By Dan Smith and Sam Dunning

Introduction

This page is intended to serve as a list of cyber-attacks on the United Kingdom (UK) by hacking groups from the People’s Republic of China (PRC). The list is chronological; however, attacks about which there are doubts are listed at the bottom. The list is not comprehensive, but we are trying to ensure that it reflects all the information in the public domain.

The UK government does not have a policy of automatically publicising attacks and only recently, in 2018, began publicly attributing attacks to China. It has been publicly alleged that not all attacks identified by the UK government have been publicised: in 2024, national security officials briefed the press that they believed significant parts of Britain’s critical national infrastructure may have been compromised and that:

“successive governments had decided not to make public the full extent of these vulnerabilities, and that the matter of disclosure was under consideration by the new administration [the Labour government].”

If you would like to contact us about our work on this, please email [email protected]. Nota bene: the length of our notes on the various cyber-attacks is not a reflection of their relative importance. In fact, we have included shorter notes on broad-scale alleged attacks about which there is a lot of online open-source reporting, and longer notes on alleged attacks where there is less available or more disparate reporting, such as the Sellafield case study.

2016–2017 – APT15 (Ke3chang) attack targeting UK Government provider, per NCC Group

In March 2018, NCC Group, a major UK-based cybersecurity company, announced that:

“In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.

“APT15 is also known as Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon.

“A number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology.”

UKCT continues to search for more information about this incident.

Sources:

https://web.archive.org/web/20180312135223/https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ or https://www.nccgroup.com/uk/research-blog/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

2016–2018 – Operation Cloud Hopper (APT10), per UK and allies

On December 20, 2018, the UK government, alongside its allies, publicly accused APT10 of a sustained hacking campaign running since at least 2016, and perhaps starting as early as 2014. They referred to this as Operation Cloud Hopper:

“The UK’s National Cyber Security Centre assesses that APT 10 was almost certainly responsible for a campaign of activity against global Managed Service Providers (MSPs) since at least 2016, widely known as Cloud Hopper.”

The NCSC and Foreign & Commonwealth Office (FCO) explicitly tied these attacks to the Chinese government, referring to the claims as “the first time that the UK government has publicly named elements of the Chinese government as being responsible for a cyber campaign.” This was a significant moment.

Sources:

https://www.gov.uk/government/news/uk-and-allies-reveal-global-scale-of-chinese-cyber-campaign

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

https://en.wikipedia.org/wiki/Red_Apollo

https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-report-april-2021.pdf

2020 – COVID hacks, per WIRED

According to a WIRED article published in July 2020:

“As coronavirus tore through Europe in March and April, so did hackers acting on behalf of the Chinese government. Looking to make the most of organisations scrambling to respond to the health crisis, criminals working for China attacked private companies, research institutions, and governments across the world.

“State-sponsored actors working on behalf of the Chinese government and its security services have tried to “profit from the crisis” and steal information that could be beneficial to the country, a senior Western security source says. These include attacks on a major social care company in the UK.”

WIRED reported that this attack had been attributed to APT41, which has been tied to the targeting of healthcare infrastructure. APT41 is known to exploit flaws in products from Citrix, a cloud computing and virtualisation vendor whose software is used across the NHS (see the HHS advisory cited below). It seems likely that this is how the social care company in question was compromised.

In November 2020, the Guardian published an article discussing PRC hacks of COVID-19 vaccination research programs looking to steal vaccine secrets in “an intellectual property war” – matching claims that much of China’s economic and cyber espionage is dedicated to the theft of intellectual property from western companies.

Sources:

https://www.wired.com/story/china-coronavirus-hacking-uk-us

https://www.hhs.gov/sites/default/files/apt41-citrix-and-zoho-attacks-on-healthcare.pdf

https://www.theguardian.com/world/2020/nov/22/hackers-try-to-steal-covid-vaccine-secrets-in-intellectual-property-war

https://www.bbc.co.uk/news/world-us-canada-53493028

2020 – EasyJet, per EasyJet and other sources

In May 2020, EasyJet admitted to the British Broadcasting Corporation (BBC) that it had been hacked by a “highly sophisticated attacker”. Email addresses and travel details of over nine million customers were reportedly compromised, including 2,208 customers whose card details, CVV numbers among them, were accessed. Both Reuters and The Telegraph cited sources with knowledge of the investigation into the hack in attributing the attack to PRC-affiliated hackers, though neither names a specific APT.

It should be noted that in 2018, British Airways also suffered a massive data breach, through a compromised Citrix login. However, this has never been publicly attributed to the PRC.

Sources:

https://www.bbc.co.uk/news/technology-52722626

https://www.telegraph.co.uk/technology/2020/05/19/easyjet-hit-highly-sophisticated-cyber-attack

https://www.reuters.com/article/easyjet-cyber-china/chinese-hackers-seen-behind-cyberattack-on-easyjet-sources-idUSL8N2D14MA

https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf

March 2021 – Microsoft Exchange Servers, per Microsoft

In March 2021, Microsoft announced that it had detected new ‘zero-day’ attacks (attacks exploiting flaws not previously known to the vendor, for which no patch yet existed) on Microsoft Exchange Server (MES), whereby PRC-affiliated hackers targeted over a quarter of a million users worldwide, including those of over seventy organisations based in the UK. MES provides email and calendar software.

Both the Microsoft Threat Intelligence Center (MSTIC) and the NCSC assess that the hack was perpetrated by HAFNIUM, which has previously been linked to the Ministry of State Security (MSS, China’s top intelligence and security agency).

According to MSTIC, “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs” – typically looking to exfiltrate data. The NCSC supported this saying, “the attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.”

Sources:

https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers

https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking

https://www.theguardian.com/world/2021/jul/19/uk-allies-accuse-chinese-state-backed-group-microsoft-hack

August-October 2021 – Electoral Commission + UK politicians, per UK government

In August 2023, the Electoral Commission published a notification saying that between August 2021 and October 2022, an unknown actor gained access to the British Electoral register, the Commission’s email and data systems, and the personal information of over forty million registered voters. The Commission has said the hack had not “affected the rights or access to the democratic process of any individual, nor has it affected electoral registration,” but suggested voters should remain vigilant for the unauthorised disclosure of their personal information.

In March 2024, then-Deputy Prime Minister Oliver Dowden made a speech to the House of Commons in which he attributed the attacks to PRC-affiliated hackers. Shortly after, the US Treasury and the British Government imposed sanctions on the China-based “Wuhan Xiaoruizhi Science and Technology Company” and a number of individuals tied to it, who are believed to be members of the MSS and to be behind APT31.

Also in 2021, APT31 ran an unsuccessful spear-phishing campaign against CCP-critical Members of Parliament – though this was detected by Parliament’s cyber-security measures and subsequently prevented.

Sources:

https://www.electoralcommission.org.uk/privacy-policy/public-notification-cyber-attack-electoral-commission-systems

https://hansard.parliament.uk/Lords/2024-03-26/debates/3C165BE7-0897-48E9-9D3A-AE9F88F84CF6/CybersecurityAndUKDemocracy (Details on EC hack and Parliamentary hack).

https://home.treasury.gov/news/press-releases/jy2205

https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers

https://rewardsforjustice.net/rewards/apt31-wuhan-xiaoruizhi-science-technology-company-ltd/ (Info on “Wuhan Xiaoruizhi Science and Technology Company”)

https://web.archive.org/web/20230601185650/https://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company/ This and other pages on the ‘Intrusion Truth’ website contain remarkable research (apparently a combination of intelligence tips and open-source research) about Wuhan Xiaoruizhi.

2021 – Flax Typhoon, per UK and allies

On September 18, 2024, the UK NCSC published an advisory alongside the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) of the United States, the Australian Signals Directorate (ASD), Canada’s Communications Security Establishment (CSE), and New Zealand NCSC, in which it exposed a botnet of over 260,000 connected devices (8,500 based in the UK), operated by the PRC through Beijing-based company Integrity Technology Group. According to the advisory, the botnet – identified as “Flax Typhoon” by cyber security companies – has been active since 2021, with victim devices having been observed in North America, South America, Europe, Africa, Southeast Asia, and Australia.

Sources:

https://www.ncsc.gov.uk/news/ncsc-and-partners-issue-advice-to-counter-china-linked-campaign-targeting-thousands-of-devices

https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

February 2022 – News Corp, per UK media

In February 2022, it was reported that journalists working for News Corp (which includes The Times of London, the New York Post, Wall Street Journal and others) had had their email accounts hacked, and that “some data was taken”. The breach was reportedly discovered in January. A cybersecurity company, Mandiant, that was hired to investigate told News Corp that the attackers were linked to China and were “likely involved in espionage activities to collect intelligence to benefit China’s interests”.

Sources:

https://www.reuters.com/business/media-telecom/news-corp-says-one-its-network-systems-targeted-by-cyberattack-2022-02-04

https://www.thetimes.com/article/the-times-and-sunday-times-hack-linked-to-china-mmlp0cg9h

https://www.theguardian.com/media/2022/feb/04/new-corp-hack-murdoch-media-firm-believes-hackers-links-china

May 2024 – Shared Services Connected Ltd, per UK media

In early 2024, media reports emerged suggesting that Shared Services Connected Ltd (SSCL), a cybersecurity contractor for the Ministry of Defence (MoD), had been hacked, exposing the payroll records of upwards of 270,000 service personnel. Government ministers avoided directly implicating the PRC in the hack. Most media outlets reported that China was responsible; however, the specific threat actor has not been named.

According to the Guardian, SSCL potentially knew about the hack in February, only weeks before earning a £500,000 cyber security contract with the MoD. Besides that, there are few details in the public domain.

Sources:

https://www.bbc.co.uk/news/uk-68966497

https://www.theguardian.com/technology/article/2024/may/06/uk-military-personnels-data-hacked-in-mod-payroll-breach

https://news.sky.com/story/china-hacked-ministry-of-defence-sky-news-learns-13130757

https://www.chathamhouse.org/2024/05/mod-data-breach-shows-supply-chain-security-continues-be-top-priority

https://www.gov.uk/government/speeches/defence-secretary-oral-statement-to-provide-a-defence-personnel-update-07-may-2024

https://www.gov.uk/guidance/advice-on-the-armed-forces-pay-network-compromise

July 2024 – APT41 attack, per Google

On July 18, 2024, Mandiant (a subsidiary of Google) published a threat advisory for APT41 – a threat actor previously tied to the Chinese MSS. Whilst little detail is given on the specific companies affected, the report does claim that APT41:

“… successfully [compromised] multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.”

No further details are given, but we can infer from APT41’s modus operandi (the targeting of healthcare providers and the exploitation of flaws in widely used software such as Citrix and Zoho products) that this might refer to other hacks on this list. Still, without verification, we cannot be sure that Mandiant is not referring to a new and separate APT41 intrusion.

Sources:

https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust

https://www.hhs.gov/sites/default/files/apt41-citrix-and-zoho-attacks-on-healthcare.pdf

https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf

*

Two more attacks around which there is some doubt are listed below:

2014 – Genomics England, unconfirmed

Genomics England was founded in 2013 by the UK’s Department of Health and Social Care to lead a pioneering genomic sequencing project. It has since partnered with the National Health Service (NHS) to found the National Genomic Research Library, the Newborn Genomes Programme, and other cutting-edge genomic research projects. Genomics England is a key part of the government’s Genome UK strategy.

In 2023, during a debate about genomics and national security in the House of Commons, George Freeman – then Minister of State for Science, Innovation and Technology – said the following:

“[Beijing Genomics Institute, BGI, a Chinese company] is clearly one of those danger points in the ecosystem. I share with the House the fact that, in 2014, I was wheeled out to give a speech on the occasion of the visit of President Xi to the Guildhall. When President Xi and then Prime Minister Cameron were wheeled in, I was speaking to around 1,000 Chinese delegates about Genomics England. I had been prepared to pay tribute to the work of BGI when my officials pointed out that at that point Genomics England was suffering several hack attacks from BGI each week. That was a wake-up call for all of us.”

The Minister later corrected the record, saying: “There is no evidence of attempted hacking of Genomics England in 2014 from BGI”.

Whilst there is no publicly available data to support Freeman’s initial claim, there is a pool of research suggesting that China aims to collect genomic data from around the world. In 2021, the US National Counterintelligence and Security Center published a report on the PRC’s efforts in this area, and in 2023 the Washington Post published a long article on China’s “quest for human genetic data” and a DNA arms race, lending credibility to the idea of PRC-affiliated hackers targeting databases like those of Genomics England, which holds one of the world’s most significant genomic datasets.

Sources:

https://www.genomicsengland.co.uk/about-us

https://www.gov.uk/government/publications/genome-uk-the-future-of-healthcare

https://hansard.parliament.uk/commons/2023-03-08/debates/3F7E5903-596F-492A-B130-A4503928CA7F/GenomicsAndNationalSecurity

https://hansard.parliament.uk/commons/2023-03-14/debates/CFF9C56F-28F6-410E-B8E3-578DC0CE83CD/ScienceInnovationAndTechnology#5MC

https://questions-statements.parliament.uk/written-questions/detail/2023-03-09/hl6289

https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf

https://www.washingtonpost.com/world/interactive/2023/china-dna-sequencing-bgi-covid

2015 – Sellafield, unconfirmed

Sellafield is a nuclear waste processing and nuclear decommissioning site in Cumbria, owned by the UK’s Nuclear Decommissioning Authority (NDA) and “managing more radioactive waste in one place than any other nuclear facility in the world.”

In December 2023, the Guardian published an article alleging that Sellafield had found signs of cyber intrusion in 2015 but had failed to report it to regulators for “several years”. Citing anonymous sources, it suggested the plant had been hacked by “cyber groups closely linked to Russia and China”, though it did not name a specific threat actor. The Guardian also reported:

“Before publication of news of the hack, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China. After publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.”

In June 2024, it was reported that Sellafield Ltd (owned by the NDA), which manages the site, had pleaded guilty to several charges under the Nuclear Industries Security Regulations 2003, namely:

  • Failing to comply with their approved security plan by not arranging for annual health checks to be undertaken of their information technology systems by an authorized check scheme tester.
  • Failing to comply with their approved security plan by not arranging for annual health checks to be undertaken of their operational technology systems by an authorized check scheme tester.
  • Failing to comply with their approved security plan by failing to ensure that there was adequate protection of Sensitive Nuclear Information on their information technology network.

In October 2024, at the Westminster Magistrates’ Court, Sellafield Ltd was fined £332,500 for these breaches, which the Office for Nuclear Regulation (ONR) described as relating to “management of the security around its information technology systems between 2019 to 2023…” Addressing the media at the time of the plea, Sellafield categorically denied ever having been hacked. The ONR and UK government have also since issued such denials.

Context: In September 2020, the NCSC and international partner agencies published an advisory warning of PRC involvement in the targeting of critical national infrastructure, specifically discussing an attacker’s ability to “live off the land” (using the legitimate tools already present on a compromised network) and so evade detection over the long term, in much the same way as alleged in the Sellafield case. They attribute this activity to Advanced Persistent Threat group (APT) 40, or Volt Typhoon, who more recently were tied to hacks of critical US communications infrastructure in the Pacific, which the FBI believes were intended as preparation for a hot war. Of course, APT40’s role in the alleged Sellafield hack is unconfirmed.

Sources:

https://www.onr.org.uk/our-work/what-we-regulate/sellafield-decommissioning-fuel-and-waste/sellafield

https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china

https://www.theguardian.com/environment/2023/dec/05/ministers-pressed-by-labour-over-cyber-attack-at-sellafield-by-foreign-groups

https://therecord.media/sellafield-guilty-plea-uk-nuclear-facility-cybersecurity

https://therecord.media/sellafield-nuclear-site-cybersecurity-failings-fine

https://www.onr.org.uk/news/all-news/2024/10/sellafield-ltd-fined-332-500-for-cyber-security-shortfalls

https://www.bbc.co.uk/news/technology-68675500

https://www.ncsc.gov.uk/news/ncsc-joins-partners-to-issue-warning-about-chinese-cyber-activity-targeting-cni

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

https://twitter.com/samdunningo/status/1731994395094966761

February 2024 – i-SOON vulnerabilities, per i-SOON leaks

In February 2024, documents allegedly leaked from i-SOON, a Chinese cybersecurity company, detailed planned attacks on various UK entities.

Within the leaks, cybersecurity analysts found details of several hacking attempts targeting the UK. According to the BBC, chat logs from the leaks suggest that Chinese hackers had access to a Foreign Office vulnerability, and that while i-SOON have not acted on it, “a rival contractor has been awarded the work.” The British Treasury, Chatham House, and Amnesty International were also named as targets, though there is no public evidence to suggest any attempts took place or were successful.

Sources:

https://www.bbc.co.uk/news/technology-68372568

https://www.recordedfuture.com/research/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups