A third party breach impacting the Ministry of Defence may have exposed the bank details of as many as 272,000 current and former members of the UK armed forces. A culprit has not yet been named, but some evidence points to Chinese state-backed hackers and Defence Secretary Grant Shapps said that state involvement “cannot be ruled out.”
For the most part the exposure appears to have been limited to names and bank details for both active members of all branches of the UK armed forces and veterans, but reportedly home addresses were also included in a “few” cases. Details are somewhat thin due to national security concerns but the UK government has named SSCL, a business services provider, as the source of the third party breach.
UK armed forces info may have been exposed to state-backed APT group
A spokesperson for the Ministry of Defence said that the network involved in the third party breach was taken offline immediately upon discovery of the intruders. UK armed forces members that were impacted have been notified privately and are being linked up with a private data protection service that can warn them if there is an attempt to use their personal information for fraud. The government also said that this will not impact salary payment, though there might be “slight delays” in making other payments in a “small number” of cases. The incident reportedly does not impact special forces groups such as the SAS, which are paid through a different system.
The GCHQ and the National Cyber Security Centre (NCSC) have opened an investigation into the third party breach. As is fairly common, the Chinese government has responded to news reports of the attack by calling it a smear campaign and denying any involvement.
Shared Services Connected Ltd., or SSCL, lists itself as a “critical business services” contractor that works exclusively with the UK armed forces and public sector agencies. In late 2023 it became a wholly owned subsidiary of consulting firm Sopra Steria, which founded the company in 2013 in partnership with the Cabinet Office. Among other digital services it handles HR, payroll, accounting and finances for its government clients.
Oz Alashe MBE, CEO of CybSafe, notes that third party breaches continue to haunt what should be among the world’s most secure systems: “The recent cyberattack on the UK’s Ministry of Defence’s external payroll system shows the vulnerability of even the most protected government organisations to cyber threats, particularly when third-party contractors are involved. The cost of fixing this breach could be substantial, not only in terms of financial resources but also in the time and effort required to restore trust and secure the compromised systems. This incident serves as a stark reminder that cybersecurity is no longer about compliance, but proactivity. Those handling sensitive information must do so securely, exercising good security behaviour. Cybersecurity teams need to be able to measure the risks associated with behaviours over time, so they can offer support and guidance to personnel who need it. In a year when much of the Western world will be going to the polls, it must be a priority of democratic governments to limit the influence foreign nations can have in domestic affairs through malicious cyber tactics. Cyber resilience is going to be a topic of increasing prominence over the coming years and one we need to be prepared for.”
Third party breach may be part of active Chinese campaign in UK, EU
Despite China’s repeated denials, the US and UK governments have accused it of a coordinated campaign of cyber attacks. In March the two countries slapped sanctions on a number of China’s state-affiliated hackers and front companies as part of a joint investigation that tracked malicious activity back as far as a decade. The countries accused APT 31, also sometimes called “Zirconium” or “Judgment Panda,” of assorted breaches dating back to at least 2016. This includes election interference attempts in the US, and attacks in Europe on the European Banking Authority and the Norwegian parliament. The UK says that the group was behind a hack of its Electoral Commission in 2021 and is behind an ongoing surveillance program that targets the email accounts of MPs.
The NCSC has been warning about attacks on the UK armed forces since long before the recent third party breach. In May 2023 it issued a warning to operators of critical national infrastructure, particularly those supplying military facilities, that Chinese hacking group Volt Typhoon was highly active in targeting them. This closely followed a Microsoft report that the group had breached a telecoms company serving a US military installation in Guam, and had been pursuing and successfully breaching similar targets since at least 2021.
The full details of the exposed UK armed forces data have yet to be made public, but in addition to triggering an investigation the third party breach also prompted the Ministry of Defence to announce an “eight point plan” to identify security failings and prevent such incidents from happening again. The Ministry did indicate that there was “evidence of potential failings” at SSCL that the hackers took advantage of, but did not elaborate on whether that means an unpatched vulnerability or an employee falling for a phishing approach.
It is also not yet clear what the Chinese government would want with UK armed forces payroll data. For the most part these APT groups stick to espionage and theft of beneficial corporate secrets, but generally stop short of taking money or running financial scams. Some of the Chinese APT groups are private sector contractors, however, and several have been observed targeting crypto or other funds seemingly as a side activity for their own benefit.
Tom Lysemose Hansen, CTO of Promon, elaborates on what this stolen data might be used for: “Nothing and nobody is unhackable, that’s the lesson from this. While we don’t know the exact volume and nature of the data that was breached, it doesn’t really matter as payroll systems, by their very nature, hold a lot of sensitive information. For example, personally identifiable information like full names, dates of birth and addresses, all of which can be used to forge documents, steal identities and commit fraud. Additionally, these systems will likely hold banking information for each employee, which when coupled with the other stolen information, opens each employee up to a wide range of future phishing scams, and extortion attacks that could result in serious financial losses. What’s worse is that this information will likely not even stay with the attackers now that it’s been obtained. They could (and likely will) sell it on for a cash prize, meaning there is no way of saying in whose hands this information could end up. And similarly, this may not be the only system that was breached, it’s just the one we know about. If they managed to get into one system, there’s a real chance they could have escalated their own privileges to gain access to other systems that we haven’t discovered yet. This breach, while in isolation, may not sound horrific, represents a systemic issue within cybersecurity practice as a whole. We like to think governments won’t be susceptible to the same kinds of cyberattacks that businesses and individuals are. But clearly there’s a hole in the UK’s national defence and nation state hackers are taking advantage of it, so it begs the question ‘how seriously is the UK government taking its cyber defence?’”
Dr Ilia Kolochenko, CEO at ImmuniWeb, believes that this may yet turn out to be the work of a purely financially motivated criminal group: “Amid the unprecedented climate of international hostility and political disagreement, military objects and personnel will increasingly be targeted by cyber attacks sponsored or conducted by foreign nation-states. While few technical details are currently available about this specific data breach, it seems unlikely to be a fruit of foreign state interference. Attacks by foreign states usually aim at silently backdooring military networks, getting control over critical OT/ICS systems, or compromising classified military information. Financial and personal data of UK military personnel is a desired target for organized cybercrime groups that run large-scale fraud, scam and blackmailing campaigns over the Internet, being motivated by profits. Having said this, the attackers can, of course, try to re-sell information to more powerful hacking groups, backed by foreign states, to run laser-focused social engineering or extortion schemes against high-ranking officers of the British army. Thus, the risks should not be downplayed and urgent investigation is needed, however, there is no national security threat based on the information currently available.”