An undisclosed advanced persistent threat (APT) actor possibly backed by the Chinese government is suspected of involvement in a serious supply chain data breach at the UK’s Ministry of Defence (MoD), but the UK has declined to formally attribute the cyber attack stating national security concerns
The cyber attack, which was first widely reported on the evening of Monday 6 May after details of the incident were prematurely leaked, targeted MoD employees, including serving members of the armed forces and veterans, via an attack on an as-yet unnamed payroll system supplier.
The data exposed in the attack includes an estimated 270,000 data points, mainly names and banking details, but has not affected any other MoD systems, nor impacted the payment of salaries.
“In recent days, the Ministry of Defence has identified indications that the malign actor gained access to part of the armed forces payment network,” defence secretary Grant Shapps told the House of Commons in a statement on the afternoon of 7 May.
“This is an external system completely separate to the MoD’s network, and is not connected to the main military HR system…. It is operated by a contractor and there is evidence of potential failings by them, which may have made it easier for the malign actor to gain entry. A specialist security review of the contractor and their operations is underway and appropriate steps will be taken.
“For reasons of national security, we can’t release further details of the suspected cyber activity behind this incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement,” he said.
Shapps went on to outline an eight point plan of action that is already in train, with the affected systems taken offline as a precaution, an investigation including third-party experts underway, and affected personnel being informed and supported appropriately through their chain of command. This will include the provision of personal data protection services.
Shapps stressed that the number of individuals affected was low, and that there was no evidence to suggest data had been stolen.
Link to China unclear
Although no formal attribution has been made to any Chinese APT, the Chinese government has already moved to angrily reject any accusations that its intelligence agencies were behind the latest incident, which comes in the wake of other large scale breaches of UK government entities and officials – such as that of the Electoral Commission – linked to China, over which multiple individuals have been sanctioned, both in the UK and US.
Speaking to Computer Weekly earlier today, former NCSC chief Ciaran Martin said that while the attack on the MoD bore the hallmarks of nation state espionage, the possibility of a nation state’s involvement in cyber espionage was not unexpected and the UK government’s reaction sometimes risked making it hard to see the wood from the trees.
“I’m sitting in a country that for the second time in a month is getting very exercised about Chinese espionage against government, once in parliament, the other now in defence, which is serious, it’s unwelcome, it’s damaging. But at the same time there’s no serious proposal anywhere that spying on governments, especially defence or foreign ministries, is beyond the pale. It is a widespread activity,” he said.
Martin explained that in terms of general public discourse, the prevailing narrative has become one of ongoing Chinese cyber espionage against parliament and the government, but he pointed out that espionage long predates the digital world and is to be expected, while there are other facets to malign Chinese cyber activity more worthy of urgent attention.
“We’re absolutely missing the fact that the US has warned that there is the equivalent of digital explosives under quite a lot of critical infrastructure that can’t kill people, but could cripple the administration of aviation, the administration of healthcare, the administration of all sorts of critical services,” said Martin. “That, to me, is a much, much more important thing to focus national effort on.”
Whatever its provenance, the incident is, however, clearly a serious supply chain breach, with lessons for all organisations.
“Cyber attacks on third-party suppliers continue to highlight the threat that vulnerabilities in the supply chain pose to UK organisations,” said Philip Tansley, a security lawyer at Osborne Clarke.
“Every large organisation – including government departments – will outsource some operations to third party suppliers. This is not itself a bad thing but, as the process of outsourcing becomes increasingly complex and digitised and those suppliers outsource functions themselves, it is becoming increasingly difficult to monitor and manage the risks that a weak link in the supply chain poses.
“Proper oversight and understanding of where vulnerabilities exist by organisations is vital to enable them to manage and allocate risk appropriate and comply with contractual and regulatory obligations,” he said.