Another hole in a contractor’s defenses has led to a third party breach of a system containing sensitive government information, as the Ministry of Defence has confirmed that the financial information of some 272,000 UK armed forces personnel has been exposed.
There has been no formal attribution of blame for the attack, but there have been strong intimations that China’s state-backed hackers are behind it. Both active UK armed forces members and veterans are being notified that their names and bank details have been exposed to unauthorized parties, and in a “few” cases their home addresses as well. The source of the third party breach is a contractor called SSCL, which provides payroll services for multiple UK government entities.
Third party breach follows trend of Chinese APT group attacks
China continues to deny any involvement, but this third party breach is part of a loose string of attacks attributed to its APT groups now dating back at least a decade. This campaign was documented in a March joint report from the US and UK detailing the actions of APT 31 (Zirconium), going back (at minimum) to election interference attempts and other breaches in 2016. The UK has applied sanctions to specific members of the group and accused it of spying on MPs and breaching the Electoral Commission.
Cyber espionage is nothing new, but certain of China’s APT groups appear to have been especially aggressive with foreign critical infrastructure in recent years. It is not entirely clear what they would want with bank details, but it may simply be a means of identifying UK armed forces members for potential targeted spearphishing or other attacks in the future. Some of the private contractors that make up China’s small army of APT teams have also been observed stealing money as a sideline.
It’s not possible at present to gauge what (if any) national security threat the third party breach poses, but the Ministry of Defence announced an eight-point plan to remediate the damage and prevent something similar from happening in the future.
Still unclear how UK armed forces contractor was breached
Reasonable guesses can be made as to how the third party breach unfolded, and the Ministry of Defence did confirm “weaknesses” in the contractor’s systems that the attacker took advantage of. While that usually means that either someone was phished or a critical vulnerability was not patched, the full details will likely be kept quiet for national security reasons, given the involvement of UK armed forces members.
The fallout for victims might be limited to changing account numbers as a precaution, if indeed no other personal information was exposed. The government confirmed that impacted parties are being privately contacted about the breach and offered a free data protection service that will monitor use of their personal information for fraud attempts. This is also apparently having minimal impact on payroll, and some components of the UK armed forces (such as the special forces) were on a different payment system and are not impacted at all.
Still, the incident is concerning as it once again demonstrates how a third party breach can negate the defenses of what should be some of the most secure systems in the world. SSCL services not just the UK armed forces but also police and other public sector entities.