UK ‘turning up to a gunfight with a wooden spoon’ over China cyber-attacks

Stewart McDonald, an SNP MP who is among those subjected to “harassment, impersonation, and attempted hacking” from China, said ministers had their heads in the sand.

Beijing has been publicly blamed for targeting the Electoral Commission and also being behind a campaign of online “reconnaissance” aimed at the email accounts of MPs and peers.

A front company, Wuhan Xiaoruizhi Science and Technology Company, and two individuals, Zhao Guangzong and Ni Gaobin, linked to the APT31 hacking group have been sanctioned in response to the malicious cyber activity against the parliamentarians.

Foreign Secretary Lord Cameron said the actions were “completely unacceptable” and he had raised the issue with his Chinese counterpart Wang Yi. The Chinese ambassador has also been summoned to the Foreign Office to account for his country’s actions.

Deputy Prime Minister Oliver Dowden, who announced the measures in a Commons statement, said: “The UK will not tolerate malicious cyber activity targeting our democratic institutions.”

But Mr McDonald said: “The Deputy Prime Minister has turned up to a gunfight with a wooden spoon. The attack that he stood at the despatch box and announced happened three years ago, but he comes to the House and calls it swift.

“He comes to the House and says he has taken robust action, but … the entity he sanctioned has fewer than 50 employees and a turnover of £250,000-a-year. He hasn’t sanctioned a single Chinese state official.”

Former Tory leader Sir Iain Duncan Smith told the Commons: “Whilst I welcome these two sanctions from the Government, it is a little bit, this statement, like an elephant giving birth to a mouse.”

Earlier, both men took part in a press conference as part of the Inter-Parliamentary Alliance on China. They said they had been “subjected to harassment, impersonation, and attempted hacking from China for some time”, alongside other politicians and activists.

Sir Iain said China, North Korea, Russia and Iran form an “axis of totalitarian states”, adding: “The West has to wake up to the fact that this is a challenge to the very way that we live our lives – to our belief in democracy, human rights, freedom of expression, freedom of worship. These are the things that we hold dear.”

He called for China to be labelled as a “threat” by the Government, rather than an “epoch-defining systemic challenge”.

Meanwhile, Mr McDonald warned that universities in Scotland are “massively overdependent on money that comes from the Chinese state”.

The Electoral Commission attack was identified in October 2022 but the hackers had been able to access the commission’s systems containing the details of tens of millions of voters for more than a year by that point. The registers held at the time of the cyber attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

The National Cyber Security Centre (NCSC), part of GCHQ, said it was likely that Chinese state-affiliated hackers stole emails and data from the electoral register. This, in combination with other data sources, was highly likely to have been used by Beijing’s intelligence services for large-scale espionage and transnational repression of perceived dissidents and critics based in the UK. There is no suggestion the hack had any impact on the largely paper-based UK electoral system.

John Pullinger, chair of the Electoral Commission, said the announcement “demonstrates the international threats facing the UK’s democratic process and its institutions” but insisted the attack had “not had an impact on the security of UK elections”.

The separate campaign against MPs and peers in 2021 was almost certainly carried out by APT31, officials said, with the majority of those targeted being prominent critics of the Chinese government. Parliament’s security department identified and mitigated the cyber campaign before any accounts could be compromised, the NCSC said.

Lord Cameron said: “It is completely unacceptable that China state-affiliated organisations and individuals have targeted our democratic institutions and political processes. While these attempts to interfere with UK democracy have not been successful, we will remain vigilant and resilient to the threats we face.”

The UK acted with support from allies in the Five Eyes intelligence-sharing partnership, which also includes the US, Canada, Australia and New Zealand, in identifying the Chinese-linked cyber campaigns.

Mr Dowden said: “I hope this statement helps to build wider awareness of how politicians and those involved in our democratic processes around the world are being targeted by state-sponsored cyber operations.”

The Chinese government strongly denied that it had carried out, supported or encouraged cyber attacks on the UK, describing the claims as “completely fabricated and malicious slanders”.

A spokesperson for China’s embassy in London said: “China has always firmly fought all forms of cyber attacks according to law. China does not encourage, support or condone cyber attacks. At the same time, we oppose the politicisation of cyber security issues and the baseless denigration of other countries without factual evidence.

“We urge the relevant parties to stop spreading false information and stop their self-staged, anti-China political farce.”

With local elections in May and a general election later this year, the NCSC has updated advice for political organisations including parties and thinktanks to reduce the risk of cyber attacks. Home Secretary James Cleverly insisted the upcoming elections were “robust and secure”.

NCSC director of operations Paul Chichester said: “The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world. The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.”

The APT31-linked front organisation and individuals will be hit with an asset freeze and travel ban under the sanctions regime.