A Hong Kong pro-democracy activist reportedly tortured in China may have been the source through which China-backed hackers accessed personal emails of Canadian parliamentarians, a global legislative coalition director told a House of Commons committee.
The committee is investigating a 2021 cyberattack by the Chinese hacker group Advanced Persistent Threat Group 31 (APT31) that targeted legislative members of IPAC, including 18 Canadian parliamentarians. Genuis, who serves as the Canadian chair at IPAC, asked about how the hackers obtained his personal email and the IPAC email distribution list.
“I do not know how they obtained that, but I do have one possible theory: unfortunately, someone who used to volunteer for us, a man named Andy Li, was arrested in China under the National Security Law and imprisoned in Hong Kong. He awaits sentencing for National Security Law crimes, some of which are associated with IPAC,” de Pulford said in response.
“We know that they [Chinese authorities] breached his system, and they may have got our distribution list from him,” he added. “Very disturbingly, when he was apprehended, he was taken to Shenzhen prison in China and reportedly tortured.”
In March, Li appeared as a prosecution witness during the trial of Hong Kong media mogul Jimmy Lai, alleging that Lai financed advertising campaigns to support the 2019 pro-democracy protests in the city. However, the United Nations Special Rapporteur on Torture, Alice Jill Edwards, expressed deep concerns about Li’s testimony, arguing that it should not be admitted as evidence since it “may have been obtained as a result of torture or other unlawful treatment.”
Cyberattack
The APT31 targeted 120 legislators from 18 countries who are members of the IPAC, de Pulford told the committee. However, they became aware of the cyberattack only recently, following the unsealing of an indictment by the U.S. Department of Justice in March, which charged seven hackers associated with the group.
According to the indictment, the hackers sent “thousands of malicious tracking email messages” with embedded hyperlinks to their targets. Once the recipients opened the emails and clicked the links, the hackers could steal their information, such as the victims’ locations, IP addresses, network details, and specific devices used to access their email accounts. These emails were sent to more than 400 unique accounts associated with IPAC members, the indictment stated.
During the Sept. 26 committee meeting, de Pulford expressed concerns about parliamentarians being kept uninformed about the cyberattack, noting that it would prevent them from protecting themselves and sensitive information, such as “high-risk transnational repression cases” that many of them handle.
“Telling parliamentarians that this attack was not successful or not serious is questionable at best and misleading at worst,” he said.