The US government has released images of seven alleged Chinese hackers wanted on charges of infiltrating the communications of targets in Britain and America over a 14-year period.
The Department of Justice (DoJ) accused the men of participating in a state-sponsored hacking ring, known to US authorities as APT 31 or by the codename “Violet Typhoon”.
The defendants, two of whom have also been sanctioned by the US Treasury, are: Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang and Zhao Guangzong.
The men, aged between 34 and 38, are connected to Wuhan Xiaoruizhi Science & Technology, a front company operated by an arm of the Ministry of State Security, the Chinese foreign intelligence agency.
Since 2010, the unit has been tasked with what US government officials called a “sinister scheme” of “computer intrusion activities” on behalf of the Chinese government, mainly through email attacks on foreign targets.
The hit list included US government departments, White House staff, China-sceptic British MPs and the UK’s Electoral Commission.
The list also included members of Congress, including both Democrat and Republican senators, the United States Naval Academy and the United States Naval War College’s China Maritime Studies Institute.
The targets were selected “in furtherance of the PRC’s economic espionage and foreign intelligence objectives” of gathering information about potential threats abroad, and in violation of data privacy and computer misuse laws.
Over a 14-year period, the hackers and Chinese intelligence operatives compromised the security of thousands of work and personal email addresses, cloud storage accounts and telephone call records, the DoJ said.
The group operated by sending more than 10,000 emails to their targets, disguised as legitimate messages from journalists or news organisations and containing real news articles that were relevant to the recipient.
Once opened, however, a hidden tracking link in the email would harvest the user’s location, IP address and device information and transmit it back to Wuhan for processing by the Chinese intelligence services.
Using that information, APT 31 was able to access the email accounts and networks of the targets using so-called “zero-day exploits” – the exploitation of security bugs that manufacturers have not yet patched with software updates.
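The tracking-link technique described above relies on the recipient's mail client fetching a remote resource, which reveals the reader's IP address and device details to whoever operates the server. As an added defensive illustration that is not part of the original article, the Python script below scans an HTML email body for the classic beacon shape: a remote image that is one pixel in size, hidden by CSS, or carries a per-recipient query string. The sample email, the host names and the heuristics are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email with a visible article link plus a 1x1 remote
# image, the beacon shape described in the article. Hosts are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi, thought you'd find this piece interesting:</p>
<a href="https://news.example.org/story/123">Read the article</a>
<img src="https://track.example.net/open?id=abc123" width="1" height="1" style="display:none">
<img src="https://cdn.example.org/logo.png" width="200" height="50" alt="logo">
</body></html>
"""


def _tiny(value):
    """True when an img width/height attribute is 1 pixel or less."""
    try:
        return value is not None and int(value) <= 1
    except ValueError:
        return False


class BeaconScanner(HTMLParser):
    """Flags remote images that look like tracking beacons. This is a heuristic
    (hypothetical helper written for this example), not a definitive detector."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted = set(trusted_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        host = parsed.hostname or ""
        # Inline or trusted-host images are not remote beacons.
        if not host or host in self.trusted:
            return
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if parsed.query:
            reasons.append("carries query parameters (possible per-recipient id)")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def scan_html_email(html, trusted_hosts=()):
    """Return a list of suspected beacons found in an HTML email body."""
    scanner = BeaconScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

A scanner like this belongs at the mail gateway or in a client-side filter; the more robust mitigation, which most enterprise mail clients support, is to block remote content by default or to proxy all remote images so that the beacon only ever sees the proxy's address.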
In 2021, the group began to hack the email accounts of British MPs connected to IPAC, the Inter-Parliamentary Alliance on China, after the group began publicly criticising China and the Chinese Communist Party.
The hackers created 10 email accounts to send more than 1,000 emails to 400 people connected to IPAC, and received data back from the accounts of their targets.
The targets included 43 parliamentary accounts and every member of IPAC in the EU.
Joint sanctions
The US and UK have announced joint sanctions on two members of the group, Zhao Guangzong and Ni Gaobin, and on the Chinese front company operating as a satellite of the intelligence services.
“These defendants were part of a Chinese government-sponsored hacking group, targeting US businesses and US political officials for intrusion for over a decade as part of a larger, malicious global campaign,” said James Smith, the assistant director in charge of the FBI’s New York field office.
“These charges are yet another example of hostile actions taken by the PRC to attack not only American businesses and infrastructure, but the security of our nation.”
In the UK, Oliver Dowden, the Deputy Prime Minister, said any hostile cyber activity directed towards UK parliamentarians was “completely unacceptable”.
He said the two attacks demonstrated a “clear and persistent pattern of behaviour that signals hostile intent from China”.
APT 31, short for Advanced Persistent Threat 31, was first publicly identified in 2016 and is believed to have operated since 2010.
Its most devastating attack came in 2021 when APT 31 and another state-backed group took advantage of a flaw in Microsoft’s email server system, Exchange, to steal personal data.
Around 250,000 email servers were affected by the hack.
Victims of the attacks included the European Banking Authority and the Norwegian Parliament, with the UK’s National Cyber Security Centre (NCSC) claiming that the hack “enabled large-scale espionage”.
Cyber experts have described the group as “highly skilled and sophisticated”.
The UK’s Foreign Office said it had sanctioned a front company representing APT 31, as well as two individuals involved in the group, without naming them.
This would freeze any UK-based assets and deny the individuals entry to Britain.