
The Czech government formally attributed a significant cyberattack on its Ministry of Foreign Affairs to the Chinese state-sponsored hacking group APT31, an advanced persistent threat commonly associated with the Chinese Ministry of State Security.
The malicious cyber campaign was active from 2022, focusing on breaching an unclassified network at the Czech Ministry of Foreign Affairs.
This incident, which targeted unclassified networks within the ministry and impacted the nation’s critical infrastructure, underscores persistent concerns regarding state-based cyberespionage activity in Europe.
APT31, which also overlaps with threat clusters known as Violet Typhoon (formerly Zirconium), Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, and Red Keres, is recognized for sophisticated espionage operations against political institutions, government entities, and organizations holding sensitive geopolitical data.
Numerous Western intelligence agencies have previously linked the APT31 group to intrusions targeting critical infrastructure and diplomatic communications.
The May 28, 2025, Czech attribution was the result of an extensive, multi-agency investigation conducted by the Security Information Service, Military Intelligence, the Office for Foreign Relations and Information, and the National Cyber and Information Security Agency (NÚKIB).
The Czech government unequivocally condemned the attack, stating that such activities fundamentally undermine the credibility of the People’s Republic of China and contradict public declarations about responsible state conduct in cyberspace.
The government’s statement emphasized that state-sponsored attacks on critical infrastructure run counter to the norms of responsible behavior endorsed by UN member states.
The incident has drawn public support from the European Union (EU), individual EU member countries, and NATO allies, reflecting a broader solidarity response in the face of state-driven cyber threats targeting allied infrastructure.
The U.S. Treasury sanctioned seven APT31-linked hackers for targeting critical infrastructure in America.