Parliament network breached in China-led cyberattack, Judith Collins reveals

The government does not plan to launch sanctions against China after confirming a cyberattack targeted two Parliamentary agencies in 2021.

But Foreign Minister Winston Peters said concerns had been conveyed directly to the Chinese government, with senior officials at the Ministry of Foreign Affairs and Trade asked to speak with China’s Ambassador.

A spokesperson for the Chinese Embassy in New Zealand rejected what they called “groundless and irresponsible accusations” that China was behind the malicious cyber activity.

In a statement, they said they had “lodged serious démarches to New Zealand’s relevant authorities” and expressed “strong dissatisfaction and resolute opposition”.

“We have never, nor will we in the future, interfere in the internal affairs of other countries, including New Zealand,” the statement said.

“Accusing China of foreign interference is completely barking up the wrong tree.

“We hope the New Zealand side can practice the letter and spirit of its longstanding and proud independent foreign policy, independently making judgments and decisions in its best interests rather than blindly following other’s words and actions at the expense of New Zealand’s own credibility and interests.”

But the spy agencies’ minister Judith Collins said New Zealand’s Parliamentary Service and Parliamentary Counsel Office were targeted in a China-linked 2021 cyberattack.

Her office clarified the malicious activity was contained and the actor behind it was removed shortly after accessing the networks.

They also confirmed the hack was different from the one revealed by then-minister Andrew Little.

Little had that year linked a separate attack to China-sponsored hacker group Advanced Persistent Threat 40 (APT40), saying they had exploited Microsoft Exchange vulnerabilities.

The news follows the United Kingdom and United States announcing sanctions against China over its alleged cyber activity.

They claimed a sweeping cyberespionage campaign targeting millions of people – including White House staffers, US Senators, British parliamentarians, government officials across the world and lawmakers, academics, journalists.

The US and UK said the attack was led by the APT31 hacker group, which they said was an arm of China’s Ministry of State of Security.

In her statement, Collins said New Zealand stood with the UK, and the “use of cyberespionage operations to interfere with democratic institutions and processes anywhere is unacceptable”.

“The GCSB’s National Cyber Security Centre (NCSC) completed a robust technical assessment following a compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021, and has attributed this activity to a PRC state-sponsored group known as APT40,” she said.

“Fortunately, in this instance, the NCSC worked with the impacted organisations to contain the activity and remove the actor shortly after they were able to access the network.”

She told reporters at Parliament New Zealand’s democratic institutions were “sacrosanct” and said New Zealand was working alongside partners and supporting the UK.

She said this was the first attack on New Zealand’s democratic institutions she was aware of.

Asked why New Zealand had not announced sanctions, she said it was not part of the government’s legislative agenda. Because New Zealand does not have broader law allowing for autonomous sanctions, legislation would be required before sanctions can be laid.

The Parliamentary Service provides administrative and support services to Parliament and its MPs, while the Parliamentary Counsel Office (PCO) is responsible for drafting and publishing legislation.

Peters said foreign interference of this nature was unacceptable and was urging China to refrain from such activity in the future.

“New Zealand will continue to speak out – consistently and predictably – where we see concerning behaviours like this,” Peters said.

“As discussed during last week’s visit by Foreign Minister Wang Yi to New Zealand, our two countries have a significant and complex relationship. We cooperate with China in some areas for mutual benefit. At the same time, we have also been consistent and clear that we will speak out on issues of concern.”

GCSB director-general Andrew Clark said in the past year, there were 316 “cyber events” involving nationally significant organisations. About a quarter of these could be linked to state-sponsored actors.

But this was the first time New Zealand has publicly pointed to China as being behind an intrusion into government systems.

“Our analysis enabled us to confidently link the actor to the People’s Republic of China – specifically to the Ministry of State Security.

“This link has been reinforced by analysis from international partners of similar events in their own jurisdictions.”

New Zealanders could be reassured the hack was detected quickly, and action was taken before sensitive data was taken, he said.

Some information was removed from the networks, but the GCSB believed it was of a technical nature and information of a sensitive or strategic nature was not taken, he said.

The PCO and Parliamentary Service have made changes to their networks to increase their security resilience since the attack.