The Government was allegedly briefed about China hacking New Zealand MPs in 2021 but didn't inform them. Photo / Mark Mitchell
The Government was allegedly briefed about China hacking New Zealand MPs in 2021 but didn't inform them. Photo / Mark Mitchell
The Government Communications Security Bureau (GCSB) knew in 2022 that former New Zealand MPs and an academic were targeted in a China-backed cyber attack, but didn’t tell them.
It comes as former Labour MP Louisa Wall and former National MP Simon O’Connor express their anger and disappointment at not being told about the 2021 attack as they request an independent investigation.
The spy agency confirmed in a statement it was “made aware of the potential targeting of email addresses relating to New Zealand representatives on the Inter-Parliamentary Alliance on China [IPAC]”. The GCSB learned of the attack’s targets from the United States Federal Bureau of Investigation in 2022.
The agency is refusing to say whether it briefed ministers about the cyber attack that targeted Wall, O’Connor and academic Professor Anne-Marie Brady. All three have represented New Zealand in IPAC.
“We continually receive a large volume of information from a range of international and domestic sources relating to potential malicious cyber activity. We have established processes for assessing such information to determine what follow-up action is required,” the spokesperson said.
In a statement, the minister responsible for New Zealand’s spy agencies, Judith Collins, didn’t confirm whether she’d been previously briefed on the attack, but said it was up to the agency to decide what to do with the information.
“The GCSB has processes for assessing information relating to potential malicious cyber activity to determine what follow-up action is required.
“This information is always taken very seriously and dealt with accordingly.”
Collins said she was “awaiting further advice” on the incident. Her statement didn’t clarify whether GCSB briefed the former Government in 2022.
Earlier on Wednesday, Collins said she would have wanted to know if she had been a target of a hack. She also refrained from advocating for an investigation or the involvement of Parliament’s Privileges committee until more information came to light.
Wall told the Herald the lack of notification was concerning and believed the minister’s response was “inadequate”.
“As one of the individuals affected, I urge the GCSB to prioritise transparency and accountability in their notification processes.
“We had a right to know, as emphasised by the minister’s own acknowledgment that MPs who have data compromised should be informed. The people of New Zealand deserve nothing less.”
Former Labour MP Louisa Wall. Photo / Mark Mitchell
O’Connor echoed Wall as he demanded answers about whether ministers were aware of the hack. He felt the matter should be addressed by the Privileges Committee.
“I would have thought letting me know would have been a rather basic step in preventing any further incursions.
“That much of this information eventually became public via the US Department of Justice is striking and yet New Zealand agencies still did not make contact with us begs even further questions.”
O’Connor and Wall were recently informed by IPAC that the FBI had contacted various governments of targeted legislators, including New Zealand, to brief them through a “Foreign Dissemination Request” in 2022.
Wall’s parliamentary email address and a University of Canterbury email address for New Zealand IPAC adviser Anne-Marie Brady were on the FBI’s verified list of addresses targeted in the cyber attack. O’Connor’s was not on the list but it was likely he was targeted given he had received emails linked to the attack.
The pair were calling for an independent investigation into the matter, Wall saying such an inquiry should assess “the Government’s handling of it, to uncover any negligence, cover-ups, or failures in cybersecurity protocols”.
It had come to light in recent days that governments in other countries withheld informationabout elected representatives being hacked, including in Canada where one of its spy agencies has stated it shared details of the cyberattack with officials but not the MPs in 2022.
In March, Collins confirmed at the time the Parliamentary Counsel Office and the Parliamentary Service were targeted in a cyber attack by a state-sponsored group known as Advanced Persistent Threat 40 (APT40), alongside some MPs’ data that wasn’t strategic or sensitive in nature.
The cyber attack that targeted Wall and O’Connor was a separate incident, also in 2021, conducted by another group, APT31.
Prime Minister Christopher Luxon said he didn’t have any further details about the attack that targeted the former MPs, but he expected to be briefed “in due course”.
He accepted it was his expectation that MPs targeted in cyber attacks would be informed.
Chris Hipkins says he wasn't informed of MPs being targeted while he was Prime Minister. Photo / Mark Mitchell
Labour leader Chris Hipkins said the 2022 briefing occurred before he was Prime Minister and as such, “was not given information that there were individual MPs whose emails had been accessed”.
No information was shared with him after taking over from former PM Dame Jacinda Ardern, he said.
Hipkins agreed it would be a failure of Ardern and former GCSB minister Andrew Little if they had known but not informed the MPs.
Little, who was no longer in politics, said he couldn’t comment on whether he’d been briefed on the FBI’s communication in 2022 as the matter was classified.
Little did say it would be expected that if MPs were targeted in such a way, they would be informed.
“My experience of the agencies is that if they perceive a potential threat, a security threat to an MP or to anyone they describe as a sensitive category individual, then they take appropriate action on it and I’d be surprised if that didn’t happen in this case.”
Little defended his actions as the minister responsible and said any investigation would be conducted by the Inspector-General of Intelligence and Security.
Taieri MP Ingrid Leary, the current IPAC New Zealand co-chair alongside Southland MP Joseph Mooney, confirmed to the Herald she had received the same briefing from IPAC as O’Connor and Wall.
“This was an unacceptable attack on elected New Zealand parliamentarians which sought to violate our parliamentary privilege and undermine our sovereignty,” Leary said.
Her briefing didn’t include who specifically within the New Zealand Government was informed about the hacking so was unsure to what level ministers might have known.
“We want a commitment that MPs and citizens will be notified and informed immediately when our Government is alerted to such digital incursions.”
Former National MP Simon O'Connor. Photo / Mark Mitchell
Alongside Wall and O’Connor, the attack in January 2021 reportedly targeted 122 members of IPAC. The attack involved emails from “nropnews.com” containing tracking pixels to gather recipient data like IP addresses and device types.
”As a retired MP, I stand in solidarity with my former colleagues and all affected individuals in demanding answers and accountability from the Government regarding the handling of this 2021 cyber attack by China-affiliated hackers,” Wall said.
“We urge the Government to disclose the details of the attack and provide insight into the steps taken to address it.”
Brady, an academic and expert on the Chinese Communist Party, said she was distressed to learn she too had been targeted.
“In this case, the Government had the information, they chose not to tell me when they knew it was a progressive attack and there would be real utility in telling me so I could protect myself.”
Since being briefed, Brady had engaged specialist help to improve her cyber security.
She suspected the FBI had informed the GCSB, which had then briefed ministers of the former Government. The briefing did not detail whether ministers were consulted.
Brady supported calls for an inquiry and urged the Government to live up to its statements regarding the New Zealand-China relationship that outlined how New Zealand would communicate concerns to China.
“[The Government is] not living up to its own norms on that.”
Adam Pearse is a political reporter in the NZ Herald Press Gallery team, based at Parliament. He has worked for NZME since 2018, covering sport and health for the Northern Advocate in Whangārei before moving to the Herald in Auckland, covering Covid-19 and crime.
