The U.K. government has blamed China for a 2021 cyberattack that compromised the personal information of millions of U.K. voters.
In a statement to lawmakers in Parliament on Monday, U.K. deputy prime minister Oliver Dowden attributed the 2021 data breach at the Electoral Commission to hackers working for the Chinese government.
Dowden told lawmakers that the U.K. government “will not hesitate to take swift and robust actions wherever the Chinese government threatens the United Kingdom’s interests.”
It’s the first time the United Kingdom has attributed the breach since the cyberattack was first disclosed in 2023.
The Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote, said at the time hackers took the names and addresses of an estimated 40 million U.K. citizens, including those who were registered to vote between 2014 and 2022 and overseas voters. The data breach began as early as 2021 but wasn’t detected until a year later.
In a statement Monday, the U.K. National Cyber Security Centre (NCSC) said it is “highly likely” that the Chinese hackers accessed and exfiltrated emails and data from the electoral register during the hack.
The NCSC said Chinese intelligence could use the data for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.”
When reached by TechCrunch, a spokesperson for the NCSC declined to attribute the Electoral Commission’s data breach to any specific China-backed threat actor.
Dowden said that a separate attempted cyberattack by a China-backed hacking group targeted the email accounts of U.K. lawmakers in 2021, but that parliamentary authorities mitigated the attempted breaches before any email accounts were compromised.
The NCSC attributed those attempted email hacks to a group of Chinese hackers dubbed APT31, which is known for targeting the online accounts of foreign government officials. Security researchers say APT31 uses malware capable of creating backdoors into systems and exfiltrating sensitive information. The Norwegian government previously attributed a 2018 data breach on its systems to APT31.
The U.K. did not say which lawmakers’ email accounts were targeted, but the NCSC said most of the affected lawmakers have been “prominent in calling out the malign activity of China.”
Liu Pengyu, a spokesperson for the Chinese Embassy in the U.K. denied the allegations, said that China “does not encourage, support or condone attacks launched by hackers,” but added that China will “resort to lawful methods” to counter cyberattacks.
“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world,” said Paul Chichester, director of operations at NCSC. “The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.”
The Biden administration, also Monday, accused several Chinese hackers of involvement with APT31’s efforts to target U.S.-based companies. In 2020, Google security researchers linked APT31 to the targeting of email accounts belonging to the Trump and Biden presidential campaigns.
Last month, a set of leaked documents from Chinese government contractor I-Soon revealed how the private contractor targets and hacks other governments at the request of Chinese authorities.