Czech Republic Attributes 2022 Cyberattack to APT31 Hackers Associated with China


The Czech Republic has formally accused a threat actor linked to the People’s Republic of China (PRC) of executing cyber attacks against its Ministry of Foreign Affairs. In an official statement, the government revealed that a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs was traced back to China. The full scale of the breach remains undetermined at this time.

The malicious activity, which began in 2022, targeted an institution designated as part of the Czech Republic's critical infrastructure.

The attack has been attributed to a state-sponsored threat group known as APT31, which is also tracked under the aliases Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium). According to the U.S. Department of Justice (DoJ), the group is linked to the Ministry of State Security (MSS) and its Hubei State Security Department, and has been active since at least 2010.

Bronze Vinewood uses a range of tools and techniques to gain access to target networks, and relies on publicly accessible code-hosting and file-sharing platforms for command-and-control (C2). Routing C2 through legitimate services blends the traffic in with ordinary web browsing, which makes it harder to detect at the network perimeter.
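The dead-drop C2 pattern described above is usually hunted for by looking for hosts that poll an otherwise benign service at suspiciously regular intervals. The following Python is an added example, not code from the article, from Secureworks, or from any vendor named on this page: it runs a beacon-interval heuristic (mean gap and coefficient of variation per source/destination pair) over a constructed proxy log. The list of dead-drop domains, the log lines, the IP addresses and the GitHub-style path are all assumptions made for the example, not indicators from the Czech incident.

```python
"""
Beacon-interval heuristic for C2 that hides behind legitimate code-hosting or
file-sharing services, run over a constructed web-proxy log.
Added example; not the article's or any vendor's code.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed list of legitimate services often abused as C2 "dead drops".
# Illustrative only: the article names no specific platform.
DEAD_DROP_DOMAINS = {
    "raw.githubusercontent.com",
    "api.github.com",
    "content.dropboxapi.com",
    "pastebin.com",
}

# Constructed proxy log (not real traffic). Fields:
#   timestamp src_ip dst_host method path status bytes
# 10.0.0.5 polls a hypothetical GitHub raw path every ~5 min (implant-like),
# 10.0.0.7 browses example.com at irregular human-like gaps,
# 10.0.0.9 fetches the same GitHub path only three times (too few to judge).
SAMPLE_LOG = """
2022-06-01T08:00:00 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:00:00 10.0.0.7 www.example.com GET / 200 4096
2022-06-01T08:00:07 10.0.0.7 www.example.com GET /news 200 8192
2022-06-01T08:00:09 10.0.0.7 www.example.com GET /news/item-1 200 10240
2022-06-01T08:00:00 10.0.0.9 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:03:40 10.0.0.7 www.example.com GET /about 200 2048
2022-06-01T08:05:00 10.0.0.9 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:05:02 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:09:58 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:10:00 10.0.0.9 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:10:02 10.0.0.7 www.example.com GET /contact 200 3072
2022-06-01T08:10:05 10.0.0.7 www.example.com GET /contact/form 200 3072
2022-06-01T08:15:01 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:20:00 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:24:59 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:30:03 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
2022-06-01T08:31:00 10.0.0.7 www.example.com GET /news 200 8192
2022-06-01T08:35:00 10.0.0.5 raw.githubusercontent.com GET /acme-dev/assets/main/cfg.txt 200 512
"""

REF = datetime(1970, 1, 1)  # reference point for converting timestamps to seconds


def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, method, path, status, size = parts
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "path": path, "status": int(status), "bytes": int(size)}


def interval_stats(seconds):
    """Mean gap and coefficient of variation (stdev/mean) of sorted request times.
    Returns None when there are fewer than two gaps or the mean gap is zero."""
    ts = sorted(seconds)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = float(mean(gaps))
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(lines, min_requests=6, max_cv=0.15):
    """Flag (src, dst) pairs with enough requests and near-constant spacing.
    A low coefficient of variation means the gaps barely vary: the signature
    of a timer-driven implant rather than a person clicking around."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append((rec["ts"] - REF).total_seconds())
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "requests": len(times),
                             "mean_interval_s": avg, "cv": cv,
                             "dead_drop_service": dst in DEAD_DROP_DOMAINS})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f)
```

The thresholds are assumptions to tune per environment: implants usually add jitter, so `max_cv` has to be loose enough to catch a few percent of randomness, while legitimate software updaters and monitoring agents also poll on fixed timers and will score just as low. A hit is therefore a lead for triage (which process owns the socket, what the fetched content looks like, whether the destination repository or share is owned by the organisation), not a verdict on its own.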

Research from Secureworks, now a subsidiary of Sophos, indicates that the group has a particular interest in organizations in government or defense supply chains, as well as those that provide services to these sectors.

In March 2024, the U.S. Department of Justice indicted seven individuals associated with APT31 for their involvement in extensive cyber espionage campaigns against U.S. and foreign critics, journalists, businesses, and political officials. These operations were aimed at furthering the foreign intelligence and economic espionage objectives of the MSS.

Around the same time, the Finnish Police identified the same threat actor as responsible for a 2020 cyber attack on the country's Parliament.

More recently, ESET disclosed in its APT Activity Report that APT31 targeted a Central European government entity in December 2024 and deployed a backdoor known as NanoSlate for espionage purposes. Although the Czech Republic is a Central European country, it is not known whether that intrusion and the one disclosed by the Czech government are the same.

When asked, ESET, the Slovak cybersecurity firm behind that report, said it could neither confirm nor deny that the two incidents are related.

In response, the Government of the Czech Republic condemned the malicious cyber campaign, stating that it undermines the credibility of the People's Republic of China and contradicts its public declarations. The government added that such activity violates the norms of responsible state behaviour in cyberspace endorsed by all United Nations member states, and called on China to adhere to these norms and to refrain from such attacks in the future.