Finnish Parliament espionage hack

In late December 2020, the Parliament of Finland (Eduskunta) disclosed that its internal information systems had been breached in a sophisticated intrusion. The Finnish Security and Intelligence Service later attributed the operation to APT31, a cyber-espionage group linked to the Chinese state — making it one of the most significant attributed acts of foreign espionage against a Nordic legislature.

What happened

The intrusion took place during the autumn and winter of 2020. Attackers gained access to the Parliament's internal IT environment and compromised a number of parliamentary email accounts, including accounts belonging to members of parliament. The breach was characterised by Finnish authorities not as a destructive or financially motivated attack, but as a deliberate intelligence-collection operation designed to harvest sensitive political communications.

The Finnish National Bureau of Investigation (NBI) opened a criminal investigation in late 2020, classifying the suspected offences as aggravated espionage, aggravated computer break-in, and aggravated message interception — among the most serious categories in Finnish criminal law.

Attribution

On 18 March 2021, the Finnish Security and Intelligence Service (Supo) publicly attributed the operation to APT31, a group widely assessed to operate on behalf of the Chinese government. APT31 (also tracked as Zirconium) is known for targeting governments, parliaments, and political figures across Europe and North America to obtain information of political, economic, and military value.

The attribution was notable for its directness: Supo named the specific threat group publicly, a step Western intelligence services have historically been cautious about. Finland's decision reflected growing European willingness to call out state-sponsored cyber operations by name.

Impact

Multiple email accounts of MPs and parliamentary staff were compromised, exposing internal political communications to a foreign intelligence service.
No financial ransom or destructive payload was involved; the damage was the confidentiality compromise of legislative communications.
The incident triggered a hardening of the Parliament's IT security and broader Finnish government cyber-defence posture.

Why it matters

The Eduskunta breach is a textbook case of strategic cyber-espionage against a democratic institution. It demonstrated that national legislatures — not just defence and foreign ministries — are priority targets for state actors seeking insight into a country's political decision-making. Finland's clear, public attribution to APT31 also set a precedent within the EU for naming Chinese state-linked actors, contributing to the bloc's evolving framework for collective attribution and diplomatic response to cyber-espionage.

Timeline

August 1, 2020

APT31 actors begin probing and compromising the Parliament's internal IT infrastructure.

December 28, 2020

The Parliament publicly announces that its information systems were the target of a cyberattack and that several email accounts, including MPs', were compromised.

March 18, 2021

Finland's Security and Intelligence Service (Supo) attributes the operation to the China-nexus group APT31.

March 18, 2021

The National Bureau of Investigation announces a criminal probe into aggravated espionage, aggravated computer break-in, and aggravated message interception.

March 26, 2024

Finnish authorities confirm the conclusion of the investigation, reaffirming APT31 attribution and the espionage motive.

Sources

supo.fihttps://supo.fi/en/-/supo-identified-the-cyber-espionage-operation-against-the-parliament-as-apt31

poliisi.fihttps://poliisi.fi/en/-/police-investigate-involvement-of-apt31-group-in-the-hacking-of-parliament-s-information-systems

therecord.mediahttps://therecord.media/finland-pins-parliament-hack-on-chinese-hacking-group-apt31

thehackernews.comhttps://thehackernews.com/2024/03/finland-blames-chinese-hacking-group.html

Related incidents

EspionageContainedMarch 16, 2026

LA Metro (LACMTA) Iran-linked breach (2026)

Iran-linked hackers breached Los Angeles' transit agency LA Metro in March 2026, stealing at least 700 GB of internal data and disrupting passenger-information and TAP fare systems.

Victim: Los Angeles County Metropolitan Transportation Authority

EspionageResolvedMay 28, 2025

Czech Ministry of Foreign Affairs APT31 cyber-espionage

The Czech government publicly attributed a years-long cyber-espionage campaign against an unclassified network of its Ministry of Foreign Affairs to APT31, a group linked to China's Ministry of State Security. The intrusion, active since at least 2022, targeted designated critical national infrastructure.

Victim: Czech Ministry of Foreign Affairs

EspionageContainedOctober 4, 2024

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim: U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)

EspionageContainedMay 15, 2023

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim: Microsoft customers (US State Department, Department of Commerce, ~25 organisations)