China outright rejects accusation it hacked New Zealand Parliament

Tuesday, 26 March 2024

New Zealand Parliament has been the target of a Chinese state-backed hack alongside the United Kingdom and United States, the Government has confirmed, but China has outright rejected the “groundless and irresponsible accusations”.

A Chinese embassy spokesperson, in a statement issued on Tuesday afternoon, said accusations of China conducting foreign interference were “completely barking up the wrong tree”.

“We reject outright such groundless and irresponsible accusations and have lodged serious démarches [diplomatic protests] to New Zealand’s relevant authorities, expressing strong dissatisfaction and resolute opposition.

“China is a major victim of cyberattacks … We have never, nor will we in the future, interfere in the internal affairs of other countries, including New Zealand.

“We hope the New Zealand side can practice the letter and spirit of its longstanding and proud independent foreign policy, independently making judgments and decisions in its best interests rather than blindly following other’s words and actions at the expense of New Zealand’s own credibility and interests.”

Prime Minister Christopher Luxon and Intelligence Agencies Minister Judith Collins joined the US and UK in making public Chinese state-backed hacking attempts on democratic institutions on Tuesday, and the GCSB confirmed that Parliamentary Service and the Parliamentary Counsel Office were subjects of the 2021 attack.

“We believe very strongly in the values of our democracy and, rather than just believing in them, when we actually see them being under attack, we actually call them out,” Luxon said.

Foreign Minister Winston Peters confirmed on Tuesday afternoon that senior officials at the Ministry of Foreign Affairs and Trade had spoken directly with the Chinese ambassador in Wellington, Wang Xiaolong, to “lay out our position and express our concerns”.

“Foreign interference of this nature is unacceptable, and we have urged China to refrain from such activity in future. New Zealand will continue to speak out – consistently and predictably – where we see concerning behaviours like this,” Peters said.

At a rare press conference for a spy chief, GCSB director-general Andrew Clark said a Chinese group connected to Beijing’s Ministry of State Security had obtained data that was not of a “sensitive or strategic nature” - but instead data of a more technical nature.

But, according to GCSB deputy director Lisa Fong, a “reasonably small” volume of information regarding MPs and their offices was involved. After identifying the intrusion in August 2021, the GCSB worked to “quite quickly” remove the cyber attackers.

Clark said going public on China’s involvement was “the first time that we have attributed state-sponsored malicious cyber activity to the People's Republic of China for intrusion into New Zealand government systems”.

“If I look at what state-sponsored cyber activity has involved over a number of years, it tends to involve trying to gain information for strategic advantage. It involves the theft of intellectual property, it also is sometimes used to facilitate foreign interference in other countries.”

Unlike in the UK, New Zealand’s Electoral Commission had not been affected by cyber attacks.

He said in the past financial year there had been 316 cyber events involving the most nationally significant organisations for New Zealand, 23% of these being attributed to state-sponsored actors, China being a “significant source”.

While GCSB continued to develop new tools to protect networks, “we are not a national firewall”, he said.

“The level of cyber security maturity between different departments and agencies is uneven.

“It is a message that everybody has to bake in cyber-security thinking into everything they do, every day. It is a fact of life now.”

Parliamentary Service chief executive Rafael Gonzalez-Montero declined an interview request but said, in a statement, the organisation had significantly invested in its cyber security since the 2021 attack.

“We have enhanced our prevention and detection systems, provided organisation-wide cyber security awareness training, and implemented more robust processes. We will continue to bolster our capability to retain public confidence and preserve the integrity of Parliaments digital systems.

“While some information was taken as part of the compromise, we addressed the implications at the time. We cannot go into further detail.”

Speaking earlier, Luxon said the Government was very “clear-eyed” about the risk of foreign interference from other states, including China.

But he did not raise the issue when he met Chinese Foreign Minister Wang Yi when the pair met last week. Instead, government officials raised malicious cyber activity with China earlier in the month, he said.

“This is a first and a very big step for New Zealand … Actually, calling it out is important, because being public about it, and putting sunlight on it, and calling it out is actually a very good thing.

Labour leader Chris Hipkins said he was briefed on the attack some time after it occurred and he was “very concerned” about such activity.

“Interference in one country's democratic processes by another country is something that we should be incredibly concerned about.”

He said he did not raise Chinese cyber hacking when he met with Chinese Premier Xi Jinping in 2023.

The GCSB’s Clark said in a statement the organisation’s National Cyber Security Centre (NCSC) became aware of the hack in August 2021, which could be “confidently linked” to a Chinese state-sponsored actor, Advanced Persistent Threat 40. The Government at the time attributed a separate cyber attack to this group.

The directors- general of the Security Intelligence Service (SIS) and GCSB will appear before the Intelligence and Security Committee on Tuesday evening, at which Luxon, Hipkins, and other senior MPs will inquire into the agencies’ performance in the past year.

The US Federal Bureau of Investigation announced it was charging seven Chinese nationals for their part in a 14-year global campaign targeting politicians, journalists, and companies.

In the UK, deputy prime minister Oliver Dowden announced two Chinese nationals working for a state-affiliated group called Advanced Persistent Threat Group 31, and a company, were being sanctioned for a malicious cyber effort targeting MPs and the UK electoral commission.

Collins on Tuesday said New Zealand would not be following suit with sanctions, as the Government lacked the laws to do so and had no intention to legislate for this.

In both the US and UK it was alleged elected officials who were members of the Inter-Parliamentary Alliance on China (IPAC) were targeted by the cyber campaigns. New Zealand MPs have also been part of this group, which monitors and advocates against activities of the Chinese Communist Party (CCP).

Former National Party MP Simon O’Connor, a founding IPAC member in New Zealand, said he was aware of the threat of being targeted by Chinese hacking efforts. But he had received no specific advice from Parliament security or the intelligence agencies about this.

“I’m not aware of being specifically hacked, if I had there would be a huge outcry from me,” he said.

“It would be utterly naive to think New Zealand is not a target.”

Labour MP Ingrid Leary, current co-chairperson of IPAC in New Zealand, said she was alerted by IPAC members of the hacking as soon as it became apparent, and its members already operated as though they were already being surveilled.

“I have not received direct advice from intelligence agencies,” she said. “I do ensure that when I travel anywhere in East Asia that I use burner devices and other secure IT systems, because that is a wise thing for any member of parliament to do but particularly important for those of us who have a public profile around CCP issues.

“It would be naive for New Zealand to think that hackers are not a able to access our data or interfere with our systems, and that is probably something all MPs should be vigilant about.”

University of Canterbury China expert Dr Anne-Marie Brady said the Government’s public statement attributing the attack was a huge step.

“The situation is so serious New Zealand is calling out its major trading partner for cyber attacks.

“That is an indication of a very serious threat environment. The national security situation is such that other concerns are less important than confronting China over its actions.”

Foreign interference and cyber attacks have become a predominant concern for the Government and its intelligence agencies in recent years as competition between countries — particularly China and the US, with its Western partners — has grown more intense.

In 2021, at the time the alleged hacking efforts were occurring, then Intelligence Agencies Minister Andrew Little joined other Five Eyes countries in attributing another cyberattack effort to Advanced Persistent Threat 40. The GCSB had determined the Chinese Ministry of State Security had, in New Zealand and globally, exploited Microsoft Exchange email service.

The Post has reported one of few known cases of a New Zealander alleged to be aiding the Chinese government by providing it privileged information. Yuan Jason Zhao, a senior analyst for the Public Service Commission, was accused of being an “insider threat” in 2022, and as of February remained suspended from his job.

Last year, the Government was also considering creating new “foreign interference” crimes to better prosecute foreign agents as part of a broader effort to harden New Zealand policy to the threat. However, under the new National-coalition Government the status of this work remains uncertain, as does the Government’s response to recommendations to improve the legislation which provides the intelligence agencies their spying powers.