The timely reminder of a hack attack
News that the Chinese APT 40 cyber-hacking unit penetrated parliamentary internet networks in 2021 has renewed concerns about the People’s Republic of China’s (PRC’s) malign intentions in Aotearoa. But is the hack that significant given the length of time that has passed since its discovery and the lack of sensitivity of the information that was accessed?
The hack is unsurprising given New Zealand is a Five Eyes partner, and parliamentary services and the parliament counsel’s office handle sensitive information as a matter of course. Given that China is a main focus of Five Eyes signals intelligence collection, it would be remiss for APT 40 to ignore potential avenues of exploitation when it comes to obtaining political or security-related intelligence in New Zealand. That is part of their mission.
It is reassuring that the GCSB National Cyber Security Centre (NCSC) discovered the hack and found no strategically important or sensitive information was breached. That does not mean that this will be the last time APT 40, or some other unit, will attempt to breach New Zealand government and private cyber defences. That is what they do, and because New Zealand has in the past been seen as the Achilles heel of the Five Eyes network due to traditionally poor cyber security practices, they will likely do so again.
This is an ongoing problem that the NCSC was created to address, but the offence-versus-defence dynamic inherent in cyber espionage and warfare is still in play and will continue to be so.
Some have suggested that New Zealand impose sanctions on the PRC in response to the 2021 cyber intrusion. However, sanctions would be counter-productive.
First, it would be akin to poking a tiger and would invite disproportionate retaliation over what is a relatively minor transgression in the broader scheme of things.
Secondly, these types of breaches are usually handled quietly so that the offending party is not completely sure of how and why they were thwarted or countered. In other words, the GCSB does not show its hand when it comes to its counter-hacking capabilities.
That the breach occurred in 2021 and has only been acknowledged now indicates that the GCSB feels that enough time has elapsed for operational security concerns to be ameliorated and a “fair warning” issued to the hackers that they are being identified, traced and countered. So there is no need for an inevitably damaging public stoush.
The timing of the GCSB announcement about the 2021 hack is also coincident with the US publishing the identities of APT 40 hackers targeting US infrastructure, and Australia and the UK warning of their political interference efforts in strong terms, with particular focus in the UK and US on compromises to voting systems in election years.
The timing of the announcements about PRC hacking efforts therefore seems to be a Five Eyes-coordinated shot across the bow that gives warning to APT 40 and their counterparts that the times of easy access to critical data infrastructure, even if indirectly and even in New Zealand, are over. That remains to be seen, because if nothing else the PRC hacking community is ingenious, well resourced and persistent. For them, this is part of the PRC’s ascent to having a multi-dimensional, multi-domain warfare capability on its way to achieving superpower status. As part of Five Eyes, New Zealand is standing in the way of that goal (albeit in a small way).
Ultimately the revelations about APT 40’s work in New Zealand are a reminder against cyber complacency at home and at work, be it in the public or private sectors. So long as New Zealand is a member of the Five Eyes network and the PRC is an adversary and target of that network, APT and other PRC intelligence units will be hard at work seeking to discover and exploit any potential avenues of opportunity in New Zealand cyber-space.
It may be that in the past “loose lips sank ships”, but in the contemporary era all keystrokes, TikToks and Instas are also grist for the cyber mill — and exploitable as such.