Abdullam Imerov and Samuel Cogolati
Belgian MP Samuel Cogolati, right, had written a resolution to warn of ‘crimes against humanity’ against Uyghur Muslims in China © Thierry Monasse/Getty Images

Belgium’s cyber security agency has linked China-sponsored hackers to an attack on a prominent politician, as European governments become increasingly willing to challenge Beijing over alleged cyber offences.

Samuel Cogolati, a Belgian MP, was named by authorities last month as being the subject of a cyber attack around January 2021 when he wrote a resolution to warn of “crimes against humanity” against Uyghur Muslims in China.

In a letter seen by the Financial Times, the Centre for Cyber Security Belgium (CCB) wrote that it had been informed that a specific Chinese state actor called “APT31” was most probably behind the so-called spear phishing attack.

The cyber authority’s willingness to name a Chinese state actor, and to link them to a specific attack, comes as European cyber agencies lose their former reticence to call out China over suspected incidents.

Belgium’s foreign ministry last year took the unusual step of asking China’s government to rein in its malicious cyber activity. The EU also warned of Chinese attacks in 2021.

Christopher Ahlberg, co-founder of cyber intelligence firm Recorded Future, said such malicious activity by China-linked groups had “shifted towards Europe” in recent years.

But countries often declined to attribute attacks openly to China, Ahlberg added, fearing upsetting relations with a major economic power.

“For a small country like Belgium, it’s pretty gutsy. It was pretty much non-existent for European countries to attribute attacks to China four to five years ago. The consistent complaints have become harder for China to ignore,” Ahlberg added.

While Cogolati was drafting the Uyghur resolution, he received an email from a fake news organisation claiming to have information on human rights abuses in China. Cogolati only realised the significance of the message after it was flagged by Belgium’s cyber security agency.

“We have reasons to believe that this series of emails came from APT31, a threat actor associated with China and who has shown interest in people who have criticised the actions of the Chinese Communist party,” wrote the CCB.

The CCB later told the FT that a source had linked APT31 to the activity but that its involvement “could not be confirmed by CCB” with complete certainty.

Cogolati, who confirmed the alert from the CCB, said his main aim now was to “shed full light on the extent of China’s cyber attacks against my country”.

The email attack Cogolati received was in the form of a spear phishing campaign, in which an attacker designs an email to target a specific group of victims.

APT31’s signature move is to add a “tracking pixel”, often used in marketing, into an image attached to an email, which sends back general data about the victim’s IT set-up. The attackers will then follow up with further emails with malicious links or attachments personalised for the victim’s system.
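
A defender-side check for the tracking-pixel technique described above, as an added example that is not from the article or the CCB: it lists the remote images in a message's HTML part and flags those that look like beacons. The sample message, the `.example` domains and the two heuristics (tiny or hidden image, long opaque query token) are constructed assumptions, not indicators from the APT31 activity.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message; the .example domains are placeholders.
SAMPLE_EML = """\
From: editor@news-outlet.example
To: mp@parliament.example
Subject: Report
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see our report.</p>
<img src="https://news-outlet.example/logo.png" width="180" height="40">
<img src="https://cdn.news-outlet.example/o.gif?rid=9f3c2a7b51d04e6c" width="1" height="1">
<img src="cid:banner01" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: v or "" for k, v in attrs})

def tiny_or_hidden(a):
    style = a.get("style", "").replace(" ", "").lower()
    return (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def per_recipient_token(a):  # long opaque query value can tie a fetch to one mailbox
    qs = parse_qs(urlparse(a.get("src", "")).query)
    return any(len(v) >= 12 and v.isalnum() for vs in qs.values() for v in vs)

def find_beacons(raw_eml):
    findings = []
    for part in message_from_string(raw_eml, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for a in collector.images:
            if urlparse(a.get("src", "")).scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded, so no network fetch
            reasons = [f.__name__ for f in (tiny_or_hidden, per_recipient_token) if f(a)]
            if reasons:
                findings.append((a["src"], reasons))
    return findings
```

Mail clients or gateways that block or proxy remote images prevent the fetch these heuristics look for.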

A Belgian parliamentary hearing in May 2021 with Uyghur victims had to be postponed after parliament was shut down by a mass cyber attack.

“We do not encourage, support or connive at cyber attacks. We reject the Belgian side’s irresponsible assertion,” said a Chinese foreign ministry spokesperson in response to Belgium’s 2022 allegations.

Responding to a request for comment on the latest Belgian claims, China’s embassy in Belgium said: “We reject the Belgian side’s irresponsible assertion that ‘Chinese hacker groups’ carried out the ‘malicious cyber activities’.”

Copyright The Financial Times Limited 2024. All rights reserved.