Espionage · Resolved

Czech Ministry of Foreign Affairs APT31 cyber-espionage

The Czech government publicly attributed a years-long cyber-espionage campaign against an unclassified network of its Ministry of Foreign Affairs to APT31, a group linked to China's Ministry of State Security. The intrusion, active since at least 2022, targeted designated critical national infrastructure.

Victim
Czech Ministry of Foreign Affairs

On 28 May 2025, the Czech government publicly attributed a sustained cyber-espionage campaign against its Ministry of Foreign Affairs to APT31, a state-backed threat actor associated with China's Ministry of State Security. The attribution — backed by the EU and NATO — marked one of the most significant Czech public callouts of Chinese state hacking to date.

What happened

According to the Czech National Cyber and Information Security Agency (NÚKIB) and a joint government statement, the malicious activity began no later than 2022 and targeted one of the unclassified networks of the Ministry of Foreign Affairs — an institution designated as Czech critical infrastructure. APT31 (also tracked as Zirconium and Judgment Panda) has a long record of targeting government and political entities across EU and NATO states for intelligence collection.

The intrusion was uncovered and assessed through an extensive joint investigation conducted by the Czech Security Information Service (BIS), Military Intelligence, the Office for Foreign Relations and Information, and NÚKIB, which concluded with a high degree of certainty that APT31 was responsible.

Impact

  • The compromise affected an unclassified network of the Ministry of Foreign Affairs, meaning the most sensitive classified systems were reportedly not breached.
  • As an espionage operation, the campaign aimed at intelligence collection rather than disruption — there was no ransom, no data dump, and no operational outage.
  • The targeting of a foreign ministry's diplomatic communications carried significant national-security and counter-intelligence implications.

International response

The attribution drew immediate diplomatic backing. EU member states and NATO allies expressed solidarity with the Czech Republic and unanimously called on China to behave responsibly and adhere to the UN norms of responsible state behaviour in cyberspace to which it had voluntarily committed. The EU's senior diplomatic leadership condemned the campaign as a clear and unacceptable violation of international norms. The Czech Republic summoned China's ambassador in protest.

Why it matters

The case exemplifies the trend of public attribution as a strategic tool: rather than responding covertly, the Czech Republic chose to name APT31 openly, marshalling allied support to impose diplomatic and reputational costs on a state sponsor. It reinforced that diplomatic ministries are persistent espionage targets, that even unclassified networks hold intelligence value, and that coordinated EU/NATO attribution has become a core instrument of Western cyber statecraft.

Timeline

  1. Malicious cyber activity against an unclassified network of the Czech Ministry of Foreign Affairs begins, later attributed to APT31.

  2. A joint investigation by Czech intelligence services and NÚKIB works to identify the actor and secure the compromised network.

  3. The Czech government publicly attributes the campaign to APT31, associated with China's Ministry of State Security.

  4. EU member states and NATO allies issue statements of solidarity, calling on China to adhere to UN norms of responsible state behaviour.

  5. The Czech Republic summons the Chinese ambassador in protest over the attack.

Sources

  1. nukib.gov.cz: https://nukib.gov.cz/en/infoservis-en/news/2263-the-czech-government-has-publicly-attributed-cyberattacks-to-china-actor-apt31-linked-to-the-chinese-ministry-of-state-security-has-targeted-the-infrastructure-of-the-czech-ministry-of-foreign-affairs/
  2. mzv.gov.cz: https://mzv.gov.cz/jnp/en/issues_and_press/press_releases/statement_by_the_government_of_the_czech.html
  3. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/czechia-blames-china-for-ministry-of-foreign-affairs-cyberattack/
  4. securityaffairs.com: https://securityaffairs.com/178399/apt/czech-republic-accuses-chinas-apt31-of-a-cyberattack-on-its-foreign-ministrys-unclassified-network.html

Related incidents

Espionage · Contained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim
U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)

Espionage · Contained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim
Microsoft customers (US State Department, Department of Commerce, ~25 organisations)