Prime minister Christopher Luxon said it was the first time New Zealand had publicly accused China of ‘malicious cyber-attacks on our democratic institutions’. The breach was confirmed by the GCSB on Tuesday. Photo: Mark Baker/AP
A Chinese state-backed group targeted New Zealand government services in a cyber attack in 2021, New Zealand’s intelligence agency said.
The government and intelligence agency – the Government Communications Security Bureau (GCSB) – confirmed the breach on Tuesday after the UK and US accused China of similar attacks.
“This is the first time we have attributed malicious state-sponsored cyber activity to the People’s Republic of China, to affect New Zealand government systems,” GCSB director Andrew Clark said.
Related: US sanctions hackers to target critical infrastructure for the Chinese spy agency
In August 2021, the GCSB’s cyber security center became aware of malicious activity affecting the parliamentary counsel’s office and the parliamentary service, Clark said. The center discovered that the network was compromised and after a thorough investigation was able to “confidently link” the attack to China, specifically the Ministry of state security and a group of is called Advanced Persistent Threat 40, or APT40.
“This link is reinforced by analysis by international partners of similar events in their own jurisdictions,” Clark said.
Some data was taken during the cyber attack, but none was considered sensitive or strategic, he said.
The Guardian has contacted the Chinese embassy in Wellington for comment.
Speaking to the media on Tuesday, prime minister Christopher Luxon said New Zealand has “a long-standing, complicated relationship with China”, but said the two countries have differences “and we call that when we can”.
“We are calling out where we see malicious cyber activity from any state that attacks our democratic institutions,” Luxon said.
“This is a first for New Zealand – publicly attributing malicious cyber activity to our democratic institutions in China. It’s a big step for us.”
Other cyber attacks related to APT40 were published in 2021, but those attacks targeted other anonymous networks in New Zealand and Microsoft email servers.
The story continues
Clark said the attacks on parliamentary services had been kept quiet until now to ensure the investigation was thorough, vulnerabilities in the system were fixed, and to compare notes with other international partners.
“We want to be able, as a country, to strengthen the norms of responsible behavior internationally in cyberspace, and it is best to do that in the company of other partners,” he said.
Clark would not speculate on what data China was seeking, but said typically these types of breaches seek to obtain information for strategic advantage, steal intellectual property or facilitate foreign interference.
There were 316 cyber attacks on major New Zealand institutions last year and 23% of those were attributed to state-sponsored actors, Clark said.
New Zealand is highly dependent on China, its largest trading partner. Although the smaller nation has become more vocal in recent years about issues of human rights, the rules-based international order and concerns about a possible militarization of the Pacific, it has tended to be more conciliatory toward China than the other democracies such as Australia, the UK and the USA.
When asked by reporters on Tuesday whether China posed a threat to New Zealand’s democracy, Luxon refrained from specifically naming the country, saying: “many state actors and criminal actors are threats to our institutions, including liberal democracy around the world.”
Luxon did not raise cyber intrusions with Chinese foreign minister Wang Yi during a one-on-one meeting in Wellington last week.
“Officials raised cyber activity with him earlier in the month, but in my brief meeting with him, I didn’t raise this particular incident because it was a very short courtesy call,” Luxon said.
New Zealand will not impose sanctions against China, as the UK and US have done, Luxon said.
New Zealand’s Foreign Minister Winston Peters said: “This type of foreign interference is unacceptable, and we have urged China to refrain from such activity in the future.”
He said concerns about cyber activity attributed to Chinese government-sponsored groups, which have targeted democratic institutions in both New Zealand and the United Kingdom, had been raised with the Chinese ambassador.
In 2019, Australian intelligence determined that China was responsible for a cyber attack on its national parliament and the three largest political parties ahead of the general election but the Australian government has not officially revealed who was behind the attacks.