UK think tanks hacked by groups in China, cyber-security firm says

Some UK think tanks were hacked by China-based groups last year, a US cyber-security company which said it investigated the breaches has claimed.

Crowdstrike said it saw the repeated targeting of think tanks specialising in international security and defence issues, beginning in April 2017.

The group also investigated a breach of the US Democratic National Committee, allegedly by Russian hackers, in 2016.

The BBC understands that not all of the UK think tanks targeted were breached.

A number of think tanks contacted by the BBC declined to comment - although Crowdstrike said it was called in by some to respond to hack attacks.

It attributes the attacks to groups they call "Panda", which Crowdstrike said are based in China and linked to the Chinese state.

Crowdstrike said Chinese cyber activity increased in 2017 across the world after a relative lull, most likely when cyber actors focused more on domestic issues.

Previously, the California-based group was asked by the Democratic National Committee to investigate US election hacking in the spring of 2016.

Globally, law firms, universities and technology companies were targeted in the early summer of 2017 - while in the UK think tanks were hit.

Dmitri Alperovitch, Crowdstrike's co-founder and chief technology officer, told the BBC that a number of think tanks that work on Chinese policy were targeted "very aggressively".

He said those behind the attacks were trying to steal reports - but also any information about connections to government.

"They do believe the think tanks are very influential both in the US and UK," he said.

"They believe that they may have access to information which is not public.

"In some cases [that] can be true, because you do have a lot of informal channels that these think tank people will have with government officials."

The company's global threat report for 2018 also stated that cyber attackers "stole data after targeting executives and research fellows".

According to a copy of the report provided to the BBC, the victims included "researchers specializing in nuclear policy and the South China Sea, as well as event coordinators responsible for planning an annual security forum."

The UK's focus on increasing trade with China could also be a motivation, Mr Alperovitch said.

"The UK government is trying to forge closer ties with China in terms of trade," he said.

"That's always of interest to the Chinese government, particularly when the US government is taking a hard line."

He added: "They have been very successful at compromising these organisations."

Mr Alperovitch said Crowdstrike would be brought in after an attack to help investigate, "clean up" and protect the organisations going forward.

The company said that even after the Chinese hackers were kicked out, they would try to get back in.

In its report, Crowdstrike said in October 2017 its team noticed a change in tactics - when a Chinese group installed a particular piece of malware on the network of one of the think tanks targeted.

One day later, the same behaviour was observed at a second think tank.

The infrastructure used in the attack was also similar to that used to target a southeast Asian telecommunications company around the same time, Crowdstrike said.

The company described the attempts to target victims in different countries and industries, as well as re-using different tools, as "pervasive and brash".