Chinese Hackers Likely Got MPs’ Personal Emails From Volunteer Tortured in China, Committee Told

Chinese Hackers Likely Got MPs’ Personal Emails From Volunteer Tortured in China, Committee Told
Luke de Pulford, executive director of the Inter-Parliamentary Alliance on China, speaks during an interview in Taipei, Taiwan, on July 27, 2024. AP Photo/Chiang Ying-ying
Andrew Chen
Updated:
0:00

A Hong Kong pro-democracy activist reportedly tortured in China may have been the source through which China-backed hackers accessed personal emails of Canadian parliamentarians, a global legislative coalition director told a House of Commons committee.

Luke de Pulford, executive director of the global coalition Inter-Parliamentary Alliance on China (IPAC), made the comment on Sept. 26 in response to a question from Conservative MP Garnett Genuis during his testimony before the Standing Committee on Procedure and House Affairs.

The committee is investigating a 2021 cyberattack by the Chinese hacker group Advanced Persistent Threat Group 31 (APT31) that targeted legislative members of IPAC, including 18 Canadian parliamentarians. Genuis, who serves as the Canadian chair at IPAC, asked about how the hackers obtained his personal email and the IPAC email distribution list.

“I do not know how they obtained that, but I do have one possible theory: unfortunately, someone who used to volunteer for us, a man named Andy Li, was arrested in China under the National Security Law and imprisoned in Hong Kong. He awaits sentencing for National Security Law crimes, some of which are associated with IPAC,” de Pulford said in response.

“We know that they [Chinese authorities] breached his system, and they may have got our distribution list from him,” he added. “Very disturbingly, when he was apprehended, he was taken to Shenzhen prison in China and reportedly tortured.”

Li, a computer programmer, played a key role in a crowdfunding campaign to rally support for the 2019 pro-democracy protests in Hong Kong. He gained international attention after being one of 12 Hongkongers who attempted to flee to Taiwan by speedboat in August 2020. The group was intercepted by Chinese authorities at sea and detained at Shenzhen city.
In March, Li appeared as a prosecution witness during the trial of Hong Kong media mogul Jimmy Lai, alleging that Lai financed advertising campaigns to support the 2019 pro-democracy protests in the city. However, the United Nations Special Rapporteur on Torture, Alice Jill Edwards, expressed deep concerns about Li’s testimony, arguing that it should not be admitted as evidence since it “may have been obtained as a result of torture or other unlawful treatment.”

Cyberattack

The APT31 targeted 120 legislators from 18 countries who are members of the IPAC, de Pulford told the committee. However, they became aware of the cyberattack only recently, following the unsealing of an indictment by the U.S. Department of Justice in March, which charged seven hackers associated with the group.

According to the indictment, the hackers sent “thousands of malicious tracking email messages” with embedded hyperlinks to their targets. Once the recipients opened the emails and clicked the links, the hackers could steal their information, such as the victims’ locations, IP addresses, network details, and specific devices used to access their email accounts. These emails were sent to more than 400 unique accounts associated with IPAC members, the indictment stated.

Genuis had previously told the House of Commons that, following the 2021 cyberattack, the FBI alerted IPAC about the attempt and notified allied governments. However, he said the bureau did not directly inform non-U.S. legislators due to “rules regarding sovereignty.” Genius and other affected Canadian MPs have criticized Canadian authorities for not informing targeted parliamentarians for nearly a year after receiving U.S. intelligence about the threat.
In an April 30 statement to The Epoch Times, Mathieu Gravel, spokesperson for the House of Commons Speaker’s Office, said the administration had “determined that the risk-mitigation measures in place had successfully prevented any attack,” adding, “There were no cybersecurity impacts to any Members or their communications.” Genuis disputed this claim, noting that his personal email was targeted.

During the Sept. 26 committee meeting, de Pulford expressed concerns about parliamentarians being kept uninformed about the cyberattack, noting that it would prevent them from protecting themselves and sensitive information, such as “high-risk transnational repression cases” that many of them handle.

“Telling parliamentarians that this attack was not successful or not serious is questionable at best and misleading at worst,” he said.