This publication is licensed under the terms of the Creative Commons Attribution License 4.0 which permits unrestricted use, provided the original author and source are credited.
Introduction
It has been widely reported that the UK Ministry of Defence (MoD) has suffered a serious, large-scale data breach attributed to suspected Chinese Communist Party (CCP)-backed hackers. This article aims to put the attack in context and explore its possible consequences for UK national security.
At the time of writing, verified details of the attack are scarce. It is important to keep in mind that the MoD is a highly complex organisation and faces unique challenges, threats and pressures.
The following organisational factors must be considered when assessing the potential impact and consequences of cyber attacks targeting the MoD:
- The technology landscape within the MoD is highly complex. In communications alone, the MoD operates a wide range of high-end technology systems, including sophisticated encrypted satellite communications systems, electronic surveillance and jamming systems, specialised secure radio networks, and secure underwater communications systems. These systems operate alongside large enterprise networks built on commercial off-the-shelf (COTS) hardware and software.
- MoD personnel and operations are globally distributed, operating in the space, sea, land, air and cyber domains at various classification levels and under various security regimes, often in congested and contested environments.
- MoD workforce demographics and dynamics are complex: huge training and development requirements, and performance and conduct management, are split across the different armed services and a civilian workforce.
- The MoD is supported by global supply chains, spanning commercial off-the-shelf products and services through to specialised, accredited, secure suppliers and contractors.
- The MoD is constantly balancing demands for transformation and advancement against the need to sustain capabilities and maintain long-standing legacy systems, services and processes.
- The MoD has suffered past breaches, both self-inflicted ‘own goal’ breaches and breaches resulting from external attacks.
A ‘best possible ground truth’ account of the attack is unlikely to emerge for some time. Even when such a detailed investigation is complete, it is possible that only a redacted version will be released to the public.
Calm judgement needs to be exercised to avoid panic, overreaction, rash conclusions or reactive policy responses.
The Attack in Context
Our starting point is to accept the widely reported information about the attack as accurate: specifically, that a suspected Chinese Communist Party (CCP)-backed threat actor compromised an MoD supplier, targeting an MoD-wide payroll system, resulting in the potential theft of sensitive personal data on military personnel and civilian staff.
At the time of writing (9 May 2024), details of ‘when, where and how’ have yet to be revealed. The attempt to exfiltrate data suggests strategic advantage as the primary motivation; however, financial gain (i.e. selling the data on the black market) cannot be ruled out.
Regrettably, we can look to our US allies to understand the strategic ramifications of the bulk loss of detailed, sensitive personal data. A series of high-profile data breaches have taken place over the past decade across the US Government and private sector.
CCP-backed hackers have been linked to the theft of hundreds of millions of customer records from Marriott International, the credit agency Equifax, the health insurer Anthem (now known as Elevance Health), and more than 20 million personnel files on current and former U.S. government workers and their families from the Office of Personnel Management (OPM).
As serious as these data theft attacks are, they are just one strand of the CCP’s anti-US efforts. Chinese state institutions are recruiting intelligence agents in the US, attacking US critical national infrastructure, leveraging CCP-backed media propaganda and anti-US online influence campaigns, and promoting CCP objectives through educational and cultural institutions and intimidation of Chinese diaspora. This is all in an attempt to undermine regional partnerships and alliances to displace US influence in the Asia Pacific region and beyond.
It is important to note that Chinese state organisations - including the Chinese military - operate in service of the CCP, rather than the Chinese nation or people. These organisations are inherently political, and dedicated to the survival of the CCP and advancement of Party goals.
The impact on US national security and intelligence capability has been severe and enduring. Substantial open-source material illustrates the success that the CCP’s protracted campaign of data theft has had against the US. CCP-backed hacking groups have successfully stolen sensitive technology, military plans, blueprints and trade secrets, coupled with vast volumes of sensitive data on the entire American population.
Over the past decade or more, CCP-backed hackers have stolen everything from fingerprint and biometric data, healthcare records and DNA data, financial (bank, credit and tax) data, travel and passport data, through to Government security clearance data, commercial retail, internet browsing, social media, telephony and smart device location and metadata. In 2021, the US Government stated that an estimated 80% of American adults have had all of their personally identifiable information stolen by the CCP - a sobering statistic that has likely only worsened since then.
National Security Implications
Commentators have suggested that while the loss of data is substantial and far-reaching, the Chinese state has historically lacked the ability to fully analyse these huge volumes of data and therefore its strategic value was limited. While this may once have been true, the CCP has achieved significant recent success in the development of the powerful analytical tools required to process, analyse and exploit such data troves.
The CCP’s ability to discover, track and disrupt US intelligence operations within its borders has led to the country being labelled as a “hard target”, alongside North Korea and Russia. Chinese security organisations have demonstrated an ability to leverage such data to identify espionage networks and suspected agents, and overseas intelligence operatives have demonstrated their prowess at using online profiling to conduct widespread targeting for intelligence collection and agent recruitment.
Given these achievements, it is clear that the data stolen from the MoD holds immense value for hostile regimes, including its potential use in:
- Internal security (e.g. border control, visitor screening and visitor tracking and surveillance).
- Human intelligence targeting operations (e.g. to identify personnel related to specific organisations who are likely to be financially or otherwise vulnerable).
- Influence operations & propaganda (e.g. sowing division via public messages on pay discrepancies or improving target audience analysis to develop tailored online content).
In this context of long-running and aggressive attacks amassing huge troves of US citizen data, the attack comes as no surprise. The attack was preceded by the March 2024 statement from the UK Government about the China-backed hack of UK voter records, and ought to be viewed as a small part of a wider sustained campaign; just one attack amongst many that are likely to happen over the coming months and years.
Given the strength of the evidence base, it is no longer paranoid for any organisation - small or large - that holds personal data on UK citizens to consider themselves a likely target for CCP-backed cyber threat actors. These threat actors will continue to seek out any and all personal data from both government and private sector systems. Any form of data that provides insight into individual behaviour, circumstance and preferences is of value, including:
- Healthcare, DNA and medical trial data
- Background checks, screening and credit data
- CVs / resumés, recruitment application data, hiring tests/profiles/evaluation data
- Criminal records and legal data
- Tax, banking and credit data
- Identity data (passports, driving licences, Government ID cards) and biometric data
- Educational and professional records from school, college, university and employer human resources systems
- Travel data (flight, hire car, hotel etc.)
- Telephony location and metadata
- Retail and consumer data
- Internet activity data (advertising, online dating, online gaming, etc.)
- Personal smart device and internet of things (IoT) data.
Undoubtedly other sources will also be targeted to add to the trove of data from which analytical tools can produce powerful insight into UK citizens, organisations and society.
Conclusion
It is easy to call for a redoubling of efforts to “battle harden” the MoD, its people, infrastructure and supply chain. Such calls do little to help immediate crisis response, and neglect the fact that even where organisations consistently protect themselves they remain vulnerable to unknown exploits and attacks.
We encourage everyone in the public and private sectors to collaborate on the strategic goal of raising the costs to the threat actors attacking our core national security interests and the privacy of our citizens: both the cost of mounting such attacks and the cost of the consequences they face for doing so.
The views expressed in this article are those of the author, and do not necessarily represent the views of The Alan Turing Institute or any other organisation.
Sources
MoD cyber security context
December 2023, Email CC not BCC Afghan leak, https://www.theregister.com/2023/12/13/mod_bcc_email_fine/
March 2022, Capita-run Defence Recruitment System compromised, https://www.theregister.com/2022/03/24/ministry_of_defence/
June 2021, UKSF WhatsApp spreadsheet leak, https://www.theregister.com/2021/06/02/uk_special_forces_data_breach_whatsapp/
May 2020, MoD Interserve hack, https://www.theregister.com/2020/05/15/interserve_breach/
The current attack
7th May 2024, China hacked Ministry of Defence, Sky News learns, https://news.sky.com/story/china-hacked-ministry-of-defence-sky-news-learns-13130757
7th May 2024, MoD data breach: State involvement cannot be ruled out in armed forces hack, says Grant Shapps, https://www.bbc.com/news/uk-68967805
7th May 2024, UK armed forces’ personal data hacked in MoD breach, https://www.theguardian.com/technology/article/2024/may/06/uk-military-personnels-data-hacked-in-mod-payroll-breach
7th May 2024, MoD data breach: UK armed forces' personal details accessed in hack, https://www.bbc.com/news/uk-68966497
7th May 2024, China suspected of massive cyberattack on database of UK armed forces personnel, https://www.independent.co.uk/news/uk/home-news/china-mod-uk-hack-data-breach-b2540489.html
7th May 2024, State involvement not ruled out as up to 272,000 personnel hit in data breach, https://www.forces.net/china/personnel-affected-reported-china-hack-mod-payroll-be-alerted
7th May 2024, Ministry of Defence payroll system hacked, https://www.civilserviceworld.com/professions/article/ministry-of-defence-payroll-system-hacked
7th May 2024, PM declines to name China over armed forces payroll hack, https://www.bbc.com/news/av/uk-politics-68969624
7th May 2024, China Seen as Likely Culprit in UK Defense Ministry Hack, https://www.bloomberg.com/news/articles/2024-05-07/china-seen-as-likely-culprit-in-uk-defense-ministry-cyberattack
7th May 2024, 'Malign actor' hacked UK defence ministry payroll, Sunak says after China reports, https://www.reuters.com/technology/cybersecurity/uk-military-personnels-data-accessed-hack-bbc-reports-2024-05-06/
US and UK data theft, security and intelligence
March 2024, China linked to UK cyber-attacks on voter data, Dowden to say, https://www.bbc.com/news/uk-politics-68652374
March 2024, UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians, https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians
December 2023, Chinese Spy Agency Rising to Challenge the CIA, https://www.nytimes.com/2023/12/27/us/politics/china-cia-spy-mss.html
April 2023, How to Spy on China, https://www.foreignaffairs.com/china/how-to-spy-china-beijing-technology-mattis
January 2021, China's push to control Americans' health care future, https://www.cbsnews.com/news/biodata-dna-china-collection-60-minutes-2021-01-31/
December 2020, China Used Stolen Data To Expose CIA Operatives In Africa And Europe, https://foreignpolicy.com/2020/12/21/china-stolen-us-data-exposed-cia-operatives-spy-networks/
February 2020, China's Hacking Spree Will Have a Decades-Long Fallout, https://www.wired.com/story/china-equifax-anthem-marriott-opm-hacks-data/
November 2019, Chinese Communist Espionage: An Intelligence Primer by Peter Mattis & Matthew Brazil. Naval Institute Press; Illustrated edition, https://www.amazon.com/Chinese-Communist-Espionage-Intelligence-Primer/dp/1682473031
May 2017, China's State Media Lauds 'Sweeping Victory' After Beijing Reportedly Catches US Spies, https://www.rfa.org/english/news/china/spies-05232017103737.html
CCP intelligence operations
April 2024, Spycraft and Statecraft: Transforming the CIA for an Age of Competition, https://www.foreignaffairs.com/united-states/cia-spycraft-and-statecraft-william-burns
December 2023, American Spies Confront a New, Formidable China, https://www.wsj.com/politics/national-security/american-spies-confront-a-new-formidable-china-5c384370
December 2023, China is stealing AI secrets to turbocharge spying, U.S. says, https://www.wsj.com/tech/ai/china-is-stealing-ai-secrets-to-turbocharge-spying-u-s-says-00413594
December 2018, Looking for China’s spies, https://www.bbc.co.uk/news/resources/idt-sh/Looking_for_Chinas_spies
UK security community assessments and perspectives
March 2024, US, UK Accuse China of Broad Cyberattacks, Voter Data Theft, https://www.bloomberg.com/news/articles/2024-03-25/us-charges-seven-chinese-hackers-with-sweeping-cyberattacks
December 2023, Sir Alex Younger on the Future of Spying, https://www.youtube.com/watch?v=B2jUpgplku
November 2023, NCSC 2023 Annual Review - Threats & Risks, https://www.ncsc.gov.uk/collection/annual-review-2023/threats-risks
July 2023, Head of MI6 warns that China is setting ‘data traps’ for partners, https://therecord.media/china-data-traps-espionage-mi6-richard-moore
May 2023, GCHQ warns of fresh threat from Chinese state-sponsored hackers, https://www.theguardian.com/technology/2023/may/25/experts-warn-against-china-sponsored-cyber-attacks-on-uk-networks
February 2023, UK must wake up to China threat, says ex-MI6 chief Sir Alex Younger, https://www.bbc.com/news/uk-politics-64635179
November 2021, MI6 chief warns of security threat from China ‘miscalculation’, https://www.ft.com/content/eb8afc08-70ea-433c-8f2d-c0c1357461e3
Citation information
Ant Burke, "MoD Data Breach: What Next?," CETaS Expert Analysis (May 2024).