The United Kingdom government has accused China of being responsible for a cyberattack in 2021 that compromised the personal information of millions of British voters.
In a statement to lawmakers in Parliament on Monday, U.K. deputy prime minister Oliver Dowden stated:
“We attribute the 2021 data breach at the Electoral Commission to hackers working for the Chinese government. We will not hesitate to take swift and robust actions against any threats to the interests of the United Kingdom.”
This is the first time the U.K. has publicly attributed the breach since it was first discovered in 2023.
The Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote, revealed that hackers accessed the names and addresses of approximately 40 million U.K. citizens, including those who were registered to vote between 2014 and 2022, as well as overseas voters. Although the data breach began in 2021, it was not detected until a year later.
A statement from the U.K. National Cyber Security Centre (NCSC) on Monday stated:
“It is highly likely that Chinese hackers accessed and exfiltrated emails and data from the electoral register during the hack. This information could potentially be used by Chinese intelligence for large-scale espionage and the oppression of dissidents and critics in the U.K.”
When contacted by TechCrunch, a spokesperson for the NCSC declined to name any specific China-backed threat actors involved in the Electoral Commission’s data breach.
The U.K. government also revealed that a separate cyberattack attempt in 2021 was thwarted by parliamentary authorities. The hacked targeted the email accounts of U.K. lawmakers, but no accounts were successfully compromised.
The NCSC attributed the attempted email hacks to a group of Chinese hackers known as APT31:
Security researchers have linked APT31 to the targeting of online accounts belonging to foreign government officials. The group is known to use malware that can create backdoors into systems and steal sensitive information. In 2018, the Norwegian government attributed a data breach on its systems to APT31.
The U.K. government did not disclose which lawmakers’ email accounts were targeted, but the NCSC stated that most of the affected lawmakers have been vocal in criticizing the actions of the Chinese government.
A spokesperson for the Chinese Embassy in the U.K. denied the allegations, stating that China does not support or condone cyberattacks launched by hackers. However, they also added that China will “resort to lawful methods” to defend against cyberattacks.
Paul Chichester, director of operations at NCSC, stated:
“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behavior from China state-affiliated actors against the U.K. and the rest of the world. Targeting our democratic system is unacceptable, and the NCSC will continue to identify and address cyber actors who pose a threat to our society’s institutions and values.”
On the same day, the Biden administration also accused several Chinese hackers of being involved in APT31’s attempts to target U.S.-based companies. In 2020, Google security researchers linked APT31 to the targeting of email accounts for both the Trump and Biden presidential campaigns.
Last month, a set of leaked documents from a Chinese government contractor revealed how the contractor targets and hacks other governments at the request of Chinese authorities.