A group backed by the Chinese state targeted New Zealand government services in a cyber-attack in 2021, New Zealand’s intelligence agency has said.
The government and intelligence agency – the Government Communications Security Bureau (GCSB) – confirmed the breach on Tuesday after the UK and the US accused China of similar attacks.
“This is the first time we have attributed state-sponsored malicious cyber activity to the People’s Republic of China, for intrusion into New Zealand government systems,” said the GCSB director, Andrew Clark.
In August 2021, the GCSB’s cybersecurity centre became aware of malicious activity affecting the parliamentary counsel office and parliamentary service, Clark said. The centre found the network had been compromised and after a thorough investigation was able to “confidently link” the attack to China, specifically the ministry of state security and a group known as Advanced Persistent Threat 40, or APT40.
“This link has been reinforced by analysis from international partners of similar events in their own jurisdictions,” Clark said.
Some data was taken during the cyber-attack, but none that was considered sensitive or strategic, he said.
In a statement to the Guardian, a spokesperson for the Chinese embassy in Wellington said China denied any involvement with the cyber-attack. “We reject outright such groundless and irresponsible accusations,” it said.
The embassy said it had lodged “serious démarches to New Zealand’s relevant authorities, expressing strong dissatisfaction and resolute opposition”.
“We have never, nor will we in the future, interfere in the internal affairs of other countries, including New Zealand,” the spokesperson said.
The statement came shortly after the foreign minister Winston Peters cautioned China against further interference.
“Foreign interference of this nature is unacceptable, and we have urged China to refrain from such activity in future,” Peters said in a statement.
He said concerns about cyber activity attributed to groups sponsored by the Chinese government, targeting democratic institutions in both New Zealand and the UK, had been conveyed to the Chinese ambassador.
Speaking to media on Tuesday, prime minister Christopher Luxon said New Zealand has a “longstanding, complex relationship with China”, but added that the two countries have differences “and we call that out when we can”.
“We are calling out where we see malicious cyber-activity from any state that attacks our democratic institutions,” Luxon said.
“This is a first for New Zealand – publicly attributing a malicious cyber-activity on our democratic institutions by China. It’s a big step for us.”
Other cyber-attacks linked to APT40 were made public in 2021; however, those attacks targeted other unnamed New Zealand networks and Microsoft email servers.
Clark said the attacks on parliament services were kept quiet until now to ensure the investigation was thorough and existing vulnerabilities in the system had been fixed, and to compare notes with other international partners.
“We want to be able to, as a country, reinforce the norms of responsible behaviour internationally in cyberspace, and that is best done in the company of other partners,” he said.
Clark would not speculate on what data China was seeking, but said these types of breaches typically attempt to gain information for strategic advantage, to steal intellectual property or to facilitate foreign interference.
New Zealand is highly dependent on China, its largest trading partner. While the smaller nation has become more vocal in recent years over issues of human rights, the international rules-based order and concern over the potential militarisation of the Pacific, it has typically taken a more conciliatory tone towards China than other democracies such as Australia, the UK and the US.
When asked by reporters on Tuesday if China was a threat to New Zealand’s democracy, Luxon refrained from explicitly naming the country, saying: “there are many state actors and criminal actors that are threats to our institutions, including liberal democracy around the world.”
Luxon did not raise cyber interference with China’s minister for foreign affairs, Wang Yi, during a face-to-face meeting in Wellington last week.
“Officials raised cyber activity with him earlier in the month, but in my short meeting with him, I did not raise this particular incident because it was a very short courtesy call,” Luxon said.
New Zealand will not impose sanctions against China, as the UK and US have done, Luxon said.
In 2019, Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election but the Australian government never disclosed officially who was behind the attacks.