U.S. and Britain Accuse China of Cyberespionage Campaign

WASHINGTON — The United States and Britain imposed sanctions on China’s elite hacking units Monday, accusing China’s top spy agency of a yearslong effort to place malware in America’s electrical grids, defense systems and other critical infrastructure, and of stealing the voting rolls for 40 million British citizens.

Taken together, the actions on both sides of the Atlantic underscored the escalation of cyberconflict between the Western allies and China, in vastly different spheres.

U.S. intelligence agencies have warned that the malware found in U.S. infrastructure appeared to be intended for use if the United States were coming to the aid of Taiwan. The theory is that Americans would be too tied up worrying about their own supplies of electricity, food and water to help a distant island that China claims as its own.

Separately, the Justice Department indicted individual Chinese hackers for what Attorney General Merrick Garland called a 14-year effort “to target and intimidate” China’s critics worldwide.

The motive behind the British intrusion was more mysterious. That attack involved stealing the voter registration data — mostly names and addresses — of tens of millions of people, as well an attempt to hack into the accounts of members of Parliament. Britain had revealed the voter hack long ago but never said who was responsible.

On Monday, it announced sanctions against the same state-directed group involved in the U.S. hack, a sharp rebuke that underlined the hardening of Britain’s stance toward China since British leaders heralded a “golden era” in relations between the countries nearly a decade ago.

Deputy Prime Minister Oliver Dowden announced sanctions against two individuals and one company, which he said targeted Britain’s elections watchdog and lawmakers. The Foreign Office summoned China’s ambassador for a diplomatic dressing down. But there was no indication that the hackers made any effort to manipulate votes or change the registration data — raising the possibility that they were simply testing their ability to steal vast databases of information.

“This is the latest in a clear pattern of hostile activity originating in China,” Dowden said in Parliament. “Part of our defense is calling out this behavior.”

That alone is a shift: During the Obama administration, the United States was reluctant to identify China as the source of a hack on the Office of Personnel Management, which lost more than 22 million security-clearance files on U.S. officials and contractors handling everything from nuclear operations to trade negotiations. And Britain, as it sought to increase trade with China after Brexit, was similarly reluctant.

But now the United States is increasingly public about the dangers. Cabinet secretaries and intelligence chiefs have begun to testify in public before Congress about an operation called Volt Typhoon, a threat that has preoccupied President Joe Biden and his staff for more than a year, as they have sought to clean Chinese code out of critical systems.

And increasingly, the United States is coordinating with Britain, Canada, Australia and other allies to confront China’s hacking, fearing that the rising tempo of activity has received comparatively little attention while leaders have been consumed by the war in Ukraine and, for the past six months, the Israel-Hamas conflict.

Military and intelligence officials have said the Republican reluctance to provide new funds to Ukraine to repel Russia may encourage Chinese leaders to think that stoking isolationism in the United States will require little work.

On Monday, a spokesperson for China’s Ministry of Foreign Affairs, Lin Jian, dismissed the British reports of Chinese hacking as “fake news.”

“When investigating and determining the character of cyberincidents, there must be adequate objective evidence,” Lin said, “not smearing other countries without a factual basis, not to mention politicizing cybersecurity issues.”

In announcing the sanctions, the Treasury Department described malicious state-sponsored cyberactors as “one of the greatest and most persistent threats to U.S. national security.”

But curiously, Biden has never talked about the issue at any length in public — perhaps worried about causing panic or being accused of exploiting the threat in an election year. Instead, the Department of Homeland Security, the FBI and the National Security Agency have turned out specific warnings to companies about what to look for in their systems.

The sanctions were unveiled as the Justice Department announced charges against seven Chinese nationals accused of conspiracy to commit computer intrusions and wire fraud.

The hackers were part of a group known as Advanced Persistent Threat 31, or APT31, that has for the past 14 years targeted American companies, government and political officials, candidates and campaign personnel.

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyberoperations aimed at threatening the national security of the United States and our allies,” Garland said in a statement.

According to the Justice Department, the hackers deployed more than 10,000 emails with hidden tracking links that could, if opened, compromise the electronic device of a recipient. Their operation targeted a Justice Department official, high-ranking White House officials and multiple U.S. senators.

The Treasury Department added Wuhan Xiaoruizhi Science and Technology Co. to its sanctions list and described it as a “front company” for China’s Ministry of State Security, which ran the cyberespionage operation. The ministry has emerged as China’s largest hacking operation, after a major investment by the Chinese government, according to U.S. intelligence agencies.

The ministry — under the direct control of the Chinese leadership — is taking over for the People’s Liberation Army, which directed most of the espionage attacks on U.S. companies intended to steal corporate secrets or defense designs.

The sanctions on China come as the Biden administration has been trying to stabilize relations with China, seeking areas of cooperation on combating the flow of fentanyl and fighting climate change. That effort began to bear fruit with Biden’s meeting with President Xi Jinping in California late last year, in which he warned Xi about intrusions into U.S. infrastructure. Chinese officials have denied they were involved.

Why China would seek the names and addresses of British voters is a bit puzzling, especially since such information is readily available from data brokers. The Electoral Commission said the names and addresses of anyone registered to vote in Britain and Northern Ireland from 2014 to 2022 had been retrieved, as well as those of overseas voters.

The commission previously said that the data contained in the electoral registers was limited and noted that much of it was in the public domain. However, it added that it was possible the data could be combined with other publicly available information, “such as that which individuals choose to share themselves, to infer patterns of behavior or to identify and profile individuals.”

John Pullinger, chair of the Electoral Commission, said the hacking incident would not affect how people registered, voted or participated in democratic processes. But he added in a statement that the announcement “demonstrates the international threats facing the U.K.’s democratic process and its institutions,” and that the commission remained “vigilant to the risks.”

In addition to the infiltration of the Electoral Commission, Dowden confirmed that the Chinese had tried unsuccessfully to hack email accounts belonging to several members of Parliament.

Although he did not name the lawmakers, they are thought to include Iain Duncan Smith, a former leader of the Conservative Party; Tim Loughton, a former Conservative education minister; and Stewart McDonald, a member of the Scottish National Party — all of whom have a record of making hawkish statements about China.

Dowden said British officials had determined that it was “almost certain” that APT31 conducted reconnaissance against the lawmakers in 2021.

“The majority of those targeted were prominent in calling out the malign activity of China,” he added. “No parliamentary accounts were successfully compromised.”

Duncan Smith said China should “immediately be labeled as a threat,” something that would go beyond the language used in a British foreign policy review, which last year said that China “poses an epoch-defining and systemic challenge.”