligations,” he said.

This article was updated at 4pm on Wednesday 8 May to reflect the involvement of SSCL.

Read more about Chinese cyber activity

  • Microsoft researchers have identified a growing pattern of AI-laced misinformation and political interference coming from Chinese threat actors.
  • A panel of experts at RSA Conference 2024 discussed Volt Typhoon and warned the Chinese nation-state threat group is still targeting and compromising US organisations.
  • As the UK and US governments announce sanctions and indictments of a Chinese state threat actor, the NCSC has reiterated its security advice for individuals at risk of being targeted for espionage purposes.

Read more on Data breach incident management and recovery