Chinese hackers ‘drew up plans to target UK government data’
A state-linked Chinese hacking group drew up a hit-list of nearly 20 UK targets, including the Foreign Office and the Department for Exiting the European Union, a data leak has revealed.
The raft of British government departments, think tanks and rights organisations was found to have been selected for potential cyber intrusions in a massive trove of documents leaked from I-Soon, a private Shanghai-based security contractor that has ties to China’s ministry of public security.
Whether any of the British institutions were hacked has not been confirmed, but the documents claim the company was successful in many other cases, including their retrieval of a large database of the road network of Taiwan, which China threatens to invade.
The full list of UK ministries named by the hackers included the Foreign Office, the Home Office, the Treasury, the Department for Exiting the European Union, the National Crime Agency and the departments for business, education, environment, transport and health.
Human rights groups targeted
Think tanks and human rights groups, such as Chatham House, the International Institute for Strategic Studies (IISS), Center for Foreign Policy Studies, RAND Europe, Amnesty International and Human Rights Watch were also mentioned.
A screenshot of a conversation between “Boss Lu”, an apparent fixer for a client in Chongqing, and an I-Soon employee revealed that the Foreign Office was a “priority” for an unnamed party.
The pair discuss how an I-Soon team has detected a “zero day” vulnerability in the Foreign Office’s system, referring to an undiscovered flaw that could allow clandestine intrusion.
“The team said they have found a zero day that they can guarantee to get [info]. The result can be out in two weeks,” says the staff member, asking if the client can give a payment up front.
Boss Lu says an advance will be difficult but that they can discuss a future budget.
Unprecedented insight into state-backed hacking
The Foreign Office declined to comment on the matter.
The highly unusual leak of files from I-Soon last weekend offers unprecedented insight into the secretive world of China’s state-backed hackers-for-hire, who are contracted to exploit software vulnerabilities that expose sensitive information.
Analysts say the anonymous leak, which includes hundreds of pages of contracts, marketing presentations, product manuals and private online conversations, gives a valuable insight into the country’s growing cyber espionage industry.
The majority of the contracts shown in the documents are linked to China’s ministry of public security and some have been signed by the country’s ministry of state security spy agency.
Chinese police were investigating the breach and, according to the i newspaper, UK intelligence agencies were urgently verifying and analysing the documents to check their authenticity and fix any weaknesses in UK infrastructure.
American infrastructure
US officials, who have repeatedly warned about cyber attacks, are also reported to be scouring the files. In January, Christopher Wray, the FBI director, warned that Chinese hackers were “positioning on American infrastructure to wreak havoc” if or when China decided to strike.
I-Soon, known as Anxun in Mandarin, has not publicly commented, but two anonymous employees confirmed the data dump and the subsequent investigation to the Associated Press. The company’s website was taken down on Tuesday.
The Telegraph has asked the company’s chief executive, reported to be a member of China’s first hacktivist group, for comment.
An analysis of more than 570 files by The Washington Post did not find data extracted from Chinese hacking operations but lists, targets and summaries of sample data amounts extracted and details about whether the hackers obtained full or partial control of foreign systems.
One spreadsheet lists more than 80 overseas targets that hackers claim to have breached, including immigration data from India and a collection of call logs from South Korea’s LG Uplus telecom provider. The documents also show apparent I-Soon hacking of networks across Central and Southeast Asia.
Foreign governments
At least 20 foreign governments, such as Taiwan, Malaysia, Thailand, Mongolia and Afghanistan are named as targets and some data reveals surveillance methods used against dissidents from Hong Kong, Xinjiang and Tibet, including those who are exiled abroad.
In one chat record, two employees discuss hacking Nato targets before deciding it’s too difficult.
The source of the leak is not known but the data is deemed credible by cyber experts. It was first posted on GitHub and spotted and shared by a Taiwanese security researcher known as Azaka.
“The leak shows insight into what generally these people are targeting and interested in,” Azaka said.
The leaked data also confirmed how the Chinese groups work, what tools they have at their disposal and the malware they were using, Azaka added.
Cyber attackers ‘linked to Chinese state’
“The leak also gives us an insight as to how the threat groups work - in the sense that the workers do, in fact, work at a company that is then contracted by the MPS [Ministry of Public Security] to do the dirty work, instead of these attackers being directly hired by the government.”
China’s foreign ministry spokeswoman said on Thursday she was not aware of the leak, but “as a principle, China firmly opposes and combats all forms of cyber attacks in accordance with the law”.
A spokesman for the Chinese embassy in London said: “China is a major victim of cyber attacks,” adding that it used “lawful methods” to tackle all forms of cyber intrusions.
“China does not encourage, support or condone attacks launched by hackers. We oppose any groundless smears and accusations against China,” he said.
“Keeping cyberspace safe is a global challenge. We hope relevant parties adopt a constructive and responsible stance and work with China to protect cyber security.”
A Chatham House spokesman said the organisation was “naturally concerned” but had protection measures, such as technology-based safeguards, in place, and it took “data and information security extremely seriously”.
“In the current climate we, along with many other organisations, are the target of regular attempted attacks from both state and non-state actors,” the spokesman added.