Around 40 China hawks only found out they had been targeted by Beijing hackers after reading about it in a US press release, it has emerged.
Ministers have been accused of not being “fully honest” with MPs about the scale of the Chinese state-backed operation, after further information was disclosed by Washington.
On Monday, Oliver Dowden, the deputy prime minister, announced that as well as a major hack on the Electoral Commission, a group of MPs had been spied on by China.
Four MPs and one peer were called in for a briefing with Parliament’s head of security, where they were given additional information about Beijing’s attempts to target them.
But on Monday evening, the US Attorney’s Office issued a press release that detailed how the Chinese group called APT31 – which is subject to new sanctions by the US and UK – sent “malicious tracking-link emails” to government officials across the world who have been critical of Beijing.
Among the identified targets were email accounts of members of the Inter-Parliamentary Alliance on China (Ipac), a global group of parliamentarians with hawkish views on China, which is co-chaired by Iain Duncan Smith, the former Tory leader.
“The targets included every European Union member of Ipac, and 43 United Kingdom parliamentary accounts, most of whom were members of Ipac or had been outspoken on topics relating to the [Chinese] government,” according to the US Attorney’s Office.
Tim Loughton MP, a former minister and China hawk, said his fellow Ipac members were furious that they had only found out about this via a US press release rather than from the British Government.
“They weren’t fully honest with us. We only found out from America that 43 people were hacked,” Mr Loughton said.
“The head of security in Parliament owes them an explanation – did they even know? Why did the US seem to know and not them?”
Ipac is a network of legislators around the world but its secretariat is in London. Luke De Pulford, founder and executive director of Ipac, said that what the Government announced on Monday “only scratched the surface”.
He added: “We have a lot of MPs wondering why they weren’t told about it. We got a little heads up at the time about it from another European government but we didn’t know anything of this scale had taken place until yesterday when it came out in the US press release.
“No one warned us. The US thinks the whole thing was focused on us and our memberships. We are scratching our heads as to why the security services haven’t told us. They are meant to be protecting us.
“A bunch of MPs felt they were out of the woods yesterday but it turns out they were in fact targets of an attack. They want to know if they are at risk and they want to be reassured. We need more support, we need enhanced digital support for people at greater risk and much better cyber security.”
A government source stressed that the 43 “parliamentary accounts” mentioned by the US Attorney’s Office were not necessarily all MPs and included a number of parliamentary staff.
They added that the responsibility for notifying MPs about possible cyber breaches lay with the parliamentary security team, who are independent of the Government.
A second source, with knowledge of MP security arrangements, said these were “intentions rather than successful” attempts to hack people’s accounts.
It came after the US and UK exposed a global Chinese hacking plot that targeted White House staff and the state department as well as British MPs and the Electoral Commission.
The attack on the UK’s electoral watchdog was identified in October 2022, but the hackers had first been able to access the commission’s systems for more than a year since August 2021.
It exposed the personal data of 40 million voters as the commission held the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.