Luke de Pulford, a British activist focused on China, didn’t know he and a global group of lawmakers that he founded were being targeted by Chinese hackers until the U.S. Justice Department issued a press release about the yearslong campaign.
The sweeping indictment unsealed in Washington on March 25 says Chinese government-backed hackers in 2021 went after “every European Union member” of the Inter-Parliamentary Alliance on China (IPAC), a group of deputies with hawkish views on China that de Pulford co-founded in 2020. The Chinese hackers also tried to infiltrate 43 British parliamentary accounts linked to lawmakers who were also IPAC members or had expressed critical views of China.
“I am learning about this from a U.S. government press release,” de Pulford wrote on X, formerly Twitter, shortly after U.S. sanctions against seven men and two hacking groups accused of conducting the attacks on behalf of China’s civilian intelligence agency, the State Security Ministry (MSS), were announced.
RFE/RL spoke with several IPAC-affiliated lawmakers targeted in the hacking campaign. Many said they received suspicious e-mails like the ones the U.S. indictment says were used to try to gain access to their accounts -- with some even being notified about it by their respective intelligence and cybersecurity agencies. All of the lawmakers say the attempts were unsuccessful.
“This [U.S.] investigation is not a surprise to me, but only a simple confirmation that everything I’ve done over the years in parliament has been done well,” Pavel Popescu, a Romanian IPAC member who led the country’s parliamentary National Security and Defense Committee in 2022, told RFE/RL.
The U.S. allegations and sanctions were followed by Britain and supported by New Zealand, which also accused China of hacking its parliament website.
Some 66 lawmakers from 12 EU-member parliaments are listed on IPAC’s website, along with members from Britain, the United States, Ukraine, Japan, and others. Beyond the IPAC members, the sprawling Chinese hacking campaign targeted U.S. officials, senators, journalists, Chinese political dissidents, Western military and tech companies, as well as Britain’s election watchdog and members of the European Parliament.
Antonio Milososki, a lawmaker and former foreign minister for North Macedonia, told RFE/RL that cyberattacks have been a mainstay since he joined IPAC in 2021. He says he thinks the attempts have been unsuccessful and that IPAC has been active in raising awareness about the constant hacking attempts.
Still, some IPAC members are frustrated about the lack of notification from Western security agencies about the scale of the Chinese campaign and that they were being targeted.
The British government has been criticized for being too slow to respond to the 14-year-long campaign, with several parliament members saying they were never notified they were targeted.
Tim Loughton, a British parliamentarian and IPAC member, said he and other U.K. politicians expressed dismay that British intelligence never told them they were targeted and that they only learned about the issue from the indictment.
“They weren’t fully honest with us. We only found out from America that 43 people were hacked,” Loughton told reporters at a March 25 press conference, referring to the British lawmakers targeted.
IPAC’s de Pulford also expressed frustration with the lack of notice, saying that while they have been aware of cyberattacks over the years, IPAC only learned about the full scale of the campaign from the U.S. press release.
Inside A Global Hacking Campaign
Both London and Washington have pointed the finger at a hacking group known within the cybersecurity community as Advanced Persistent Threat 31 (APT 31), which is said to have tried to hack IPAC members and gone after a host of other targets in the indictment, ranging from overseas Hong Kong activists to U.S. companies.
New Zealand, meanwhile, said a separate Chinese state-backed group called APT 40 was behind the attack that compromised computers linked to its parliamentary network. According to Mandiant, an American cybersecurity firm and subsidiary of Google, APT 40 is a Chinese cyberespionage group that typically targets countries strategically important to Beijing’s multibillion-dollar infrastructure project, the Belt and Road Initiative (BRI).
U.S. Deputy Attorney General Lisa Monaco said on March 25 that more than 10,000 e-mails -- which appeared to come from news outlets, politicians, and critics of China -- were sent as part of the campaign that relied on using phishing e-mails containing hidden tracking links.
If the victims opened the e-mails, information including the recipient’s location, device, and IP address was transmitted to a server controlled by the hackers. APT 31 then used this information to enable more targeted hacking, such as going after home routers and personal electronic devices.
Romanian lawmaker and IPAC member Catalin Tenita told RFE/RL that he had received suspicious e-mails in 2021 but that he exercises a high degree of cybersecurity and did not click on any potential phishing e-mails.
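For defenders, a check for the open-tracking behavior described above, as an added example that is not from the indictment or from RFE/RL. It assumes the tracking is done with a remotely loaded image in the HTML body; the message, hostnames, and the `rid` parameter are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample message (not taken from any real campaign).
SAMPLE_EML = """\
From: "News Desk" <desk@news.example>
To: member@parliament.example
Subject: Interview request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see our <a href="https://news.example/story">story</a>.</p>
<img src="https://cdn.news.example/logo.png" width="120" height="40">
<img src="https://track.example/o.gif?rid=member-0042" width="1" height="1">
</body></html>
"""

class RemoteLoadFinder(HTMLParser):
    """Collects images a mail client would fetch automatically on open."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag != "img" or not src.lower().startswith(("http://", "https://")):
            return
        url = urlsplit(src)
        # Heuristics: invisible size, hidden by style, or a query string
        # that may carry a per-recipient identifier.
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        tagged = bool(parse_qs(url.query))
        if tiny or hidden or tagged:
            self.findings.append({"host": url.hostname, "tiny": tiny,
                                  "hidden": hidden, "tagged": tagged})

def find_open_trackers(raw_eml):
    """Return suspected open-tracking images from every HTML part of a message."""
    msg = message_from_string(raw_eml, policy=default)
    finder = RemoteLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings
```

Mail clients that block remote content by default never make the request, so the sender's server does not see the recipient's IP address or device details when the message is opened.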
Alexandru Muraru, another Romanian IPAC member, told RFE/RL that he didn’t open any e-mails like those outlined in the indictment but says that he and his colleagues have been “repeatedly warned about what the Chinese state is trying to do.”
Another IPAC member, Fatmir Mediu, an Albanian lawmaker and former defense minister, told RFE/RL that he and other Albanian IPAC members did not receive any e-mails like those described in the U.S. indictment.
China has rejected the allegations that it or state-affiliated organizations were responsible for the attacks, calling them “completely fabricated and malicious slanders.”
Analysts, however, say that the campaign is part of a larger trend of Chinese hackers becoming increasingly invasive in their efforts to surveil and monitor critics abroad and procure intellectual property from leading foreign companies.
Jakub Janda, director of the Prague-based European Values for Security Policy, told RFE/RL that the U.K. government’s decision to publicly attribute the hacking campaign to China is a step toward a more robust European response to Chinese cyberespionage, although he said the sanctions are mostly “symbolic punishment” and unlikely to have a “deterring effect.”
Another large-scale, multiyear Chinese hacking campaign was exposed in February when a trove of documents from the Shanghai-based cybersecurity company I-Soon was leaked online. According to e-mails in the leak, the private company worked as a contractor for the Chinese government, police, and military to target individuals, governments, and companies across the globe.
Jamie MacColl, a research fellow in cybersecurity at the London-based Royal United Services Institute, says that while Chinese state-backed hacking groups have been on the rise in recent years, the recent disclosure stands out for its massive scale and varying goals.
But he adds that while China’s hacking capabilities have greatly advanced in the last decade, this case shows that Chinese groups are vulnerable and that the indictment would not be possible without “significant infiltration of the MSS” by Western intelligence agencies.
“China still worries about its networks being penetrated and [Western agencies] collecting intel on their most important groups, which is what looks to have happened here,” MacColl told RFE/RL. “This is embarrassing for them.”