Government considered destroying its data hub after decade-long intrusion

A Chinese-sponsored cyber attack was so damaging that it was briefly proposed that an entire data hub be destroyed, according to British news magazine The Spectator. It observed that the attack, which accessed confidential UK government data, was just one manifestation of a continuing series of threats to British IT infrastructure.

That breach is but one example of the risks faced not only by the UK, but by governments and organizations everywhere.

According to news service Bloomberg, two former senior security officials and other government officials familiar with the matter revealed that China has routinely accessed low- and medium-level classification information on UK government servers for at least a decade. This included information marked “official-sensitive” and “secret,” in addition to some material on the government’s secure IT networks, although no information designated “top secret” was compromised.

Chinese threats to the UK infrastructure are very much at the forefront of government thinking right now, given the collapse of the trial of two Britons accused of passing secret documents to Chinese authorities.

The attack on the data hub, through which classified government information was exchanged, came about following the sale of the company controlling it to a Chinese entity. While the destruction of the data hub was considered, the government found alternative ways to protect the data, according to Bloomberg. However, the breach was serious enough for then British Prime Minister Boris Johnson to commission a report on threats, including digital surveillance and cyber attacks, posed by China. That report was never publicly released and, The Spectator said, technical details of the attack on the hub remain classified.

Data hub attack ‘particularly critical’

The attack on the data hub is seen as particularly critical. Jake Moore, global cybersecurity advisor with software company ESET, said, “The fact that ministers once considered destroying a data hub holding sensitive government data after it was sold to a China-aligned entity shows how seriously the UK views control over critical infrastructure. Physically destroying the site would have stopped services and wiped forensic evidence, yet it underscores the depth of concern about potential foreign control of national assets.”

Gavin Knapp, cyber threat intelligence lead at Bridewell, a supplier to the UK government’s critical network infrastructure, endorsed the severity of this approach. He said, “It’s like when a device is compromised: the only way to truly be sure there are no remnants or unidentified backdoors is to restore the asset to a known good state. In the physical realm, in particular a data centre, to sweep and verify there is no enduring threat actor / spy presence is much more difficult, and at a state secrets level the required effort to treat or terminate the risk requires a huge amount of effort and cost to bring risks down to an acceptable level.”

While it’s not clear exactly how the data hub had been compromised, Martin Riley, CTO at Bridewell, said, “The main point of entry may have been a VPN, as is common with Chinese actors, but if they have already moved across the environment and escalated privileges, then the impact would be wider.”

Riley noted that when the government said it had discovered another way to protect the data, it was likely that it had patched a vulnerability “after performing incident response to understand the breadth of the breach and how it was initially accessed.”

Organizations can’t ignore the supply chain

Because of the persistent threat from state-backed attackers, organizations everywhere need to be on constant alert, said Knapp, adding, “CISOs across government must assume they’re already being targeted, particularly by state-linked advanced persistent threats (APTs). These groups are difficult to detect because they prioritize stealth and long-term access over disruption. This raises key questions around how well organizations detect insider threats and hunt for compromises on edge devices, especially where vendors manage the hardware, making forensics more complex.”

Knapp warned that it was not sufficient to make government infrastructure more secure while ignoring the supply chain. “Even the most secure networks can be breached when attackers exploit users, contractors, or third-party systems to gain a foothold. They often compromise edge devices or exploit misconfigurations to move laterally within environments,” he said.

“Remember, state-backed attackers play a long game, embedding themselves within critical networks for months or years,” he said. “Techniques such as Operational Relay Boxes (ORBs) allow them to mask their activity and bypass endpoint detection tools, making attribution extremely difficult.”
