Tuesday briefing: Why the US and UK are going public with warnings about Chinese hacking | The Guardian


First Edition - The Guardian
Attacks like the one China is accused of are ‘pretty routine’.
26/03/2024

Archie Bland
 

Good morning. You’re probably not an MP or peer on the Inter-parliamentary Alliance on China (Ipac), so that part of yesterday’s cyber-attack revelations needn’t concern you excessively. If you are among the 40 million UK voters included on a register held by the Electoral Commission, though, I have bad news: the Chinese government has your personal details.

Yesterday afternoon, deputy prime minister Oliver Dowden laid out sanctions in response to the attacks – in the case of the Electoral Commission hack, more than three years after it happened. In co-ordinated announcements, the US announced sanctions over a years-long campaign involving 10,000 malicious emails sent to politicians, journalists and businesses, and New Zealand said it had raised concerns with Beijing over an attack on its parliament in 2021.

Taken together, the announcements represent an attempt to raise the alarm globally about the sheer scale of Chinese hacking – but Beijing is unlikely to be cowed. For today’s newsletter, I spoke to Jamie MacColl, a research fellow in cybersecurity at the Royal United Services Institute (Rusi), about whether these are isolated incidents, or the tip of a digital iceberg. Here are the headlines.

Five big stories

1. Israel-Gaza war | The UN security council has voted to demand an immediate ceasefire in Gaza for the first time after the US dropped a threat to veto, bringing Israel to near total isolation on the world stage. Benjamin Netanyahu cancelled a planned White House visit by two ministers, while the Palestinian envoy to the UN, Riyad Mansour, called the result a belated “vote for humanity to prevail”.

2. US news | A New York court has handed Donald Trump a lifeline, reducing his $454m bond to $175m over the judgment against him in a huge fraud case. Separately, the judge overseeing the hush-money case against Trump involving the adult film star Stormy Daniels refused to delay the trial, setting a date for jury selection of 15 April.

3. Garrick club | At least four senior judges, Sir Keith Lindblom, Sir Nicholas Cusworth, Sir Nicholas Lavender and Sir Ian Dove, have resigned from the men-only Garrick Club, the Judicial Office has said, as men in the legal profession come under increasing pressure over their close association with an organisation that has repeatedly blocked attempts to allow women to join.

4. US news | Federal agents have raided properties in Los Angeles, Miami and New York that local news outlets have reported are tied to rapper and mogul Sean “Diddy” Combs. US media reported that the searches were part of a sex trafficking investigation, though the exact reason for the raids remained unclear.

5. Conservatives | Rishi Sunak is to face another tricky byelection after former Conservative backbencher Scott Benton resigned before the conclusion of a recall petition among his constituents. The Blackpool South MP was facing likely ejection from the Commons after being suspended for 35 days over his role in a lobbying scandal.

In depth: ‘They don’t care that much about being caught’

The National Cyber Crime Security centre in London.

Both the US and UK have blamed a Chinese state-backed group they call Advanced Persistent Threat 31 (APT 31). New Zealand blamed a separate group, APT 40. While the UK’s decision to point the finger at China has grabbed headlines, the truth about attacks like the ones described by Oliver Dowden yesterday is that they are “pretty routine”, said Jamie MacColl.

“We know that China, North Korea, Russia and Iran [sometimes known as the ‘big four’ cyber threats] are regularly called out,” he said. “There’s less public information or reporting about similar activities from Five Eyes [the anglophone intelligence alliance between the UK, the US, Canada, Australia and New Zealand] – but that may be because we’re better at it, or care more about being caught, or don’t get identified by US and UK cybersecurity companies because of their relationships. It’s what you would expect powerful states to be doing to one another in cyberspace.”

In a sense, though, the routine nature of some of this is part of what makes it ominous. “Interference in politics or democratic processes is always a very serious cyber threat,” MacColl said. “Even if we know what’s happened, we don’t know how it is intended to be used.”


The Electoral Commission hack

The attack on the Electoral Commission was carried out in August 2021, discovered in October 2022, and only publicly acknowledged in August 2023. Without specifying who was responsible, the Electoral Commission said hackers had gained access to copies of electoral registers with the names and addresses of anyone registered to vote in the UK between 2014 and 2022.

Many commentators surmised that Russia was likely behind the incident; in fact, Oliver Dowden said yesterday, “these actions demonstrate a clear and persistent pattern of behaviour that signals hostile intent from China”. The Electoral Commission hack fits with China’s modus operandi for some years, MacColl said. “We’ve seen China targeting very large datasets of information on individuals before,” he said, pointing to a hack of the US Office of Personnel Management in 2015. “There have been similar operations against airlines and insurers.”

It’s unlikely that the hack would have been carried out to obtain the details of specific people, MacColl said. “If you want to target a high-profile individual, there are easier ways than sorting through 40m lines on Excel. But it is possible that these datasets are being obtained for some future use, potentially highly individualised disinformation operations. I don’t think we’re there yet, but it may be that in 10 years, with much better machine learning, it’ll be possible to process this information in much more powerful ways.”

As evidence for China’s interest in that area, he points to a recent leak from iSoon, a private company headquartered in Shanghai that sells its services to the Chinese government. “Their business critical services were less about the offensive side and more about processing these very large datasets so they can then be exploited.” That same iSoon leak appears to show staff at the company discussing potential attacks on thinktank Chatham House and the NGO Human Rights Watch, as well as the Home Office and Foreign Office.


The attack on MPs and peers

As well as the Electoral Commission hack, China was also accused yesterday of targeting a group of MPs and peers who are members of Ipac – with the four named politicians all vocal critics of China. One of the MPs, Iain Duncan Smith, said at a press conference yesterday that “the west has to wake up to the fact this is a challenge to the very way that we live our lives”.

A video grab of deputy prime minister Oliver Dowden on Monday making a statement about Chinese cyber-attacks.

As in the US hack, the politicians’ email accounts are believed to have been targeted through “spear phishing” – emails that attempt to extract passwords and other sensitive information from targets by appearing to come from an authoritative or trusted source.

The US said that the phishing emails contained hidden tracking links which would then send information including the recipient’s location, device and IP to a server controlled by the hackers – which then enabled more targeted follow-up attacks. The UK said that no parliamentary accounts were successfully compromised.

While any cyber-attack on an elected official is a problem, it is also “much less significant than targeting the electoral roll, because it isn’t a large-scale way of interfering in democratic processes”, MacColl said. “Targeting individuals in this way falls into the category of fairly routine political intelligence that we would expect a state competing with us to be attempting.”


The UK’s defences

Yesterday, Rishi Sunak said that the UK’s National Cyber Security Centre (NCSC) is “world leading”. “It’s true that the UK is very good at cyber,” MacColl said. “But I would characterise it as ‘capable but constrained’ – cybercrime, counter-terrorism, and the war in Ukraine will have eaten up a lot of focus over the last two years.”

He also noted that the private sector is now “able to respond in a way that far outweighs what the UK – or even the US – government can do. It’s no coincidence that when a government department or a council gets hit, it’s not the NCSC that does the legwork of fixing it.”

To identify the culprit in these kinds of cases, “there will be forensic indicators from things like logs on servers – they will hope to assess those against known examples from different state actors”, MacColl said. Cautioning that he is simplifying considerably, he added: “They might have an IP address that will have been masked in different ways, and which they will try to trace – some have been linked to specific cities or even buildings in China in the past.”


The political response

China has dismissed the allegations as “malicious slander”. But both the US and UK announced sanctions yesterday against two individuals, Zhao Guangzong and Ni Gaobin, affiliated with a tech company which the US says is a front for the Chinese ministry of state security. They will face travel bans and an asset freeze.

There have been criticisms over the pace of the UK’s response, given that more than three years have elapsed since the attack. The move to attribute these cases is likely to be political as much as technical, MacColl said: “It would not be happening without the broader strategic context of terrible relations between the UK and the US and China.”

The measures met with some criticism for being inadequate to the scale of the threat – with one of the targeted MPs, the SNP’s Stewart McDonald, accusing ministers of “turning up at a gun fight with a wooden spoon”.

They do signal a growing willingness to go public with warnings about Chinese hacking – and greater co-operation between western nations in response. But the sanctions do not appear likely to slow the pace of the Chinese hacking effort.

One measure of that is “the fact that the evidence from some of these cases is that they don’t care that much about being caught, or being named by a foreign government”, MacColl said. To quote a message in the recent iSoon leak, founder Wu Haibo’s response to being asked whether the company was being watched by the US: “Not bothered. It was a matter of sooner or later anyway.”

What else we’ve been reading

Jasmin Paris.
  • Last week, Jasmin Paris (above) became the first woman to complete the Barkley Marathons – a gruelling 100-mile course that involves climbing the equivalent of two Mount Everests in less than 60 hours. She had no sleep except one three-minute power nap, which left her hallucinating ominous figures in black macintoshes. Sean Ingle has a remarkable interview, which I really enjoyed reading in bed. Archie

  • In an essay about failing memory, Charan Ranganath tries to answer the question I am always asking myself: why am I so forgetful? Nimo

  • Maternity wards are miraculous places – but across England, they are in crisis, leaving some parents who should be experiencing the happiest days of their lives instead going through the very worst. Sirin Kale’s investigation tells the devastating story of the short life of Norah Bassett, and the failings it revealed in the system. Archie

  • Jessica Glenza’s report on the US supreme court case taking on the abortion pill Mifepristone is a great primer on the potential fallout for drug regulation in the US. Nimo

  • Emma Beddington lays out her theory on why English midlifers are among the loneliest in Europe. Nimo

Sport

Katie Boulter.

Tennis | An excellent week in Florida for British No 1 Katie Boulter (above) ended as she was defeated 7-5, 6-1 in the fourth round of the Miami Open by Victoria Azarenka. Andy Murray will be out for an “extended period” after rupturing his ankle ligaments during his third-round defeat, an injury that could complicate his hopes of one final Wimbledon before retirement.

Cyprus confidential | Marina Granovskaia, the former chief executive of Chelsea who was once described as “the most powerful woman in football”, is facing questions about what she knew of secret payments made under the club’s former owner Roman Abramovich, amid an ongoing investigation into alleged breaches of football spending rules.

Football | Declan Rice has said Arsenal’s England contingent will try to persuade Ben White to rethink his refusal to play for his country. Rice, who will captain England against Belgium on Tuesday, praised the versatility of his club teammate, who has not played for England since 2022.

The front pages

Guardian front page, Monday 26 March 2024

The lead story in the Guardian today is “Israel isolated after UN security council demands Gaza ceasefire”. Also on our front: “MPs urge tougher action over China hack”. “China set to be declared a threat to national security” says the Times, while the Daily Express has “Tory MPs: we now must label China ‘a threat to Britain’” and the Daily Mail puts pressure on Rishi Sunak with “Fury at ‘feeble’ rebuke to China”. “UK Cabinet clash on how to fight China spy threat” is the i’s version. That’s all along the bottom of page one in the Daily Telegraph, which splashes on “Secret court for speeding and TV fines must end”. “Drink drive death of our angels” is on the front of the Metro. “The Kate effect” – lots more people are doing cancer checks online, the Daily Mirror reports. Top billing in the Financial Times goes to “Boeing chief Calhoun to step down in shake-up after door panel safety crisis”.

Today in Focus

People mourn outside Crocus City Hall after a terrorist attack in Krasnogorsk, near Moscow.

Terrorism and the battle for the truth in Moscow

Footage of four gunmen appears to support Islamic State’s claim that it masterminded the worst terrorist attack in Russia in two decades. But the Kremlin has put Ukraine in the frame. Andrew Roth reports

The Guardian Podcasts

Cartoon of the day | Rebecca Hendin

Rebecca Hendin on Putin and the Moscow terror suspects – cartoon

The Upside

A bit of good news to remind you that the world’s not all bad

The US is investing in decarbonising factories including ones that make ice-cream.

The US government has announced a record $6bn in funding to decarbonise industry facilities in the country including plants that make cement and concrete, iron and steel, and food production plants including those that make ice-cream and mac and cheese. Industry, which has been difficult to decarbonise because of its large-scale operations, is responsible for 25% of emissions in the US. The White House climate adviser has said the funding is supposed to get rid of 14m tonnes of pollution each year, which is equivalent to taking about 3m cars off the road.


Bored at work?

And finally, the Guardian’s puzzles are here to keep you entertained throughout the day. Until tomorrow.
