Suspected Chinese hack of Britain’s Ministry of Defence linked to contractor, minister confirms

A suspected Chinese hack that exposed payroll records of 270,000 members of the British armed services was connected to the “potential failings” of a government contractor, UK defence secretary Grant Shapps told the British Parliament.

News of the incident became public on May 7, when government sources briefed journalists about a major hack of the Ministry of Defence (MOD) allegedly conducted by the Chinese state.

The data put at risk included the names and bank details of current, reservist, and retired members of the Royal Navy, Army, and Royal Air Force. A small but unconfirmed number of addresses were also part of the hack.

But by the time Shapps made his statement to Parliament hours later, China was no longer being mentioned by name. Instead, Shapps focused on the third-party company that managed the payroll system. “This was operated by a contractor and there is evidence of potential failings by them which may have made it easier for the malign actor to gain entry,” Shapps said.

No confirmed connection to a nation-state

Although Shapps didn’t explicitly blame the contractor, the government has started a review of the company and its operations, he said. “Although we can see a malign actor was involved, we have yet to make the connection to a state. Although we can’t rule out that that might be the conclusion, we have no evidence to conclude that way yet,” he said.

The incident reveals a knot of issues, starting with the political problem of attribution. The government clearly believes that China was behind the hack but doesn’t want to say that publicly to avoid getting into a diplomatic slanging match.

That has upset a noisy element among the government’s own MPs, many of whom see China as a major threat to UK security and would prefer the government to be more explicit about this.

In March, China was blamed for a cybercampaign targeting MPs. Not long after, two Parliamentary aides were charged with spying for China under the Official Secrets Act. In political circles, at least, the theme is now well-defined: The Chinese state has long tentacles, and the British state and politicians are in its sights.

Separately, the UK and several of its allies recently accused China of targeting critical infrastructure through the Volt Typhoon hacking campaign.

Third-party compromise unknown

A more unusual aspect of the latest incident is that a senior minister has so quickly connected a compromise affecting government systems to a third party.

Shapps confirmed the contractor's identity in Parliament only when the Labour Party’s shadow defence secretary John Healey named the company as Shared Services Connected Ltd (SSCL), which operates the MOD payroll contract in addition to many others across the government.

What is not yet known is the nature of the issue that led to the incident or how much data was accessed. That might only become apparent many months later, assuming any investigation into the incident is ever made public.

The wider question is how any government can maintain visibility of the contractors that run many of its services. “I’m not surprised by this because supply chain security is really difficult,” Martin J. Kraemer of security awareness company KnowBe4 told CSO Online.

“It’s largely to do with the increasing complexity. If you went into a large organization as a consultant, one of the first things you would do is to ask for a list of all of their vendors. But they would look at you and say they don’t know.”

Security issues inherent in supply chains

This is why the term supply chain is apt: It’s a long list of vendors, who work for other vendors, who work for other vendors, who work as contractors to large organizations such as governments.

“The companies that are part of this supply chain get ever smaller and specialized. This is why the EU’s NIS2 Directive makes organizations responsible for the security of their supply chains,” said Kraemer. Weaknesses that were hard to plug included the so-called vendor email compromise whereby hackers infiltrated trusted email relationships between supply chain partners. “Someone takes over the email account of a company and they have an easy way in. This can be one of the most costly compromises.”
