Reminder: “Frenemies” are not friends.

News that the Chinese APT 40 cyber-hacking unit (APT being shorthand for “advanced persistent threat,” the label Western agencies attach to state-backed intrusion groups) penetrated parliamentary networks in 2021 has renewed concerns about the PRC’s malign intentions in Aotearoa. But is the hack that significant, given the length of time that has passed since its discovery and the lack of sensitivity of the information that was accessed? I was asked to write about this for a corporate news outlet but since it is my work I have added some details and posted it here.

The hack is unsurprising given that NZ is a 5 Eyes partner and that the Parliamentary Service and the Parliamentary Counsel Office handle sensitive information as a matter of course. NZ may be a trading partner of the PRC but is in essence a security adversary given its membership in 5 Eyes and its close military alignment with the US, Australia and other Western states that are (whether rightly or wrongly) hostile to PRC power-projection worldwide. Since the PRC is a main focus of 5 Eyes signals and technical intelligence collection, it would be remiss for APT 40 to ignore potential avenues of exploitation when it comes to obtaining political or security-related intelligence in NZ. That is part of their mission, and complements the well-known presence of numerous PRC human intelligence agents in this country.

It is therefore reassuring that the GCSB’s National Cyber Security Centre (NCSC) discovered the hack and found that no strategically important or sensitive information was breached. We shall have to trust them on that. However, that does not mean that this will be the last time APT 40 or some other PRC cyber-hacking unit will attempt to breach NZ government and private cyber defences. That is what they do, and because NZ has in the past been seen as the Achilles heel of the 5 Eyes network due to traditionally poor cyber security practices, they will likely do so again. This is an ongoing problem that the NCSC was created to address, but the offence versus defence dynamic inherent in (cyber) espionage and warfare is still in play and will continue to be so for the foreseeable future.

Some have suggested that NZ impose sanctions on the PRC in response to the parliamentary cyber intrusion. The US and UK have announced such measures due to similar PRC behaviour with regard to them (more on this below). However, for NZ that would be a mistake because sanctions at this point would be counter-productive. First, because it would be akin to poking a tiger and invite disproportionate retaliation over what is a relatively minor transgression in the broader scheme of things. Since NZ has yet to wean itself off of its self-made PRC trade dependency, it cannot afford to alienate it just yet, if ever, over an intrusion of this order.

Secondly, these types of breaches are usually handled quietly so that the offending party is not completely sure of how and why they were thwarted or countered. In other words, the GCSB does not want to show its hand when it comes to its counter-hacking capabilities. That the breach occurred in 2021 and has only been acknowledged now indicates that the GCSB feels that enough time has elapsed for operational security concerns to be ameliorated and a “fair warning” issued to the hackers that they are being identified, traced and countered. So there is no need to cause an inevitably damaging public spat with a much more powerful interlocutor. For all the coziness of the 5 Eyes members, no one will come to NZ’s economic rescue if the PRC decides to take punitive economic measures against NZ in the event that NZ tries to impose sanctions of some sort on its largest trade partner.

The timing of the GCSB announcement about the 2021 hack is also coincident with the US publishing the identities of PRC state hackers (attributed there to the APT 31 group rather than APT 40) targeting US political figures, companies and infrastructure, and with Australia and the UK warning of these and other Chinese political interference efforts in strong terms, with particular focus in the UK and US on PRC compromises of election-related systems and targeting of politicians in election years in both. The timing of the announcements about PRC hacking efforts therefore seems to be a 5 Eyes-coordinated “shot across the bow” that gives warning to APT 40 and their counterparts that the times of easy access to critical data infrastructure, even if indirectly and even in NZ, are over.

But that may be all that it is and not, at least in NZ’s case, a reason for NZ to escalate the matter beyond what it already has said and done. Chinese diplomats have been summoned to MFAT for a “please explain” and scolded for APT 40’s misbehaviour. The PRC Foreign Ministry has rejected the accusations and warned about scurrilous attempts to besmirch the PRC’s good name. Perhaps it is time to let the dogs go back to sleep.

It remains to be seen if this type of State-backed cyber-probing ends, because if nothing else the PRC hacking community is ingenious, well resourced and persistent. For them, this is part of the PRC’s ascent to having a multi-dimensional (voice and encrypted data communication intercept, physical and infrared (thermal) imagery acquisition, submarine fibre-optic cable “tapping” capabilities, etc.), broad-spectrum, multi-domain (air, land, sea, space, cyber) warfare infrastructure on its way to achieving superpower status. As part of 5 Eyes, NZ is standing in the (albeit small) way of that goal. It was and is bound to be an ongoing target of Chinese espionage efforts, including in the cyber domain.

Ultimately the revelations about APT 40’s operations in NZ are a reminder against cyber complacency at home and at work, be it in the public or private sectors. This is very true when dealing with so-called “frenemies,” that is, States with which NZ has cordial, even friendly relations on the public surface but with which underlying value systems and security relations are incompatible, strained or even hostile. So long as NZ is a member of the 5 Eyes network and the PRC is an adversary and target of that network, even if it is NZ’s largest trade partner, APT 40 and other PRC intelligence units will be hard at work seeking to discover and exploit any potential avenues of opportunity in NZ cyber-space as well as in other domains. It may be that in the past “loose lips sunk ships,” but in the contemporary era all keystrokes, phone calls, encrypted messages, Tik Toks and Instas are also grist for the intelligence mill—and exploitable as such.

An earlier version of this essay appeared on March 27, 2024 in the NZ Dominion Post (the-post.co.nz, p.19) and affiliated media outlets.

Cyber-hacking comes to Aotearoa.*

The Government Communications Security Bureau (GCSB) has announced that Chinese hackers were responsible for cyber intrusions against New Zealand managed service providers (MSPs), the IT and telecommunications firms that run phone, email, internet and data-hosting services on behalf of individual, public agency and corporate customers. This is surprising only because it confirms what private security analysts and partner intelligence services have been claiming for some time: that the Chinese are engaged in a global campaign of cyber theft of commercial secrets and intellectual property. They do so as part of a strategy to become the world’s dominant information and telecommunications player within 50 years, and they do so by using ostensibly private firms as cover for hacking activities directed by the Chinese Ministry of State Security (MSS).

The GCSB announcement coincided with the indictment by the US Justice Department of two Chinese nationals who have been identified as belonging to the Advanced Persistent Threat (APT)-10 group of MSS hackers operating under the cover of a Chinese-registered firm, Tianjin Huaying Haitai Science and Technology Development Company Ltd. (Huaying Haitai). Huaying Haitai claims to provide network security construction and product development services but has only two registered shareholders, one manager and no web presence (the domain name huayinghaitai.com is registered to the firm but cannot be found on-line, which is particularly odd for an internet security provider). The US has publicly identified Huaying Haitai as the corporate front for APT-10, and the GCSB has confirmed that APT-10 was responsible for the New Zealand-targeted cyber intrusions it has detected since early 2017.

The UK simultaneously announced that Chinese hackers had conducted a decade-long campaign of cyber-theft against British commercial entities, while the US identified 75 US-based targets as well as others in 12 other countries (excluding New Zealand). The GCSB announcement is therefore part of a coordinated effort by Western governments to identify Chinese-based cyber-theft campaigns, and follows on similar Australian revelations announced during the 2018 APEC summit a month ago.

The APT-10 cyber-hacking campaign violates the terms of a 2016 APEC agreement signed by China (and New Zealand) committing member states not to use cyber hacking in order to engage in commercial espionage or intellectual property theft. It violates similar pacts signed with the US and UK in 2015. This means that China is deliberately violating international agreements for commercial gain. It also makes all Chinese-based telecommunications firms suspect, both in terms of their purported use of so-called digital backdoors built into their products that can be used by Chinese intelligence and in terms of their duplicitous corporate behaviour when it comes to proprietary information. In effect, Chinese telecommunications firms are seen as bad corporate actors as well as intelligence fronts by Western countries. This has led to firms such as ZTE and Huawei being excluded from critical infrastructure projects and 5G network upgrades in a number of countries, including, most recently, New Zealand.

The GCSB announcement refers to Chinese hacking in pursuit of cyber theft of sensitive commercial and intellectual property. It does not mention specific targets or refer to cyber-espionage per se. Yet the two overlap because of the nature of the targets and the means by which they are attacked. APT-10 hacking attacks are aimed at Managed Service Providers (MSPs) who administer networks and store data for individuals, public agencies and firms. These include large multinational email, internet and phone service providers as well as smaller cloud-based data storage firms.

If APT-10 and other hackers can penetrate the security defenses of MSPs they can potentially bulk collect, then data mine, whatever is digitally stored in the targeted archives. Although the primary interest is commercial in nature, the overlapping nature of data networks, especially in a small country like New Zealand, potentially gives APT-10 and similar hacking groups access to non-commercial political, diplomatic and military networks.

For example, a home computer or private phone that has been compromised by a cyber hack on an internet service provider (ISP) can become, via the exchange of information between personal and work devices, an unwitting entry point to work networks in the private and public sectors that are not connected to the individual’s ISP. This raises the possibility of incidental or secondary data collection by hackers, which in the case of state organized outfits like APT-10 may be of as much utility as the commercial data being targeted in the first instance.

The dilemma posed by the GCSB’s announcement is two-fold. First, will the government follow the GCSB lead and denounce the behaviour, or will it downplay the severity of the international norms violations and intrusion on sovereignty that the APT-10 hacking campaign represents? If it denounces the behaviour, it sets up a possible diplomatic confrontation with the PRC. If it downplays it, it exposes a rift between the GCSB and the government when it comes to Chinese misbehaviour.

Neither scenario is welcome but one thing is certain: no response will stop Chinese cyber hacking because it is part of a long-term strategy aimed at achieving global information and telecommunications dominance within fifty years. But one response will certainly encourage it.

  • An earlier version of this essay appears on the Radio New Zealand website, December 21, 2018 (https://www.radionz.co.nz/news/on-the-inside/378835/cyber-hacking-comes-to-aotearoa).

Cyberwar comes to New Zealand.

News that Chinese hackers obtained personal details of 4 million US federal employees dating to 1985, following on the heels of similar attacks on the customer records of private insurance companies and retirement funds as well as the internal email networks of the US State Department and White House, demonstrates that a guerrilla cyber-war is underway. Although it will not replace traditional warfare any time soon, this is the new face of war for several reasons.

First, it does not involve physical conflict using kinetic weapons, which removes direct bloodletting from the equation. Second, it can target critical infrastructure (power grids, water supplies) as well as the command, control, communications, computers and intelligence (C4I) capabilities of adversaries. Third, it can be masked so that perpetrators can claim a measure of plausible deniability or at least intellectual distance from the action. Fourth, it can be used for tactical and strategic purposes and the pursuit of short or long-term objectives.

Much like military drones, cyberwar is here to stay.

The war is not one sided: Russian hackers have penetrated Pentagon email networks and the 5 Eyes signals intelligence alliance has dedicated hacking cells working 24/7 on targets of opportunity. Many other nations also indulge in the practice as far as their technological capabilities allow them. To these can be added a host of non-state actors—Wikileaks, Anonymous, ISIS, among others—who have also developed the capability to engage in electronic espionage, sabotage, data capture and theft.

With the most recent revelations about the hacks on the US Office of Personnel Management (OPM) archival records (which include personal details of active and retired federal employees as well as identities of those who have had or hold security clearances, perhaps including myself given my prior employment by the Department of Defense) an evolution in cyber warfare is now evident.

Previously, most state-sanctioned cyber attacks were so-called “front door” attacks on government or corporate mainframes, servers and networks. The interest was in surreptitiously obtaining sensitive data or installing surveillance devices in order to engage in ongoing monitoring of targeted entities. “Back door” probes and attacks were the province of non-state actors, especially criminal organisations, seeking to obtain private information of individuals and groups for fraudulent use. However, the recent attacks have been of the “back door” variety yet purportedly state sanctioned, and the Snowden leaks have revealed that 5 Eyes targets the personal communications of government officials, diplomats, military officials and corporate managers as a matter of course.

The move to state-sponsored “back door” hacks is ominous. Accessing data about current and retired government employees can be used to blackmail those suffering personal liabilities (debt, infidelity) in order to obtain sensitive information about government processes, procedures, protocols and policy. It can target active and former intelligence and military officials and others with access to classified information. It can target former public officials that have moved to the private sector, particularly in fields of strategic or commercial importance. Likewise, obtaining sensitive personal data of employees working in private firms opens the door to similar exploitation for illicit commercial gain.

Advances in consumer telecommunications have made cyber hacking easier. Smart phones and their applications are considered to be the most vulnerable to hacking. Because many people store an enormous amount of personal data on these devices, and because they often mix work and personal business on them, they represent an enticing entry point when targeted. Yet even knowing this, millions of consumers continue to pack their lives into electronic devices, treating them more as secure bank vaults than as windows on their deepest secrets. Not surprisingly, both state and non-state actors have embarked on concerted efforts to penetrate mobile networks and hand-held devices. Encryption, while a useful defense against less capable hackers, shifts rather than removes the problem against technologically sophisticated hackers such as those in the employ of a number of states: the device that decrypts the messages is itself the target, and whoever controls that device reads what its owner reads.

The bottom line is this: the smaller the telecommunications market, the easier it is for cyber hackers to successfully place backdoor “bugs” into the network and targets within it, especially if government and corporate resources are directed towards defending against “front door” attacks. On the bright side, it is easier to defend against attacks in a smaller market if governments, firms, service providers and consumers work to provide a common defense against both “front door” and “back door” hacking.

The implications for New Zealand are significant.

In this new battleground physical distance cannot insulate New Zealand from foreign attack because cyber-war knows no territorial boundaries. New Zealand provides an inviting target because not only is it an integral and active member of Western espionage networks, it also has proprietary technologies and intellectual property in strategic sectors of its trade-dependent economy (including niche defense-related firms) that are of interest to others. Because New Zealand’s corporate, academic and public service elites are relatively small and the overlap between them quite extensive, hacks on their personal data are a valuable tool for those who wish to use them for untoward purposes.

New Zealand public agencies and private firms have been relatively slow to react to the threat of cyber warfare. The data they hold on their employees, managers, policy elites and general population is an inviting “back door” for determined hackers seeking to exploit vulnerabilities in New Zealand’s cyber networks. Since many Kiwis are lax about separating their work and private electronic correspondence and records, the potential to access sensitive personal information is high.

New Zealand has been the subject of numerous “front door” cyber attacks and probes on public and private agencies, including an attack by Chinese-based hackers on the NIWA supercomputer carried out in concert with a similar attack by the same source on the supercomputer run by the US National Oceanic and Atmospheric Administration (NOAA, NIWA’s US counterpart). New Zealanders have been the targets of numerous “back door” intrusions such as phishing and other scams perpetrated by fraudsters and conmen. Yet successive governments have been slow to recognize the new threat advancing towards them in the cyber-sphere, only recently creating dedicated cyber security cells within the intelligence community and just last year amending the GCSB Act to address vulnerabilities in domestic internet security. But it still may not be enough.

Until New Zealand resolves the problem of institutional lag (that is, the time gap between the emergence of a technologically-driven threat and an institutional response on the part of those agencies responsible for defending against it), there is reason to be concerned for the security of private data stored in this country. After all, in the age of cyberwar there is no such thing as a benign strategic environment.