On Sunday, Reuters’ Colin Packham reported on an Australian intelligence report blaming China’s Ministry of State Security for cyberattacks on the country’s parliament and three biggest political parties ahead of a general election in May. This conclusion was reportedly kept quiet for fear of antagonizing the country’s largest trading partner:
The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report.
[…] Australian authorities felt there was a “very real prospect of damaging the economy” if it were to publicly accuse China over the attack, one of the people said.
[…] The timing of the attack, three months ahead of Australia’s election, and coming after the cyber-attack on the U.S. Democratic Party ahead of the 2016 U.S. election, had raised concerns of election interference, but there was no indication that information gathered by the hackers was used in any way, one of the sources said.
[…] On a visit to Sydney last month, U.S. Secretary of State Mike Pompeo delivered thinly veiled criticism of Australia’s approach after Foreign Minister Marise Payne said Canberra would make decisions toward China based on “our national interest”.
[…] “You can sell your soul for a pile of soybeans, or you can protect your people,” he told reporters at a joint appearance with Payne in Sydney. [Source]
But hacking into Parliament/parties mths before an election isn’t run-of-the-mill espionage. It can also be categorised as interference as it undermines trust in democratic institutions & info stolen has many future uses (see: https://t.co/9XEW0A1Aqa + https://t.co/SD4X5SRMfN)
— Danielle Cave (@DaniellesCave) September 16, 2019
The publicization of the intent for nonattribution in public here (avoiding adverse economic outcomes) is notable, I think. If there were a leaked memo that simply said “This is run-of-the-mill” and was reported, it’d be less damaging all around.
— Ankit Panda (@nktpnd) September 16, 2019
And everything should be funnelled through this lens. But policy outputs must keep 🇦🇺’s interests front & centre. The end result, no public attribution, is a good outcome for the CCP. But is it a good outcome for 🇦🇺? Is it in our interests to consistently treat China differently?
— Danielle Cave (@DaniellesCave) September 16, 2019
China’s economic clout also appeared to complicate the response to hacking revealed by a recent Google report on security vulnerabilities in rival Apple’s iPhones. According to Google’s “Project Zero” research arm, “a small collection of hacked websites […] were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day. There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.” The attackers were able “to steal private data like iMessages, photos and GPS location in real-time” from compromised devices. Project Zero’s Ian Beer warned that “this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”
Project Zero did not identify the targets, attackers, or websites involved, but TechCrunch’s Zack Whittaker later cited “sources familiar with the matter” who “said the websites were part of a state-backed attack — likely China — designed to target the Uyghur community.” Forbes’ Thomas Brewster independently confirmed this, adding that Google’s own Android and Microsoft’s Windows OSes had also been affected. A subsequent report from security firm Volexity provided broader details on “Large-Scale Surveillance and Exploitation of Uyghurs,” including intrusions into Gmail accounts, and examined possible ties between the Project Zero attacks and its own previous findings.
Apple’s eventual response to the Google report confirmed that the campaign had targeted Uyghurs, but did not mention China:
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs. [Source]
The company’s statement was widely criticized for focusing more on protecting the iPhone’s recently dented reputation for world-leading security than on reckoning with the impact of this particular breach, which took place amid an ongoing mass detention campaign against Uyghurs in Xinjiang. The company has faced long-running criticism for its timidity toward Chinese authorities.
The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like “A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users.” https://t.co/ACMhtpN53H
— Nicholas Weaver (@ncweaver) September 6, 2019
One of the consequences of this report is this conversation in the last few days about whether or not there has been a fundamental sea change and now Android is more secure than iOS. Both companies are hyperaware of the perceptions here and neither will take a change lightly.
— Patrick Howell O’Neill (@HowellONeill) September 6, 2019
There’s a lot of worthwhile debate to be had over Apple’s statement about this hacking campaign. One important thing it did do is confirm earlier reporting about Uighur targets. One thing it didn’t do is use the word China. https://t.co/GGDOwu88ZW pic.twitter.com/NrsrJwkPmv
— Patrick Howell O’Neill (@HowellONeill) September 6, 2019
Forget today’s post from Apple, I wonder who in Cupertino made the original decision that an unprecedented hacking campaign against a besieged ethnic minority by one of the world’s foremost powers didn’t warrant anything public?
— Patrick Howell O’Neill (@HowellONeill) September 6, 2019
Second, the word “China” is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world’s most valuable public company.
To be fair, Google’s post also didn’t mention China. Their employees likely leaked attribution on background. pic.twitter.com/IIs0Sa9XIm
— Alex Stamos (@alexstamos) September 6, 2019
Apple has also faced criticism over illegal labor practices ahead of its new iPhone launch this week.
Overseas Uyghurs were also the target of separate attacks reported by Reuters earlier this month on telecom networks in Turkey, Kazakhstan, India, Thailand, Malaysia, and other parts of Central and Southeast Asia “frequently used as transit routes by Uighurs to travel between Xinjiang and Turkey in what human rights activists say is an attempt to escape state persecution.”
Elsewhere, the Hong Kong-based online forum LIHKG, which has been a key organizing tool for ongoing protests, suffered a Great Cannon-style attack late last month. According to Global Voices’ Oiwan Lam, “what happened to LIHKG is not a single incident, a majority of independent media outlets and citizen forums in Hong Kong are subjected to state-level DDoS attacks from mainland China.”
Meanwhile, espionage charges have been filed against a senior intelligence official in the Royal Canadian Mounted Police, Canada’s not invariably mounted federal police force. Cameron Ortis allegedly stole “terabytes” of sensitive data in order to sell it to “a foreign entity” with “potentially devastating” effects on Canada’s national interests. China has not been publicly identified as Ortis’ customer, but his academic and work experience and reported Mandarin proficiency have fueled suspicion in that direction.