A known state-sponsored hacking group from China has been sanctioned by the US Treasury Department for a campaign of cyber attacks over the past decade, and has been named by the UK’s National Cyber Security Centre (NCSC) as the culprit in a 2021 cyber espionage campaign against parliamentarians.
APT31, which has also sometimes made the news as “Zirconium,” has likely been in action for over a decade now and has specialized in intellectual property theft and cyber espionage of foreign government officials. Unlike some of China’s for-profit hacking groups, APT31 is believed to be under the direct control of the country’s Ministry of State Security.
Cyber espionage of UK Electoral Commission involved data theft
The NCSC has directly accused APT31 of a 2021 cyber espionage operation that involved attempts to break into UK Parliament email accounts, and later 2022 cyber attacks on the UK Electoral Commission’s systems.
The 2021 cyber attacks on email accounts appeared to target parliamentarians who have been critical of China. The UK Electoral Commission attacks also involved email accounts, as well as theft of information from the Electoral Register. UK officials believe that the overall objective of both campaigns was cyber espionage focused on criticism of the Chinese government and on the tracking of dissidents that might be in communication with foreign parties.
The NCSC confirmed that data had been taken in the cyber attacks on the UK Electoral Commission, but that the earlier attack against Parliament was blocked before any email accounts could be compromised and that the security of elections was not in any way threatened.
US makes sweeping claims of APT31 cyber attacks
While UK officials implicated APT31 in two specific incidents, the US accused the group of a decade’s worth of cyber attacks as it applied sanctions. Deputy U.S. Attorney General Lisa Monaco indicated that the group had similar cyber espionage goals but went after a much broader range of targets over an extended period of time: a variety of private companies (including 5G technology developers), defense contractors, the families of lawmakers and officials, and journalists and other individuals that might have connections to political dissidents.
APT31’s campaign of cyber attacks against US targets successfully compromised millions of accounts over the full period, ranging from personal and work email to telephone records. The campaign included attempted election interference in 2018, when the hackers breached a public opinion research firm, and in 2020, when an unspecified presidential campaign was targeted.
A Department of Justice (DOJ) indictment has revealed that seven alleged Chinese hackers have had charges filed against them. The Treasury Department sanctioned two Chinese nationals along with the Wuhan Xiaoruizhi Science and Technology, believed to be a public front for APT31. The UK government also placed sanctions on the organization.
Beijing responded to the sanctions with a statement of denial and claimed that the stories of cyber attacks were an act of “political manipulation,” in what has become a standard response to reports of its cyber espionage campaigns. The Foreign Ministry of China has broadly accused the US and its “Five Eyes” partners of spreading disinformation about its state-sponsored hacking, though much of the tracking and reporting on these threat groups comes from unaffiliated cybersecurity firms that have backed up each other’s assertions. New Zealand has additionally accused China of hacking, but has yet to introduce sanctions.
Cyber attacks and cyber espionage are far from the only concerns for these countries; Chinese agents have been caught in the midst of old-fashioned in-person espionage as well. In September 2023, an international affairs researcher working at the UK Parliament was arrested under suspicion of spying for China. And in a 2023 case, two US navy sailors were arrested for spying for the country in return for about $15,000 in cash. They were given jail sentences in early 2024. In 2022, the first Chinese national to be extradited to the US to stand trial as a government intelligence officer received a 20-year sentence for spying on US aviation companies and stealing intellectual property.
The NCSC followed up its announcement of sanctions by publishing updated cybersecurity guidance for political organizations and those involved with elections, reflecting the increased likelihood of facing cyber attacks and advanced cyber espionage attempts by nation-state hacking groups. APT groups under the direct control of a foreign government generally operate with large budgets, have members that are among the world’s most skilled hackers, and have access to stashes of zero-day exploits that have not yet been discovered by researchers or seen in use in the wild.
Al Lakhani, CEO of IDEE, sees this as a strong nudge for the UK government to take implementation of zero trust architecture more seriously: “International relations are built on good faith, mutual interests and a fair bit of give and take. But these are all completely opposed to good cybersecurity practices, which must be built on zero trust. The Government is blatantly tiptoeing around the issue, evidently paralysed by the fear of alienating global superpowers, but the result is compromised personal data and undermining confidence in electoral processes. To avoid these awkward situations, the Government needs to find better ways of protecting its systems and data. When it comes to something as important as national security, relying on outdated cybersecurity solutions that detect attacks, but stop short of preventing them, is nothing short of dangerous. A general election is on the horizon, and the threat of international interference is huge. So, I hope that lessons have been learnt from past breaches, that this marks a turning point in the UK’s cyber security preparedness, and that we move towards a digitally-secure future rooted in identity proofing and transitive trust.”
And while the Biden administration is a bit ahead on that front, Tom Kellermann (SVP of Cyber Strategy at Contrast Security) would also like to see more action from the US side: “The Chinese cyber insurgency is escalating. It’s high time the administration takes more aggressive action to suppress the overt colonization of American infrastructure by the PRC. We must stop playing defense. These sanctions are long overdue; however, I would love to see forfeiture of their western assets.”
Dr Ilia Kolochenko, CEO at ImmuniWeb, notes that increasing attention needs to be paid to the public-private fusion of cyber espionage groups such as these: “Reliable cyberattack attribution remains a complex and time-consuming task in 2024, being a mix of art and science. The most complicated part is to expose who is actually procuring the attack. First, many cybercrime groups are mercenaries motivated by money: they may have one major client for a long period of time and then switch to another one. After establishing or inferring some nexuses between the group and its client, investigators may automatically and incorrectly attribute upcoming attacks – procured by another client – to the first one. Second, individual cybercrime group members may change their “employer” quite frequently. If such an individual was, for example, responsible for malware development at his former group, he would likely reuse his code, as well as some tactics, techniques and procedures (TTPs) for upcoming projects at the new group, once again leading to incorrect attribution of the attacks. Third, numerous databases and other excellent resources by cybersecurity companies exist with detailed technical descriptions of TTPs used by (in)famous hacking groups. Both newcomers and well-established threat actors frequently utilize this information to impersonate or frame another threat actor, perfidiously misleading the investigators. In sum, without a frictionless collaboration between law enforcement agencies (LEAs) from all countries, attack attribution, prosecution and just punishment of attackers remain highly problematic.”