Feature

How did China hack the UK Ministry of Defence?

China denies hacking UK armed forces' SSCL payroll data services, which are operated by French tech giant Sopra Steria, writes Alex Blair.

The UK MoD ministerial office in Whitehall, London. Credit: William Barton / Shutterstock

China stands accused of hacking the UK Ministry of Defence (MoD) in a major cyberattack on armed forces’ SSCL payroll data system. The data breach compromised the names and bank details of current military personnel and veterans, Sky News reported.  

When addressing the House of Commons on 7 May, UK Defence Secretary Grant Shapps said a “malign actor” was responsible for the attack, but that the government “cannot rule out state involvement”. He added that there was “no evidence that any data has been removed”.  

Shapps has announced a "multi-point plan to support and protect personnel", an MoD spokesperson told Army Technology. 

The MoD has been working urgently to grasp the scale of the cyberattack in the three days since discovering the data breach.

The UK government has yet to name a suspected culprit. Former head of the National Cyber Security Centre (NCSC) Ciaran Martin said “there’s nothing unusual or untoward about the government not saying who they think is behind the breach at this stage” in a thread on X.  

“If past form is a guide, bring allies on board before formally accusing another state (or criminal group)”, Martin added, referring to former US Director of National Intelligence James Clapper’s allegations towards China over the 2015 OPM breach. “Accuracy and allies are more important than speed”.

Who is responsible for the MoD’s payroll contract?

UK Prime Minister Rishi Sunak, meanwhile, refused to blame China directly, but more broadly said he “set out a very robust policy towards China to protect ourselves against the risks that China, and other countries, pose to us”.  

Sunak’s spokesperson added that “in relation to the specific contractor involved in the incident, a security review of that contractor’s operations is under way and appropriate steps will be taken after that”.  

SSCL, a joint venture between the UK Cabinet Office and French tech company Sopra Steria, holds the overarching payroll contract for MoD payroll data. SSCL is responsible for “delivering the MoD’s vision to transform core payroll, HR and pension services for 230,000 military personnel and reservists and 2 million veterans”, according to Sopra Steria’s website.

Labour's Shadow Defence Secretary John Healey claimed that SSCL is the culpable contractor.  

It remains unclear if Sopra Steria directly operates the payroll element of the SSCL contract or if it is overseen by a downstream contract. Shapps, however, added that the breach was due to the “potential failings” of the contractor.  

Army Technology has approached Sopra Steria and SSCL regarding the reported attack and whether its systems were targeted. 

UK Defence Secretary Grant Shapps arriving at Downing Street earlier today (7 May). Credit: Wiktor Szymanowicz / Getty Images

While the attack seems to have followed the pattern of a typical supply chain breach, Sopra Steria has previously been targeted by the Ryuk ransomware variant. In 2020, a Russia-linked ransomware attack was estimated to cost the Paris-headquartered company between $48m and $60m.

What does Beijing stand to gain?

On 7 May, Chinese Foreign Ministry spokesperson Lin Jian described the allegations as “absurd”, stating that Beijing “opposes all forms of cyberattacks”. 

Potentially sensitive data on key MoD individuals is an invaluable asset for Beijing amid rising tensions between China and the US, the UK and other Western powers. 

The allegations of state-sponsored cyber espionage come as Chinese President Xi Jinping visits Europe for the first time in five years. Xi landed in France on 5 May and has committed to “refrain from selling any weapons” to Russia – at least according to French President Emmanuel Macron.

The latest cyberattack also aligns with China’s capability in human intelligence. Beijing’s Ministry of State Security has the widest reach of any global intelligence agency and has frequently used cyberattack strategies to sow doubt and gain leverage over rival states. 

This payroll data breach is the latest in a series of alleged Chinese state-sponsored cyberattacks on the UK.

In March, Deputy Prime Minister Oliver Dowden revealed two incidents, one involving a breach of the UK’s Electoral Commission and the other a series of targeted attacks on China-sceptic MPs. 

Attention remains fixated on the MoD’s response to China’s alleged act of cyber warfare on a military and government institution. 
