UK confirms attack on MoD system, opens review of contractor | The Register

UK opens investigation of MoD payroll contractor after confirming attack
China vehemently denies involvement
Connor Jones
Wed 8 May 2024 // 11:15 UTC
UK Government has confirmed a cyberattack on the payroll system used by the Ministry of Defence (MoD) led to "malign" forces accessing data on current and a limited number of former armed forces personnel.

There is no evidence to suggest that the criminals who broke into the systems actually removed any data, but they did access personal information including names, financial data, and in some cases home addresses.

The affected systems have been pulled offline but there is no indication as to how long the attackers had access to the data.

Defence secretary Grant Shapps addressed the Commons on Tuesday afternoon, confirming ministers' suspicions that Shared Services Connected Ltd (SSCL) was the contractor running the system during the attack.

SSCL started out as a joint venture in 2013 between the Cabinet Office and Sopra Steria, the French IT provider, which as of last year owns SSCL entirely.

Sopra Steria has 43 active contracts across government and five with the MoD, according to data from public sector spending researcher Tussell. SSCL's contract to deliver armed forces pay, pensions, and military HR services is its most lucrative contract of the 43, and according to Tussell, its most lucrative with the MoD, with a value of more than £294 million ($366.8 million).

Per its website, SSCL's contract with the MoD sees it managing HR services for 230,000 military personnel and reservists, and two million veterans. Its other contracts with the likes of the police and wider areas of government see it managing the payments for hundreds of thousands more public servants.

Shapps said the estimated number of people affected by the latest incident is up to 272,000, though this number is likely to be reduced after it goes through refinements.

Founding CEO of the NCSC and current Oxford professor Ciaran Martin told BBC Radio 4's Today show that while the incident will bring cause for concern, the data involved could have been a great deal more sensitive.

"So [the government's safeguards for outsourced work] will vary depending on the sensitivity of the data set, and whilst this is on the basis of the information available at the moment, it looks serious, it's at the lower end of serious.

"It seems like a broad data set but not a very deep one. It's not what you would call a crown jewel data set."

Martin compared the incident to the breach at the US's Office of Personnel Management in 2015, which was far more serious.

"We do worry what we call in the jargon in the cybersecurity industry about supply chain risk or the soft underbelly of professional services firms doing this type of thing, often more cheaply and arguably more efficiently than perhaps they're done in government. But it does require robust security procedures to be applied by the company and overseen by the sponsoring agency, in this case the MoD, and clearly that's something that's going to have to be looked at in this case."

Shapps withheld many details on national security grounds, including how the malign actors were able to access the data. However, he said the "strongest action" will be taken if SSCL is found to have been negligent.

Responding to ministers' concern about the situation and state of cybersecurity at SSCL, Shapps said a full review had already been launched.

"We have both ordered a full review of their work within MoD, but have gone further than that as well, and I've requested from the Cabinet Office a full review of their work across government as well as within MoD, which is underway."

As for the impact on individuals, all April salaries have been paid and there is currently no reason to suspect any future salary and pension payments will be disrupted, Shapps said.

However, some service personnel expense payments have experienced "a slight delay" but ensuring high-value payments are made is a current priority.

The MoD is now in the process of contacting all of those who are believed to be affected.

The UK isn't formally attributing the activity to any specific individual or group, but sources speaking to Sky, which broke the news, suggested China was behind it.

Two years ago, shortly after Russia invaded Ukraine, an act that was preceded by cyberattacks on Viasat, the UK's National Cyber Security Agency (NCSC-UK) officially attributed the Viasat attacks to Russia during its annual CYBERUK conference. This year's event is being held next week, but there is nothing to suggest officials will point to any group any time soon.

Shapps said that formal attribution will take time to reach firm conclusions and he refused to confirm suggestions that China was behind the incident, although he did say state interference couldn't be ruled out.

Conservative MP and former chair of the Commons Defence Committee, Tobias Ellwood, told BBC Radio 4's Today show: "Targeting the names of the payroll system and service personnel's bank details, this does point to China because it could be as part of a plan, a strategy to see who might be coerced."

Ellwood went on to reference the UK's threat in 2022 to prosecute former Royal Air Force (RAF) pilots under the National Secrets Act after it was revealed China was recruiting them to train Chinese pilots.

The news today is the latest in a long line of allegations against China focusing on its allegedly illegal acts in cyberspace.

Perhaps most notably, the US charged seven individuals over their alleged involvement in APT31, a cyber-espionage group with assumed ties to the Chinese state. Otherwise known as Zirconium, it's just one of many suspected groups run by China to fulfill its various military objectives.

Volt Typhoon, another suspected band of Beijing-sponsored cybercriminals, has also attracted a great deal of attention from authorities, which fear the group is readying destructive cyberattacks after multiple compromises at critical infrastructure orgs.

Going back further, the UK previously pinned a 2021 attack on the Electoral Commission on China but deputy PM Oliver Dowden recently dismissed concerns that the country had ever been successful in disrupting UK elections.

These are just a number of highlights from a sprawling list of allegations against China and its efforts in cyberspace, which date back many years.

It should be said that China has repeatedly denied any involvement in offensive cyber campaigns targeting the West.

A spokesperson for the Chinese embassy said: "The said accusation made by the UK side is nothing but a fabricated and malicious slander. It is extremely absurd and despicable. We strongly condemn it.

"China has all along been fighting cyberattacks according to law. We firmly oppose any groundless accusations against China out of political motives.