An alleged Chinese hack that exposed the pay records of 270,000 British military personnel is linked to a “potential failure” at a government contractor, Defense Secretary Grant Shapps has told the British Parliament.
News of the incident became public on May 7, when government officials briefed journalists on a massive hack of the Ministry of Defense (MOD) allegedly carried out by the Chinese state.
The data at risk included the names and bank account details of active, reservist and retired members of the Royal Navy, Army and Royal Air Force. A small number of unverified addresses were also included in the hack.
But by the time Mr Shapps spoke in Parliament hours later, China was no longer mentioned by name. Instead, he focused on third-party companies that manage payroll systems. “This is run by contractors and there is evidence of potential failures by them, which may have made it easier for malicious actors to gain entry,” Mr Shapps said.
UK government begins review, saying no links to nation-state have been confirmed
Mr Shapps did not specifically condemn the contractor, but he said the government had launched a review of the company and its operations. “It is clear that malicious actors were involved, but the link to the state has not yet been disclosed. We cannot rule out the possibility that that is the conclusion, but there is no evidence to conclude that. Not yet.”
This incident reveals the overlap of various issues, including the political issue of attribution. The government clearly believes China was behind the hack, but is unwilling to say so publicly to avoid getting caught up in diplomatic maneuvers.
This has upset a noisy faction among the government's own MPs, many of whom see China as a significant threat to UK security and are keen to see the government be clearer on this point.
In March, China was accused of a cyber campaign targeting members of Congress. Shortly thereafter, two parliamentary aides were charged with spying for China under the Official Secrets Act. At least in political circles, this theme is now clearly defined. The Chinese state has long tentacles, and the British state and its politicians are firmly in its gaze.
Separately, the UK and several allies recently accused China of targeting critical infrastructure through its Volt Typhoon hacking campaign.
Third party that processes payroll linked to security breach
What is even more unusual about this case is that a senior minister was quick to link a breach affecting government systems to a third party.
The only time Mr Shapps acknowledged in Parliament the contractors involved was when Labour's shadow defense secretary, John Healey, named the company as Shared Services Connected Limited (SSCL), which he said was a government official. In addition to many other contracts, the company also manages payroll contracts for the Ministry of Defense.
What we don't yet know is the nature of the problem that caused the incident and the amount of data that was accessed. Assuming any investigation into the incident is made public, it may not become clear until months later.
A broader question is how the government can maintain visibility of the contractors who operate many of its services. “This doesn't surprise me because supply chain security is really difficult,” Martin J. Kraemer of security awareness company KnowBe4 told CSO Online.
“It has a lot to do with complexity. If you go into a large organization as a consultant, one of the first things they do is ask for a list of all their vendors. You'll say you don't know.”
This breach highlights inherent security issues in the supply chain
This is why the supply chain is aptly named. A supply chain includes a long list of vendors that work for other vendors, which in turn work for other vendors, or that work as contractors for large organizations such as governments.
“Companies that are part of this supply chain are becoming increasingly smaller and more specialized. This is why the EU's NIS2 directive places responsibility on organizations for supply chain security,” says Kraemer. Weaknesses that are difficult to resolve include so-called vendor email compromise, where hackers penetrate trusted email relationships between supply chain partners. “Someone can easily hijack and infiltrate a company's email account. This could make it one of the most costly breaches.”