Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

Pierluigi Paganini
May 28, 2025

The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on its critical infrastructure.

The Czech government condemned China after APT31 compromised an unclassified network of the Ministry of Foreign Affairs in a campaign that began in 2022. A joint investigation by Czech intelligence and cybersecurity agencies attributed the activity to China with a high degree of certainty. Officials said the campaign threatens national security and contradicts China’s public statements.

“Following the national attribution process, the Government of the Czech Republic has identified the People’s Republic of China as being responsible for malicious cyber campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs,” reads the statement issued by the Czech government. “The malicious activity, which lasted from 2022 and affected an institution designated as Czech critical infrastructure, was perpetrated by the cyberespionage actor APT31 that is publicly associated with the Ministry of State Security.”

“The Government of the Czech Republic strongly condemns this malicious cyber campaign against its critical infrastructure. Such behavior undermines the credibility of the People’s Republic of China and contradicts its public declarations. These activities are contrary to the norms of responsible State behaviour in cyberspace as endorsed by all UN Members,” continues the statement. “We call on the People’s Republic of China to adhere to these norms and principles, to refrain from such attacks and to take all appropriate measures to address this situation.”

The EU, its Member States, and NATO Allies expressed strong support and solidarity with Czechia following the cyberattack.

The statement did not include any technical details on the intrusion or on what was stolen, but public reports say the affected systems have since been rebuilt and isolated.

The European Union issued a separate statement condemning the APT31 activity and warned that Chinese hackers have ramped up attacks against member states.

“We strongly condemn malicious cyber activities,” the EU said. “We call upon all states, including China, to refrain from such behaviour, to respect international law and to adhere to the UN norms and principles, including those related to critical infrastructure.”

The EU also noted that states should not allow their territory to be used for malicious cyber activities.

APT31, also known as Zirconium or Judgment Panda, has been operational for more than a decade, stealing diplomatic cables, industrial designs, and political strategy documents from Europe, North America, and Asia. 

Last year the United States and United Kingdom unsealed criminal charges and sanctions against members of the group for what prosecutors described as a broad effort to “facilitate the MSS’s political and economic intelligence objectives.”

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on two hackers linked to APT31 and on Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), a China-based technology company that served as a front for multiple malicious cyber operations.

The Czech government’s announcement received backing from both the EU and NATO. EU foreign affairs chief Kaja Kallas directly called out China, noting that several EU member states have also linked similar cyber activities to Beijing.

“We strongly condemn malicious cyber activities, which are contrary to the United Nations framework of responsible state behaviour in cyberspace, and which all UN Member States have endorsed. We call upon all states, including China, to refrain from such behaviour, to respect international law and to adhere to the UN norms and principles, including those related to critical infrastructure. In this context, we reiterate that states should not allow their territory to be used for malicious cyber activities,” reads the press release published by the Council of the EU. “The European Union reaffirms its strong commitment to prevent, deter and respond to malicious behaviour in cyberspace and stands ready to take further action when necessary.”

NATO’s North Atlantic Council stood firmly with Czechia, condemning cyberattacks that threaten national security, democracy, and infrastructure. The council also raised serious concerns about the growing trend of malicious cyber activity coming from China.

“We strongly condemn malicious cyber activities intended to undermine our national security, democratic institutions and critical infrastructure.” reads the North Atlantic Council’s statement. “The malicious cyber activity targeting the Czech Republic underscores that cyberspace is contested at all times. We observe with increasing concern the growing pattern of malicious cyber activities stemming from the People’s Republic of China.”

China denied the allegations in a statement issued by its embassy in the Czech Republic.

The China-linked cyberespionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) has been involved in multiple cyber espionage operations. It made headlines in 2021 after the Check Point Research team discovered that the group had used a tool dubbed Jian, a clone of the NSA Equation Group’s “EpMe” exploit, years before EpMe was leaked online by the Shadow Brokers.

In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the China-linked APT31 cyberespionage group. The state-sponsored hackers were hijacking home routers to build a proxy mesh of compromised devices that concealed their attack infrastructure.

In previous campaigns the group targeted entities in the EU, the United States and Canada. In August 2021, APT31 employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.
