Chinese state-sponsored group targeted New Zealand Parliament network

A Chinese state-sponsored group stole data relating to New Zealand MPs in a hack on Parliament in 2021, it has been revealed.

It has prompted the Government to directly express its concerns to China and call out the country in what the Prime Minister is describing as a "first" for New Zealand.

Minister responsible for the Government Communications Security Bureau (GCSB) Judith Collins announced New Zealand’s Parliamentary Counsel Office (PCO) and the Parliamentary Service had been "compromised by a malicious cyber actor".

She said links had been established between a Chinese state-sponsored actor and the cyber activity.

The announcement came hours after the United Kingdom revealed new details about a Beijing-backed group targeting its electoral commission. The United States and Australia have also said they were hit by the cyber attack.

"The GCSB’s National Cyber Security Centre (NCSC) completed a robust technical assessment following a compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021, and has attributed this activity to a PRC state-sponsored group known as APT40," Collins said.

"Fortunately, in this instance, the NCSC worked with the impacted organisations to contain the activity and remove the actor shortly after they were able to access the network."

Collins said the networks contained important information that enables the effective operation of the New Zealand Government.

"It is critical that we protect this information from all malicious cyber threats," she said.

Collins added that the impacted organisations acted decisively to mitigate the impact, and have since taken measures to harden their cyber defences and strengthen the resilience of their networks.

The GCSB spoke to the media on Tuesday, where it was revealed the state-backed hackers had accessed information from New Zealand MPs.

GCSB boss Andrew Clark told reporters on Tuesday that while some data involving MPs was taken, no sensitive or strategic information was accessed.

National Cyber Security Centre Director Lisa Fong added it was a "reasonably small amount of information" taken. She said when there were indications that any MPs or their officers were involved, the Speaker and Parliamentary Service engaged with GCSB.

Clark said the MPs did not face the same level of cyber attacks as counterparts in the UK.

He also said the UK Electoral Commission was hacked; however, they have seen no information to suggest New Zealand's election was compromised.

Clark would not go into specific detail about the data that was accessed for security reasons; however, he acknowledged it was not of a "strategic or sensitive" nature. He also would not say how long the hackers were in the system.

Foreign Minister Winston Peters has confirmed New Zealand’s concerns about cyber activity have been conveyed directly to the Chinese Government. 

"The Prime Minister and Minister Collins have expressed concerns today about malicious cyber activity, attributed to groups sponsored by the Chinese Government, targeting democratic institutions in both New Zealand and the United Kingdom," Peters said.

"It is important that these concerns also be conveyed directly to the Chinese Government. It is for that reason that I directed senior officials at the Ministry of Foreign Affairs and Trade to speak today to the Chinese Ambassador, to lay out our position and express our concerns. That conversation has now taken place.

"Foreign interference of this nature is unacceptable, and we have urged China to refrain from such activity in future. New Zealand will continue to speak out – consistently and predictably – where we see concerning behaviours like this."

He added New Zealand and China have a significant and complex relationship.

"We cooperate with China in some areas for mutual benefit. At the same time, we have also been consistent and clear that we will speak out on issues of concern," Peters said.

New Zealand has stood with the United Kingdom in condemning the activity.

"The use of cyber-enabled espionage operations to interfere with democratic institutions and processes anywhere is unacceptable," Collins said.

However, the Government did not go as far as to impose sanctions. The US and UK have announced sanctions against a company and two people linked to the Chinese government.

Speaking to reporters on Tuesday, Prime Minister Christopher Luxon said calling out China is an "entirely appropriate" response and a "very big step" for New Zealand.

"Calling it out is important because being public about it and putting sunlight on it and calling it out is actually a very good thing for New Zealand," Luxon said.

"…This is the very first time we have publicly attributed China to interference in our democratic processes and institutions. We are also standing up with like-minded countries that also have values that want to protect liberal democracies around the world and I think it is a great response."

It comes after both UK and US officials alleged China was behind a sweeping cyberespionage campaign on Tuesday morning. 

Authorities from both the UK and US have accused the hacking group of being an arm of China's Ministry of State Security.

The UK said the hack may have gained access to information on tens of millions of UK voters held by the Electoral Commission.

Meanwhile, in the US an indictment was unsealed on Monday (US time) against seven of the alleged Chinese hackers involved. US prosecutors said the hacking resulted in the confirmed or potential compromise of work accounts, personal emails, online storage and telephone call records belonging to millions of Americans, according to Reuters.

US Deputy Attorney General Lisa Monaco said the aim of the global hacking operation was to "repress critics of the Chinese regime, compromise government institutions, and steal trade secrets".

The announcements were made as both the US and UK imposed sanctions against a Chinese company and two people tied to the hacking activity.

Australia has since also backed the UK and the US, condemning the malicious cyber activities. According to local media, its government singled out China as the main culprit behind state-backed cyber hacks on large companies and critical infrastructure in a cyber threat report released in November.

Hackers behind another separate cyber-attack in New Zealand

The GCSB has confirmed the hackers were responsible for another attack in 2021.

Former Labour minister for GCSB Andrew Little announced back in 2021 that the Government had uncovered evidence of Chinese state-sponsored cyber-attacks in New Zealand. The attacks were linked to Chinese state-sponsored actors known as Advanced Persistent Threat 40 (APT40).

Little said the hackers tried to exploit vulnerabilities in Microsoft Exchange.

Collins confirmed on Tuesday it was the same group (APT40) responsible for the cyber-attack; however, she stressed these two attacks were separate events.

He said the difference in the cyber attack revealed on Tuesday was that Parliament and Government systems were involved.

Clark said the reason the public is only finding out about the second attack years later is due to multiple factors.

Firstly, he said robust forensic analysis and technical attribution take time to do well. The next thing was to remediate vulnerabilities in system networks and be confident that vulnerabilities don't still exist.

"The last thing we don't want to do is to come out with a statement of this sort while affected organisations and networks are still vulnerable," Clark said.

He also said they had to compare notes with international partners and then decide when to go public.

"In this case, we want to be able to as a country reinforce the norms of responsible behaviour internationally in cyberspace and that is best done in company with other partners," Clark said.

"More voices are useful when you are going to try to reinforce norms of international behaviour."

In response to questions on why the Labour Party, which was in government at the time, didn't tell New Zealand earlier about the second cyber attack, former Prime Minister Chris Hipkins said they hadn't finished the process in order to do so.

"It's a pretty big step to name a country with foreign interference. We were going through the process of preparing to do that. We obviously didn't quite get to the end point. That involves alignment with the other partners, our other international partners," Hipkins said.

"I would have liked to have been able to do it earlier but I endorse the statement that Judith Collins has released."

The Chinese ambassador Wang Xiaolong has rejected the accusations in a statement calling them "groundless and irresponsible accusations against China on cyber attacks or intrusions."

Xiaolong said the embassy has lodged a serious complaint to New Zealand authorities. 

"Non-interference in other countries’ internal affairs is a fundamental principle of China’s diplomacy. No one should do to others what they do not want done to themselves. We have never, nor will we in the future, interfere in the internal affairs of other countries, including New Zealand," the statement said.