The Czech Republic on Wednesday formally accused a threat actor associated with the People’s Republic of China (PRC) of targeting its Ministry of Foreign Affairs.
In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not known.
“The malicious activity […] lasted from 2022 and affected an institution designated as Czech critical infrastructure,” it added.
The attack has been attributed to a state-sponsored threat actor tracked as APT31, which also overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium).
The hacking group, publicly associated with the Ministry of State Security (MSS) and the Hubei State Security Department, is assessed to be active since at least 2010, per the U.S. Department of Justice (DoJ).
Bronze Vinewood is known to employ a variety of tools and techniques to gain access to target environments, while also relying on public code or file-sharing websites for its command and control (C2) domains to complicate network-based detection and intersperse C2 traffic amid legitimate web browsing activity.
According to Sophos-owned Secureworks, the adversarial crew has a particular focus on organizations operating in government or defense supply chains, or providing services to those organizations.
In March 2024, the DoJ indicted seven hackers associated with APT31, accusing them of engaging in sweeping cyber espionage attacks aimed at U.S. and foreign critics, journalists, businesses, and political officials to advance MSS’s foreign intelligence and economic espionage objectives.
Around the same time, the Police of Finland called out the threat actor for orchestrating a cyber attack targeting the country’s Parliament in 2020.
As recently as this month, ESET revealed in its latest APT Activity Report that APT31 targeted a Central European government entity in December 2024 to deploy an espionage backdoor referred to as NanoSlate. While Czechia is a Central European nation, it’s currently not clear if these attacks are related.
When reached for comment, the Slovak cybersecurity company told The Hacker News that it “cannot confirm or deny this report.”
Strongly condemning the malicious cyber campaign, the Government of the Czech Republic said “such behavior undermines the credibility of the People’s Republic of China and contradicts its public declarations.”
The government further said the activities are in violation of responsible State behavior in cyberspace as endorsed by members of the United Nations. It called on China to adhere to these norms and refrain from staging such attacks in the future.
