China cyber-attacks explained: who is behind the hacking operation against the US and UK?

<span>China has been accused by the US, UK and New Zealand of targeting sensitive information with cyber hacking attacks. </span><span>Photograph: Oscar Wong/Getty Images</span>
China has been accused by the US, UK and New Zealand of targeting sensitive information with cyber hacking attacks. Photograph: Oscar Wong/Getty Images

The US and UK have imposed sanctions on individuals and groups that they say targeted politicians, journalists and critics of Beijing in an extensive cyber espionage campaign – allegedly operated by an arm of China’s ministry of state security.

The scale of the operation was revealed on Monday, although some of the attacks have been previously reported on. On Tuesday, New Zealand blamed “state-sponsored” Chinese hackers for a 2021 cyber-attack that infiltrated sensitive government computer systems.

Who is behind the cyber-attacks?

Both the UK and US point the finger at a hacking group known within the cybersecurity community as Advanced Persistent Threat 31 (APT 31).

Western intelligence experts use the APT naming convention to identify hacking groups linked to foreign governments. According to Mandiant, an American cybersecurity firm and a subsidiary of Google, there are more than 40 APT groups, more than 20 of which are suspected to be operated by China.

Related: Tory MPs urge tougher action on China after cyber-attacks

APT 31, also known as Zirconium, Violet Typhoon, Judgment Panda and Altaire, is run by China’s ministry of state security from the city of Wuhan, according to the US justice department.

The group has been accused of high-profile attacks in the past: in 2020, Google and Microsoft warned that the group had targeted the personal emails of campaign staff working for Joe Biden.

The UK government says it was also linked to a hack of Microsoft Exchange email server software in 2021 that compromised tens of thousands of computers around the world.

In its announcement on Tuesday, New Zealand said that a separate Chinese state-backed group – APT 40 – was behind the attack that compromised computers linked to its parliamentary network.

According to Mandiant, APT 40 is a Chinese cyber espionage group that typically targets countries strategically important to the Belt and Road Initiative.

Who was targeted?

The US and UK allege that the hacking campaign targeted both a broad swathe of private individuals, as well as strategically important companies and government officials.

The UK government has outlined two “malicious cyber campaigns targeting democratic institutions and parliamentarians”.

The first campaign resulted in Beijing allegedly accessing the personal details of about 40 million voters, held by the Electoral Commission. According to the government the attack – which occurred between late 2021 and October 2022 – had no impact on the electoral process or electoral registrations.

The second campaign appears more targeted. UK intelligence has said that it’s “highly likely” that APT 31 conducted “reconnaissance activity against UK parliamentarians”. The politicians targeted in the attempted hack were all prominent critics of China. British intelligence has said that none of their accounts were compromised.

In its statement on Monday, the US justice department, outlined a 14-year-long global campaign that appears much larger in scale. Among the targets identified are political dissidents, critics of China, US government officials, political candidates and American companies.

Altogether, the targets number in their thousands and the justice department has confirmed that some of the activity successfully compromised “email accounts, cloud storage accounts, and telephone call records”. It adds that some of the surveillance of email accounts lasted “many years”.

Critics of China’s governments and supporters of Chinese political dissidents appear to have been a common target of the hackers.

The US alleges that in 2021, APT 31 targeted the email accounts of a number of foreign governments officials that were members of the Inter-Parliamentary Alliance on China (IPAC) whose stated purpose is to “counter the threats posed by the Chinese Communist party”. Among them were EU and UK politicians.

And in response to the 2019 pro-democracy protests in Hong Kong, APT 31 were said to have stepped up their targeting of activists and journalists associated with the movement.

New Zealand has said that some data was taken during the cyber-attack on its parliamentary counsel office and parliamentary service, but none that was considered sensitive or strategic.

How did the attacks occur?

Both the UK and the US allege that APT 31 used phishing techniques – in which victims are sent emails containing links that steal their private details – in order to access sensitive information.

US deputy attorney general Lisa Monaco said more than 10,000 emails – which appeared to come from news outlets, politicians and critics of China – were sent as part of the campaign.

According to the US, the phishing emails contained hidden tracking links; if the victims opened these emails, information including the recipient’s location, device and IP were transmitted to a server controlled by the hackers. APT 31 then used this information to enable more targeted hacking, such as compromising the recipients’ home routers and other electronic devices.

What was their goal?

Monaco has said the aim of the operation was to “repress critics of the Chinese regime, compromise government institutions and steal trade secrets”.

The US says APT 31 targeted “dozens of companies operating in areas of national economic importance”. They include businesses working in defence, telecommunications and manufacturing.

These activities resulted in the “confirmed … compromise of economic plans, intellectual property and trade secrets”.

The spouses of high-ranking White House officials and US senators were also targeted, along with campaign staff from both major US political parties. Despite the group targeting Biden’s election campaign in 2020, the justice department report says that the hacking did not further any “Chinese government efforts to influence the election”.

What’s next?

Tensions over issues relating to cyber espionage have been rising between Beijing and Washington for some time, with western intelligence agencies increasingly sounding the alarm on alleged Chinese state-backed hacking activity.

In the UK, the government has been criticised for being too slow to respond to the cyber-attacks, which took place between 2021 and 2022.

Luke de Pulford, the executive director of Ipac, said the government appeared “a little bit reluctant to say that China had actually done this”.

Conservative MP Iain Duncan Smith, who was among those targeted by the hacking operation, described the UK response as “like an elephant giving birth to a mouse” adding “we must now enter a new era of relations with China, dealing with the contemporary Chinese Communist party as it really is, not as we would wish it to be.”

China has rejected the allegations that it or state-affiliated organisations were responsible for the attacks.

“China has always firmly fought all forms of cyber-attacks according to law,” a spokesperson for the Chinese embassy in Britain said “China does not encourage, support or condone cyber attacks.”

Reuters contributed to this report