{
	"id": "c5cfdb10-18d5-4a3d-8f83-6ac7a7ebff14",
	"created_at": "2026-04-06T00:11:46.838574Z",
	"updated_at": "2026-04-10T13:12:48.04779Z",
	"deleted_at": null,
	"sha1_hash": "9c9a878d5845aec62d118101e77154901ec34c0c",
	"title": "UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54008,
	"plain_text": "UK holds China state-affiliated organisations and individuals\r\nresponsible for malicious cyber activity\r\nBy Foreign, Commonwealth \u0026 Development Office\r\nPublished: 2024-04-02 · Archived: 2026-04-05 14:01:33 UTC\r\nThe United Kingdom, supported by allies globally, have today identified that Chinese state-affiliated organisations\r\nand individuals were responsible for 2 malicious cyber campaigns targeting democratic institutions and\r\nparliamentarians. Partners across the Indo-Pacific and Europe also express solidarity with the UK’s efforts to call\r\nout malicious cyber activities targeting democratic institutions and electoral processes.\r\nFirst, the UK can reveal today that the National Cyber Security Centre (NCSC) – a part of GCHQ – assesses that\r\nthe UK Electoral Commission systems were highly likely compromised by a Chinese state-affiliated entity\r\nbetween 2021 and 2022.\r\nSecond, NCSC assesses it is almost certain that the China state-affiliated Advanced Persistent Threat Group 31\r\n(APT31) conducted reconnaissance activity against UK parliamentarians during a separate campaign in 2021. The\r\nmajority of those targeted were prominent in calling out the malign activity of China. No parliamentary accounts\r\nwere successfully compromised.\r\nThis is the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organisations and\r\nindividuals targeting democratic institutions and parliamentarians in the UK and beyond.\r\nIn response, the Foreign, Commonwealth and Development Office has today summoned the Chinese Ambassador\r\nto the UK, and sanctioned a front company and 2 individuals who are members of APT31. Concurrently, the\r\nUnited States is designating the same persons and entity for malicious cyber activity. We greatly value our close\r\ncoordination and cooperation with the US in addressing these threats.  
This sends a clear message that we will not\r\ntolerate malicious cyber activity against democratic institutions and parliamentarians.\r\nForeign Secretary Lord Cameron said:\r\nIt is completely unacceptable that China state-affiliated organisations and individuals have targeted our\r\ndemocratic institutions and political processes. While these attempts to interfere with UK democracy\r\nhave not been successful, we will remain vigilant and resilient to the threats we face.\r\nI raised this directly with Chinese Foreign Minister Wang Yi and we have today sanctioned 2\r\nindividuals and one entity involved with the China state-affiliated group responsible for targeting our\r\nparliamentarians.\r\nWe will always defend ourselves from those who seek to threaten the freedoms that underpin our values\r\nand democracy. One of the reasons that it is important to make this statement is that other countries\r\nshould see the detail of threats that our systems and democracies face.\r\nhttps://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity\r\nPage 1 of 4\n\nDeputy Prime Minister Oliver Dowden said:\r\nThe UK will not tolerate malicious cyber activity targeting our democratic institutions. It is an absolute\r\npriority for the UK government to protect our democratic system and values. 
The Defending\r\nDemocracy Taskforce continues to coordinate work to build resilience against these threats.\r\nI hope this statement helps to build wider awareness of how politicians and those involved in our\r\ndemocratic processes around the world are being targeted by state-sponsored cyber operations.\r\nWe will continue to call out this activity, holding the Chinese government accountable for its actions.\r\nHome Secretary James Cleverly said:\r\nIt is reprehensible that China sought to target our democratic institutions.\r\nChina’s attempts at espionage did not give them the results they wanted and our new National Security\r\nAct has made the UK an even harder target. Our upcoming elections, at local and national level, are\r\nrobust and secure.\r\nDemocracy and the rule of law is paramount to the United Kingdom. Targeting our elected\r\nrepresentatives and electoral processes will never go unchallenged.\r\nThis statement today sees the international community once again call on the Chinese government to demonstrate\r\nits credibility as a responsible cyber actor. The UK will continue to call out malicious cyber activity that infringes\r\non our national security and democracy.\r\nThe UK believes these behaviours are part of a large-scale espionage campaign. We have been clear that the\r\ntargeting of democratic institutions is completely unacceptable. To date, cumulative attempts to interfere with UK\r\ndemocracy and politics have not been successful. The UK has bolstered its defences against these types of\r\nincidents. The Defending Democracy Taskforce and the National Security Act 2023 give government, Parliament,\r\nthe security services, and law enforcement agencies the tools they need to disrupt hostile activity. 
The NCSC has\r\nalso published guidance to help high-risk individuals, including parliamentarians, to bolster their resilience to\r\ncyber threats, as well as advice to help organisations improve their security.\r\nBackground\r\nSanctions\r\nThe individuals and entity being designated in the UK are:\r\nWuhan Xiaoruizhi Science and Technology Company Limited, which is associated with APT31, operating\r\non behalf of the Chinese Ministry of State Security (MSS) as part of China’s state-sponsored apparatus\r\nZhao Guangzong, who is a member of APT31, operating on behalf of the Chinese Ministry of State\r\nSecurity (MSS), and has engaged in cyber activities targeting officials, government entities, and\r\nparliamentarians in the UK and internationally\r\nNi Gaobin who is a member of APT31, operating on behalf of the Chinese Ministry of State Security\r\n(MSS), and has engaged in cyber activities targeting officials, government entities, and parliamentarians in\r\nthe UK and internationally\r\nElectoral Commission\r\nThe Electoral Commission oversees elections and regulates political finance in the UK. It is independent of UK\r\ngovernment and reports to the UK, Welsh and Scottish Parliaments. Between late 2021 and October 2022 the\r\nElectoral Commission’s systems were compromised by a China state-affiliated cyber actor.\r\nAs the Electoral Commission stated in 2023, the malicious cyber activity has not had an impact on electoral\r\nprocesses, has not affected the rights or access to the democratic process of any individual, nor has it affected\r\nelectoral registration. The Electoral Commission has taken steps to secure its systems against future activity. 
When\r\nthe compromise was discovered, the Commission worked with NCSC and security specialists to investigate the\r\nincident, and acted to secure its systems to reduce the risk of future attacks.\r\nTargeting of UK parliamentarians by APT31\r\nNCSC assesses it is highly likely that the China state-affiliated cyber actor APT31 conducted reconnaissance\r\nactivity against UK parliamentarians during a separate campaign in 2021. Parliamentary Cybersecurity Team\r\nidentified this reconnaissance and were able to confirm that no accounts had been compromised.\r\nAPT31 was one of a number of Chinese state-affiliated organisations the UK publicly linked to the Chinese\r\nMinistry of State Security in 2021 following the hacking of Microsoft Exchange Server globally. Similar\r\nstatements were issued by allies in condemning these actions.\r\nFurther information\r\nearlier this year, NCSC and partners issued a warning about state-sponsored cyber attackers hiding on\r\ncritical infrastructure networks, and released an advisory on China state-sponsored cyber actors\r\ncompromising and maintaining persistent access to US critical infrastructure\r\nin December 2023, the UK also condemned attempted Russian cyber interference in politics and\r\ndemocratic processes\r\nin May 2023, NCSC and partners issued a warning around China state-sponsored cyber activities targeting\r\nCritical National Infrastructure (CNI) networks\r\nan asset freeze prevents any UK citizen, or any business in the UK, from dealing with any funds or\r\neconomic resources which are owned, held or controlled by the designated person. It also prevents funds or\r\neconomic resources being provided to or for the benefit of the designated person. 
UK financial sanctions\r\napply to all persons within the territory and territorial sea of the UK and to all UK persons, wherever they\r\nare in the world\r\na travel ban means that the designated person must be refused leave to enter or to remain in the United\r\nKingdom, providing the individual is an excluded person under section 8B of the Immigration Act 1971\r\nThere were a total of 16 supportive statements, including Australia, European Union, New Zealand,\r\nSlovakia and United States.\r\nSource: https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity"
	],
	"report_names": [
		"uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c9a878d5845aec62d118101e77154901ec34c0c.pdf",
		"text": "https://archive.orkl.eu/9c9a878d5845aec62d118101e77154901ec34c0c.txt",
		"img": "https://archive.orkl.eu/9c9a878d5845aec62d118101e77154901ec34c0c.jpg"
	}
}