The UK government has accused China of hacking the UK Electoral Commission, gaining access to information about millions of voters.
In the aftermath of the incident, the UK and US governments have sanctioned a company that is a front for the Chinese Ministry of State Security (MSS), Wuhan Xiaoruizhi Science and Technology, and affiliated individuals for their involvement in the breach and for placing malware in critical infrastructure.
The UK and many other countries have growing concerns over cyber operations that target national security, technological innovation and economic interests. China has been linked to state-sponsored cyber espionage activities for some time. Targets have included foreign governments, businesses and critical infrastructure.
While China is not inherently a threat to the UK, the two countries have a complex relationship that is characterised by both cooperation and competition. China has economic influence over the UK and the two compete on innovation. But China’s military ambitions, human rights record and reputation for covert influence campaigns require careful diplomatic and strategic management.
It’s not clear what precisely motivated the attack on the Electoral Commission but such attacks are generally linked to various strategic interests. States may target foreign electoral organisations with the aim of influencing election results or more generally to undermine democratic processes, including by damaging trust among voters. They may seek leverage with whatever information they gather, either economically or in terms of global positioning.
These activities are not unique to China. In a deeply connected and increasingly digitised world, many states are strategically motivated to engage in subterfuge of this kind.
How this kind of attack works
The US Cybersecurity and Infrastructure Security Agency (CISA) has already detailed the methods deployed by affiliates of the MSS in their cyber espionage. They systematically exploit vulnerabilities in software and systems, penetrating federal government networks and commercial entities.
Their approach demonstrates a deep understanding of cyber warfare and intelligence gathering and a high level of expertise. It’s clear that significant resources have been put at their disposal.
Central to their strategy is the active exploitation of vulnerabilities. They meticulously search for and take advantage of weaknesses across target systems and software. By identifying these security gaps, they manage to bypass protective measures and infiltrate sensitive environments, aiming to access and extract valuable information.
In gathering intelligence, these operatives scour publicly available sources – including the media and public government reports – to accumulate critical data on their targets. This could range from specifics about an organisation’s IT infrastructure and employee details to potential security lapses. Such intelligence lays the groundwork for highly targeted and effective cyberattacks.
Meanwhile, they scan for vulnerabilities in the system itself, uncovering essential details like open ports and the services running on them. This will include any software that may be ripe for exploitation due to known vulnerabilities.
The operatives then leverage all this information to gain unauthorised access. They exploit system flaws to induce unexpected behaviours, allowing for the installation of malware, data theft and system control.
The ultimate aim of these operations is the exfiltration of data, such as the names and addresses of British voters in the case of the Electoral Commission. They illicitly copy, transfer, or retrieve data from compromised systems, targeting personal information, intellectual property and government or commercial secrets.
The pencil is mightier than the keyboard
It was known by August 2023 that the Electoral Commission had come under attack but the suspects have only now been named publicly.
Despite the breach, the Electoral Commission claims that the core elements of the UK’s electoral process remain secure and that there will be “no impact” on the security of elections. This is in part because so much of the British system is paper based. People are processed by hand when they go to a polling station on election day, they use pencil and a paper ballot to vote, and their votes are counted by hand.
These factors make it very difficult to influence the outcome of a British election via a cyberattack, unlike in countries that use electronic voting machines or automated vote counting. Paper ballots and records, being tangible and physically countable, provide a verifiable trail. So even in the event of a cyber intrusion, the fundamental act of casting and counting votes remains untainted by digital vulnerabilities.
Stronger systems are still needed
The attack nevertheless raises questions about the effectiveness of existing monitoring and logging systems for detecting data breaches. The attack accessed not only the electoral registers but also the commission’s email and control systems. The data potentially accessed included UK citizens’ full names, email addresses, home addresses and phone numbers.
Nor is the commission the only target in the British political system. The National Cyber Security Centre (NCSC) assesses with a high degree of certainty that APT31, an advanced persistent threat group affiliated with the Chinese state, has engaged in reconnaissance activities targeting UK parliamentarians.
To secure its elections from cyber threats like those from APT31, the UK government is already improving the overall resilience of its elections cyberinfrastructure. It is working closely with the NCSC to identify threats and emerging trends. These efforts are likely to include regular security audits, penetration testing and the adoption of secure software development practices to ensure that systems are robust.
What’s perhaps most significant in the case of the Electoral Commission hack, however, is the fact that the UK government has called China out so explicitly. This is a strategy decided on with allies as a way of holding perpetrators more accountable.
Publicly attributing cyber attacks to specific state actors or groups sends a clear message that such activities are being monitored and will not go unchallenged. This strategy of transparency and accountability is pivotal in establishing international norms and expectations for state behaviour in cyberspace.