Ministry of Defence Data Exposed in China-Linked Cyber Attack


The UK’s Ministry of Defence (MoD) is still reeling following a reportedly China-linked cyber attack that exposed the sensitive data of thousands of British military personnel.

The attack, which is believed to have struck the ministry two or three times over the past three years, targeted a third-party payroll system that stores the details of tens of thousands of British armed forces personnel and veterans.

This payroll system stored the names and bank details of all regular military personnel and reservists, as well as several thousand veterans. A small number of individuals’ addresses was also on the system.

The MoD took immediate action, taking the external network, operated by a contractor, offline. The department is still working to understand the scale of the attack, but it does not believe that any sensitive data was stolen during the incident and has urged service people not to be concerned about their safety.

Still, affected service personnel will be alerted as a precaution and provided with specialist advice. They will also be able to use a personal data protection service to check whether their information is being used or an attempt is being made to use it.

This could raise questions about whether other countries with challenging relationships with China will want to share sensitive intelligence with the UK.

The Cabinet Office, intelligence agencies and private security specialists have been called in to assist with the MoD investigation.

An external contractor has also been commissioned to monitor the internet in case any information has been successfully removed from the contractor’s IT system and is leaked online.

Another Chinese Cyber Attack 

UK Defence Secretary Grant Shapps is expected to make a statement about the cyber attack to MPs on Tuesday. 

He is set to confirm signs that a hostile nation-state was behind the hack, but the UK government is not expected to publicly name China. Sky News, however, has reported that China is the unnamed culprit behind the attack. 

If true, the attack would come just over a month after the government blamed the nation for a cyber attack on the Electoral Commission, which saw over 40 million British citizens’ data exposed in 2021.

In that attack, Deputy Prime Minister Oliver Dowden told the House of Commons two individuals and a company linked to the Chinese state had been sanctioned over attacks on the Electoral Commission.


The same company was also believed to have carried out “reconnaissance” activity against UK parliamentary accounts in a separate campaign in 2021, Mr Dowden said.

At the time, a spokesperson for the Chinese embassy in London said: “The so-called cyber attacks by China against the UK are completely fabricated and malicious slanders.”

Prime Minister Rishi Sunak was urged to “end his naivety” on China after the country was accused of being behind the “malign” cyber attack on the Electoral Commission as well as against 43 MPs and peers.

Echoing the language used in the government’s foreign policy review, Mr Sunak called China “the greatest state-backed” threat to Britain’s economic security.

“We’ve been very clear that the situation now is that China is behaving in an increasingly assertive way abroad, authoritarian at home and it represents an epoch-defining challenge, and also the greatest state-based threat to our economic security.

“So, it’s right that we take measures to protect ourselves, which is what we are doing.”

State-sponsored cyber attacks hit the UK

The attack on the Ministry of Defence is the latest state-sponsored attack impacting UK security and national infrastructure in recent years.

The MoD was also hit last year by the Russia-linked hacker group Lockbit, who leaked top-secret data belonging to the Ministry to the dark web following a cyber attack on the security firm Zaun.

The leaked data included thousands of pages of top-secret information that could help criminals compromise UK military and security sites including HMNB Clyde nuclear submarine base, the Porton Down chemical weapon lab and a GCHQ listening post.

“The breach of highly sensitive data from the Ministry of Defence raises significant concerns," said Tim West, Director, Threat Intelligence & Outreach at WithSecure.

"Government departments are a prime target of cyber threats every single day. Cybercriminals also know that government data is only as secure as the weakest third-party network that it is processed upon, and this is why they are targeted.

"There are obvious reasons why the Ministry of Defence is an extremely attractive target to any adversarial nation-state. The intelligence value of who, how much and when the UK military makes payments should be fairly clear, particularly as this breach comes at a time where Rishi Sunak has recently pledged a significant increase of defence spending to 2.5%," added West.

'Totally Avoidable'

Simon Bain, data security expert and CEO of OmniIndex, told EM360Tech that the attack on the Ministry of Defence was "totally avoidable."

“Questions have to be answered over why, in 2024, the MoD is still ‘protecting’ the data of service personnel with outdated and frankly obsolete technology that has proven itself time and time again as unfit for purpose."

"Legacy security infrastructure leaves critical information like veterans' names and bank details vulnerable to attack because the data is used in a decrypted state. This means that if the system is accessed through an attack or due to user error, that information is visible and, therefore, exposed."

"In other words, once an attacker is through the doors, everything is up for grabs, and all information is easily accessible."

"This is why I believe this attack was avoidable and why it is crucial that we ask why the MoD and other government departments rely on outdated and frankly obsolete technology to ‘protect’ data when it has proven itself unfit for purpose," Bain said.

China's foreign ministry has denied that China was behind this latest attack, stating that it "firmly opposes and fights all forms of cyber attacks" and "rejects the use of this issue politically to smear other countries".

Chinese President Xi Jinping began a tour of Europe in Paris today, where he met French President Emmanuel Macron.

On his arrival, a group of seven French lawmakers targeted by cyberattacks attributed to Chinese hackers called for a legal investigation by the authorities.
