
A group backed by the Chinese state targeted New Zealand government services in a cyber-attack in 2021, New Zealand’s intelligence agency has said.
The government and intelligence agency – the Government Communications Security Bureau (GCSB) – confirmed the breach on Tuesday after the UK and the US accused China of similar attacks.
“This is the first time we have attributed state-sponsored malicious cyber activity to the People’s Republic of China, for intrusion into New Zealand government systems,” said the GCSB director, Andrew Clark.
In August 2021, the GCSB’s cybersecurity centre became aware of malicious activity affecting the parliamentary counsel office and parliamentary service, Clark said. The centre found the network had been compromised and after a thorough investigation was able to “confidently link” the attack to China, specifically the ministry of state security and a group known as Advanced Persistent Threat 40, or APT40.
“This link has been reinforced by analysis from international partners of similar events in their own jurisdictions,” Clark said.
Some data was taken during the cyber-attack, but none that was considered sensitive or strategic, he said.
The Guardian has contacted the Chinese embassy in Wellington for comment.
Speaking to media on Tuesday, prime minister Christopher Luxon said New Zealand has a “longstanding, complex relationship with China”, but added that the two countries have differences “and we call that out when we can”.
“We are calling out where we see malicious cyber-activity from any state that attacks our democratic institutions,” Luxon said.
“This is a first for New Zealand – publicly attributing a malicious cyber-activity on our democratic institutions by China. It’s a big step for us.”
Other cyber-attacks linked to APT40 were made public in 2021; however, those attacks targeted other unnamed New Zealand networks and Microsoft email servers.
Clark said the attacks on parliament services were kept quiet until now to ensure that the investigation was thorough and that existing vulnerabilities in the system had been fixed, and to compare notes with other international partners.
“We want to be able to, as a country, reinforce the norms of responsible behaviour internationally in cyberspace, and that is best done in the company of other partners,” he said.
Clark would not speculate on what data China was seeking, but said typically, these types of breaches attempt to gain information for strategic advantage, to steal intellectual property or to facilitate foreign interference.
There were 316 cyber-attacks on major New Zealand institutions last year and 23% of those were attributed to state-sponsored actors, Clark said.
New Zealand is highly dependent on China, its largest trading partner. While the smaller nation has become more vocal in recent years over issues of human rights, the international rules-based order and concern over the potential militarisation of the Pacific, it has typically taken a more conciliatory tone towards China than other democracies such as Australia, the UK and the US.
When asked by reporters on Tuesday if China was a threat to New Zealand’s democracy, Luxon refrained from explicitly naming the country, saying: “there are many state actors and criminal actors that are threats to our institutions, including liberal democracy around the world.”
Luxon did not raise cyber interference with China’s minister for foreign affairs, Wang Yi, during a face-to-face meeting in Wellington last week.
“Officials raised cyber activity with him earlier in the month, but in my short meeting with him, I did not raise this particular incident because it was a very short courtesy call,” Luxon said.
New Zealand will not impose sanctions against China, as the UK and US have done, Luxon said.
New Zealand’s foreign minister Winston Peters said: “Foreign interference of this nature is unacceptable, and we have urged China to refrain from such activity in future.”
He said concerns about cyber activity attributed to groups sponsored by the Chinese government, targeting democratic institutions in both New Zealand and the UK, had been conveyed to the Chinese ambassador.
In 2019, Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election, but the Australian government never officially disclosed who was behind the attacks.