Monthly Archives: March 2024

Did China Target British MPs With Cyber Attacks?

News emerged from the UK government today that Chinese groups have been accused of launching a series of attacks, in one instance against the Electoral Commission and potentially accessing the personal details of millions of voters. A rumoured 40 million victims could be affected.

The UK’s Deputy Prime Minister Oliver Dowden – who delivered the statement in Westminster earlier this afternoon – insisted that UK political institutions “have not been harmed by these attacks,” and said the UK government condemns “in the strongest terms” the threatening behaviours by China and that preventative action will be taken.

So what were these attacks? Dowden pointed at the attempted hit (or potentially multiple hits) on the UK Electoral Commission between 2021 and 2022, as well as China having ‘conducted reconnaissance activity’ against parliamentarians in 2021. In the first instance, the attackers apparently did not succeed, but it does make me wonder if MPs were specifically targeted.

The gains from a successful targeting and compromise of such a politician could provide quite the reward for a clever hacker. Compromise could mean access to internal networks in UK parliament, opportunities for email spoofing and even connections to the top government ministers.

The Deputy PM says it’s “almost certain” that the China state-affiliated APT 31 group “conducted reconnaissance activity” against UK parliamentarians during a separate campaign in 2021.

APT 31 has reportedly targeted government in the past, as well as financial services organisations, high tech, construction and engineering, telecommunications, media, and insurance, and is named by Mandiant as a “China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages.”

Mandiant also says APT 31 “has exploited vulnerabilities in applications such as Java and Adobe Flash to compromise victim environments.” Let’s hope no MPs received and opened a suspicious attachment in the past few years.

What are the immediate takeaways from this? Firstly, that government is talking about cybersecurity, and making firm judgements on who is responsible. It may not come as any surprise that China is still being named as a perpetrator of major attacks; even CISA names the PRC (along with Russia and North Korea) as ‘nation-state adversaries’, who ‘are known for their Advanced Persistent Threat (APT) activity.’

Secondly, that there have been reported attacks on the UK’s electoral roll. I’m in no doubt that this has been targeted before, but typically attackers go for money or intellectual property. What use is a list of people’s names to a nation? Well actually it could be very useful if it is for nefarious purposes, and contains live email addresses among those personal details.

Thirdly, that MPs are being deliberately targeted. What is interesting here is that MPs’ email addresses appear on several websites for people (including constituents) to contact them. We know these emails often go to the MP’s staff and secretaries, but are they suspicious of emails and rogue attachments?

Fourthly, we’re still pointing the finger at APT groups, nation state and affiliated attacker groups. They go after major industry verticals, go after money and IP and generally operate either for or in ideological support of nations. It’s some 11 years since I first learned about APT1, also based out of China, and since then the number of identified nation state attackers continues to increase.

Fifth and finally, what happens next? Is this going to be a case of mud slinging and naming and shaming by the UK government, and nothing happens until the next attribution? Hard to say, but Prime Minister Rishi Sunak called China “the greatest state-based challenge to our national security” and said “it is right we take steps to protect ourselves.” What are those steps exactly?

China has responded, with a message on its UK Embassy website calling the accusations of “so-called cyber attacks” “completely fabricated and malicious slanders” and saying that it strongly opposes such accusations. A spokesperson said: “We urge the relevant parties in the UK to stop spreading false information and stop their self-staged, anti-China political farce.”

It’s always positive to see national leaders discuss cybersecurity issues and take the matters to the nation, and ensure those affected are identified and protected. I just hope that the story doesn’t end with a statement.

Cloud & Cyber Security Expo – People Factor Discussions Advance

While society as a whole has undertaken an effort to ‘be more kind’ in the past decade, it’s always so reassuring to see the UK cybersecurity conference scene follow that lead.

This week saw one of the first major events of the year take place, with the Cloud and Cyber Security Expo held in London’s Excel centre. Of the half dozen (or so) talks I was able to attend – kudos to the organisers for an incredibly busy show and standing room only for most of the talks I was at – the mood was generally positive when it comes to the attitude towards hiring, users and leadership.

The Human Element Conversation

In the past there has been far too much blaming of the users, mention of the ‘weakest link’ and figuring out where to place the blame in negative instances.

The messages were generally aligned: Stu Hirst talked of the issue of imposter syndrome, and asked the audience how many felt they suffered a form of this – it was not a surprise to see many raise their hands to admit their vulnerability to this case. He identified the five forms of this syndrome:

  • The perfectionist – who sets their goals too high
  • The superman or superwoman – who believes their colleagues are more talented than them
  • The genius – who feels they are a failure if they don’t work hard enough
  • The individualist – who feels they are failing if they ask for help
  • The expert – who feels they tricked their way into their job and will be found out

This wasn’t the first time I’d seen a talk on imposter syndrome; I first came across it when I saw Dr Jessica Barker present a few years ago at SteelCon on this subject, but that factor actually plays into my experience of this syndrome.

A few years after seeing Jessica present at SteelCon, I presented in the same room as she had, and my feelings aligned with the Superman and Expert factors: what right did I have presenting on the same stage as someone who I respected?

I’ve not spoken to anyone about this, because I know they would tell me that I got to that point by doing my research and submitting a talk idea which was judged by the conference’s content reviewers, and they deemed it to be good enough, so there was no need to be bashful about what I had done. However the issue played on my mind, and this excellent talk by Stu stirred these memories.

I guess the conclusion is to believe in yourself and your achievements, and make sure you know that what you’ve done is good enough in your eyes, and be proud of what you have done and continue to do. That may be easy to say, and for me this is several years on, but to face this mental challenge continually is something people do need to talk about.

Diversity Talks with an Outcome

This leads to some of my other takeaways from the conference. Arguably the best session of the day that I attended was on women in cybersecurity, ‘fostering a diverse and inclusive cyber workforce.’

I’ve seen many discussions on women in cyber over the years and many fail to provide a workable solution apart from the need to ensure there is more diversity in the workplace, that there needs to be more diversity in the hiring panel, and job descriptions need to be more realistic of experience and expectations.

What I would like to see is more discussion on respect in the workplace, discussion on parity in salary and opportunities, and opportunities for support and career progression.

On this panel, one speaker – Cheila Dos Santos – really stood out, talking about how as a black woman she was described as ‘sassy’ and ‘would put the men in check’. She talked of the concept of ‘pre-judgement’ of people, rather than by what they can bring to a role.

The panel also discussed what businesses can do to ensure mentors are assigned properly, and what mentors can do, and how experience and skills should be considered before assigning more ‘admin tasks’ that the panel said women are often tasked with doing.

It is very reassuring to see the conversation continue on women (and overall diversity) in cybersecurity, and this discussion on how to enable people to do the work that suits them and achieve their goals was very enjoyable.

The other talk worth mentioning was on the concept of allyship, and ‘fostering inclusive environments for cybersecurity professionals.’ This panel discussion was interesting for its proposals around ensuring diversity is achieved via the job descriptions and advertisements as mentioned above, and also the concept of ‘laying out the welcome mat’, as people are “all fighting for an inclusive work environment.”

I guess one of the issues is there is too much expectation for women in cybersecurity to bring those soft skills to the security teams, rather than be leaders. Having the best people do the top jobs has to be the priority, and ensuring that they can be supported remains important.

Overall it was a positive first conference of the year. Yes, there was plenty of discussion of AI, and that will be reflected in future work, but for now these ‘people’ issues remain important, as does ensuring processes are put in place so that there are supportive opportunities.