It comes as the Parliamentary Service acknowledges it too knew a former MP was hacked but hasn’t explained what “preventative actions” it took in response.
Former Labour MP Louisa Wall and former National MP Simon O’Connor are calling for an independent investigation into the agency’s handling of the matter after it was revealed the GCSB was told about the 2021 attack in 2022 but didn’t tell Wall or O’Connor, who were targeted because of their links to the Inter-Parliamentary Alliance on China (IPAC).
Now, the Inspector-General of Intelligence and Security Brendan Horsley has confirmed he is conducting “preliminary inquiries” and will receive a briefing from the GCSB next week before deciding whether any further inquiry is necessary.
O’Connor welcomed Horsley’s decision, saying it was a positive first step.
“Those of us affected, as well as current MPs, are calling for greater transparency so it is our hope this leads to a fuller investigation to understand who knew and then why those targeted were not informed.
“Ultimately, we want to see change so that in the future any parliamentarians and public figures are told of such cyber attacks.”
Wall said it was reassuring to see the matter was being looked into.
“I trust that the Inspector-General will carefully evaluate the information gathered to determine the need for any further inquiry.”
University of Canterbury Professor Anne-Marie Brady, who was the sole academic out of the more than 120 IPAC members across the globe to be targeted in the attack, was glad Horsley was taking the situation seriously.
“[The] New Zealand Government has known since 2022 that China’s Ministry of State Security had targeted me and two NZ MPs for cyber attacks and they chose not to tell us. Now that the matter has become public, the Government has an opportunity to improve its practices around cyber security and foreign interference.”
University of Canterbury Professor and China expert Anne-Marie Brady has welcomed the watchdog's statement.
Current IPAC New Zealand co-chair and Taieri MP Ingrid Leary expected Horsley to make his findings public.
“We think having an understanding of when he will make his findings known will provide assurance to impacted MPs and the public that this issue is of high priority and that the best interests of our democracy are paramount.”
Yesterday, Wall and O’Connor’s anger at not being informed of their link to the cyberattack - which targeted parliamentarians in various governments in other countries - prompted the GCSB to acknowledge it learned the information from the United States Federal Bureau of Investigation (FBI) in 2022.
Wall’s parliamentary email address and Brady’s university email address were on the FBI’s verified list of addresses targeted in the cyber attack. O’Connor’s was not on the list but it was likely he was targeted, given he had received emails linked to the attack.
The GCSB didn’t explain why the agency didn’t inform Brady or the MPs, but said in a statement it “took action” on the information, including “engagement with Parliamentary Service”.
In a statement, Parliamentary Service chief executive Rafael Gonzalez-Montero told the Herald the GCSB’s National Cyber Security Centre informed Parliamentary Service about a “potential cyber security threat against a former MP” - presumably Wall.
Gonzalez-Montero said a risk assessment took place and “preventative actions” were taken.
Parliamentary Service chief executive Rafael Gonzalez-Montero said a risk assessment was done after the GCSB shared the information. Photo / Mark Mitchell
He didn’t expand on the actions for security reasons and said he didn’t contact Wall because she was no longer an MP.
The GCSB today refused to answer several follow-up questions from the Herald regarding its engagement with Parliamentary Service and whether it informed ministers in 2022. The former Government’s minister responsible for spy agencies, Andrew Little, has declined to comment, saying the matter was classified.
Over the coming days, the agency would be assessing the “notification steps” it took in light of the dissatisfaction expressed by Wall, O’Connor and Brady.
Little, Prime Minister Christopher Luxon, GCSB Minister Judith Collins and Labour leader Chris Hipkins have all said they would have expected MPs targeted in cyber attacks to be informed. Hipkins accepted it would be a failure of Little and former Prime Minister Dame Jacinda Ardern if they had been advised in 2022 and the targets hadn’t.
The FBI found the hack was conducted by the Chinese state-sponsored group Advanced Persistent Threat 31 (APT31). It involved emails from “nropnews.com” containing tracking pixels to gather recipient data like IP addresses and device types.
It was a separate incident to the cyber attack Collins attributed in March to another group, APT40, that targeted the Parliamentary Counsel Office and the Parliamentary Service alongside some MPs’ data that wasn’t strategic or sensitive in nature.
Adam Pearse is a political reporter in the NZ Herald Press Gallery team, based at Parliament. He has worked for NZME since 2018, covering sport and health for the Northern Advocate in Whangārei before moving to the Herald in Auckland, covering Covid-19 and crime.
