The European Parliament elections in June are at significant risk from Chinese online activists who already targeted the UK Parliament and its electoral register, cyber experts told Brussels Signal.
The UK attacks are said to have taken place between 2021 and 2022; they were identified by the Electoral Commission in October 2022 but were not disclosed until last year.
Speaking of the incidents, on March 25 UK Deputy Prime Minister Oliver Dowden told Parliament that they demonstrated “a clear and persistent pattern of behaviour that signals hostile intent from China”.
The Chinese hackers sent more than 10,000 emails to government officials and critics of China. The messages included hidden tracking links allowing the senders to observe their targets’ locations and IP addresses. They also accessed data including the names and addresses of all 40 million registered voters on the UK electoral register.
Andrew Jenkinson, chief executive of Cybersec Innovation Partners, told Brussels Signal: “The EU elections will have identical exposed positions,” adding that the “[UK] Electoral Commission remains as exposed today”.
In a November 29 internal review, the European Parliament’s information security department told senior MEPs the body’s cybersecurity measures had “not yet met industry standards” and was “not fully in-line with the threat level” from state-sponsored attacks.
Such attacks on the Parliament and other European Union institutions have, cyber experts say, grown more numerous and sophisticated since the last EU elections in 2019.
Ivana Karásková, of the Central European Digital Media Observatory, said China has circulated disinformation previously to discredit critics and intervene in elections in the Indo-Pacific region.
Dowden ascribed the UK attacks to the so-called APT40 cyber-espionage group, which cyber experts say is affiliated with China’s Ministry of State Security and is based in Haikou on the Chinese island of Hainan in the South China Sea.
APT40 is linked to a company called Hainan Xiandun Technology, directed by the Chinese Ministry of State Security’s Hainan department, according to a US Government cybersecurity advisory department.
As well as targeted attacks on MPs and peers critical of China, there also have also been broader-brush strikes on the UK’s elections infrastructure.
The Electoral Commission said hostile actors had gained access to the electoral registers and broken into its sensitive emails and “control systems” over a period that included six by-elections.
China’s aim appeared to be monitoring and suppressing perceived critics and dissidents based in the UK, said the National Cyber Security Centre, part of the British GCHQ signals intelligence agency.
Chinese hackers from the APT40 group also targeted New Zealand’s Parliament and US politicians, both Governments confirmed.
In light of the cyber incidents, Dowden told the UK Parliament the country would freeze the assets of and impose a travel ban on two Chinese nationals – Zhao Guangzong and Ni Gaobin.
MPs from across the UK’s parties criticised Dowden for the Government response. Alicia Kearns, Conservative Chair of the Foreign Affairs Select Committee, called it “sadly insufficient”.
Sky News political correspondent Jon Craig chipped in: The number of people sanctioned is “two, along with something called APT31, whatever that is”.
Former Conservative prime minister Sir Iain Duncan Smith, among the China critics whom it is said were targeted, described the Government’s statement as: “Like an elephant giving birth to a mouse”.
Other targeted MPs, including former Conservative minister Tim Loughton and the Scottish National Party’s Stewart McDonald, were equally unimpressed by Downing Street’s response.
“We’re going to sanction two people, two pretty lowly officials, and one private company, which employs 50 people,” said Loughton.