MOD targeted by supply chain attack

A cyberattack on the Ministry of Defence (MoD) by China has seen a massive data breach affecting 270,000 serving personnel, reservists and veterans.

Reports suggest the attack on the armed forces’ payroll system has been going on around three weeks, but was discovered last week after investigators started tracking “a pattern of unusual activity”.

The missing information includes identities and bank details as well as addresses and national insurance numbers. There is no evidence, at present, that the data had been exploited, but service personnel will be offered advice on monitoring their accounts.

“While payroll systems primarily manage the distribution of wages, they also hold an immense amount of personal employee information which, if compromised, could lead to significant financial losses through fraud or misdirected funds,” explained Melanie Pizzey, CEO and founder of the Global Payroll Association.

“It is a supply chain attack that we are seeing increasingly more across hardware, software and services,” said Pete Cooper MSc FRAeS, former deputy director of cyber security, Government Security Group at the Cabinet Office. In the post, Cooper led the Cyber team that developed and launched the UK Government Cyber Security Strategy as well as coordinating cross-government cyber incidents.

“Attackers will always go for the easiest pathway to achieve their aims, if that is through a supplier to the organisation that they are targeting, they can then pivot into what their ultimate objective is, be that data or onwardly compromising other organisations.

Bolstering cyber defences

Data released in January shows the MoD’s IT systems are the most vulnerable of any Whitehall department. The MoD has 11 ‘red rated’ systems, translating to the lowest possible security score. A red rating means that the system is “at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe.”

In 2023, Moody’s Analytics was awarded a contract by the MoD to assess risks throughout its supply chain.

Cooper said the most powerful thing compromised organisations can do to bolster their cyber resilience is have a discussion with board members, and with suppliers.

“Only by doing this can you start understanding the risk that you face as it’s possible to inherit risk from the organisations around you,” he said. “The Government Cyber Strategy uses the phrase ‘Defend as one’ to emphasise that this is all about how we collectively defend ourselves against this sort of incident. Bring your commercial partners into that conversation and thinking to build out some mutual support and resilience.”

He also said it was important to generate an organisational culture of engaging on cybersecurity and resilience to find the right approaches and policies for an organisation.

“Make it a topic of conversation and look for the advice that is out there. NCSC and a lot of diverse voices around the community do a great job in laying out really clear guidance as to what organisations of any size and scale could and should be doing when it comes to cybersecurity and resilience.”

Pete Cooper will speak at Think Digital Identity and Cybersecurity for Government on June 11. Book your place here.