National Cyber and Information Security Agency

The Czech Government Has Publicly Attributed Cyberattacks to China: Actor APT31 Linked to the Chinese Ministry of State Security Has Targeted the Infrastructure of the Czech Ministry of Foreign Affairs

On 28 May 2025, the Government of the Czech Republic announced a national attribution of a malicious cyber campaign conducted by actor APT31, which is associated with the Chinese Ministry of State Security. Since at least 2022, this group has been attacking one of the unclassified networks of the Czech Ministry of Foreign Affairs.

‘As this institution is considered to be critical national infrastructure, NÚKIB together with all three Czech intelligence services conducted a comprehensive and thorough investigation. Its goal was to both identify the origin of the attack and, in cooperation with the Czech Ministry of Foreign Affairs, secure their compromised network and prevent similar incidents in the future,’ stated Lukáš Kintr, Director of the National Cyber and Information Security Agency (NÚKIB).

The conclusions of the analysis conducted by NÚKIB, Military Intelligence, the Office for Foreign Relations and Information, and the Security Information Service clearly indicate that the People’s Republic of China is behind this long-term malicious campaign, most likely through the actor APT31 (also known as Zirconium or Judgment Panda), which has been linked to numerous attacks against foreign political and other targets, among others, in EU and NATO countries.

The Czech Republic has also been cooperating with international partners in this area for a long time. Following intensive consultations, EU Member States and NATO Allies expressed solidarity with the Czech Republic in response to the revealed malicious campaign. Both organizations also unanimously called on the People’s Republic of China to behave responsibly and to adhere to the UN norms it had voluntarily committed to.

‘Cyber threats know no borders, and that is why international cooperation is such a key element of our response. It is an essential foundation of cybersecurity and of any effective defense against increasingly sophisticated cyberattacks. The serious, malicious activity we faced in this case reflects a repeated pattern of behavior by the Chinese group APT31, which had previously targeted our Allies. That is why we shared relevant information about the incident with our partners in the EU and NATO, but also with key partners in the Indo-Pacific, particularly through our network of cyber attachés. We deeply appreciate the cooperation and support we received from them,’ added the Director of NÚKIB.

Statement by the Government of the Czech Republic

Joint Statement by the EU

Joint Statement by NATO

2025-05-28

The National Cyber and Information Security Agency of the Czech Republic Co-Seals Publications on SIEM and SOAR Platforms with the Australian Signals Directorate and International Partners

The initiative includes collaboration with international partners such as the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI), the Canadian Centre for Cyber Security (CCCS), the National Cyber Security Centre of New Zealand (NCSC-NZ), the United Kingdom’s National Cyber Security Centre (NCSC-UK), Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Japan Computer Emergency Response Team (JPCERT), the Republic of Korea’s National Intelligence Services (NIS), and Cyber Security Agency of Singapore (CSA).

The publication series consists of 3 publications:

Implementing SIEM and SOAR platforms – Executive guidance defines SIEM and SOAR platforms, explains their value and also their challenges, and provides high-level recommendations for implementing them. It is targeted at executives, but can be used by any organization that is considering whether and how to implement a SIEM and/or SOAR. Implementing SIEM and SOAR platforms – Practitioner guidance provides high-level guidance for cyber security practitioners and describes how a SIEM/SOAR can enhance visibility, detection and response, as well as principles for procurement, establishment, and maintenance of those platforms. Priority logs for SIEM ingestion: Practitioner guidance provides practitioners with detailed logging guidance for specific categories of log sources, such as from Endpoint Detection and Response tools, Windows/Linux operating systems, network devices, and Cloud deployments

“I am pleased that NÚKIB was able to contribute to the second co-sealed series of documents led by the ASD, particularly its focus on SIEM and SOAR platforms, technologies that are increasingly being adopted across the Czech Republic. The recommended principles reflect the long-standing security standards that NÚKIB has consistently promoted. It is essential for organisations to commit not only to initial investments in security technologies but also to continuous support for the people and processes that operate them. A SIEM or SOAR solution that is not ingesting relevant data, and is not actively monitored and tuned, is unlikely to detect or respond to threats effectively, “said Lukáš Kintr, Director of NÚKIB.

These publications demonstrate the collective effort of global partners to strengthen cybersecurity and protect critical infrastructure from evolving cyber threats. Read the publications here.

2025-05-27

NÚKIB and Czech intelligence services, together with the NSA and FBI, warn of a Russian cyber campaign targeting entities supporting Ukraine

The National Cyber and Information Security Agency (NÚKIB), together with the Security Information Service and Military Intelligence of the Czech Republic, has joined partners from the United States, the United Kingdom, Germany, Poland, Australia, Canada, Denmark, Estonia, France, and Netherlands in issuing the advisory about a long-term cyber campaign conducted by Russia-backed actors. These attacks are primarily targeting logistics and technology companies involved in foreign aid to Ukraine.

The campaign is being conducted by a unit of Russian military intelligence known as GRU No. 26165 (also referred to as Fancy Bear and Forrest Blizzard, among other names). This group has been carrying out espionage operations for over two years against entities in the defence and transportation sectors, including air, maritime, and rail transport. They also target government institutions and commercial companies in NATO member states, Ukraine, and neighbouring countries.

The attackers use well-known tactics such as password spraying, targeted phishing emails, changes to mailbox settings in Microsoft Exchange environments, and exploitation of software vulnerabilities, including Outlook (NTLM) and WinRAR. These methods allow them to gain access to systems, where they then install malware to maintain persistence and steal data.

Unit 26165 also actively monitored the transport of aid to Ukraine by accessing IP cameras located at border crossings, railway hubs, and other strategic points. As part of the observed campaign, they primarily targeted IP cameras using the RTSP protocol, employing publicly known default login credentials or brute-force techniques to gain access. The collected data included static images and metadata from the cameras.

An analysis of more than 10,000 targeted cameras revealed that the majority (81%) were located in Ukraine. Others were found in Romania, Poland, Hungary, and Slovakia.

GRU actors also focused on individuals responsible for coordinating transportation and companies cooperating with the targeted organizations. They exploited trusted business relationships to further infiltrate target networks. They also identified entities involved in the production of components for industrial control systems (ICS), which are used, for example, in railway transport.

The report warns that these activities are likely to continue. Technology and logistics companies, as well as organizations in the transportation sector, should therefore strengthen monitoring, actively hunt for signs of compromise (threat hunting), and implement appropriate protective measures against these sophisticated threats. Indicators of compromise, along with the attackers’ tactics and techniques, can be found in the full version of the document here.

2025-05-21

Director of the NÚKIB Lukáš Kintr discussed continued cooperation on cybersecurity with President Trump's administration in the U.S.

Lukáš Kintr, Director of the National Cyber and Information Security Agency (NÚKIB), and Roman Pačka, Director of the Cabinet, recently completed a working visit to the United States, where they held talks on cybersecurity cooperation with representatives of the new American administration.

The NÚKIB delegation held a series of meetings with representatives of U.S. security institutions, including the White House National Security Council and the House Select Committee on Strategic Competition between the U.S. and China. The delegation then travelled to San Francisco, where, starting Monday, April 28, they participated in the world’s leading cybersecurity event, the RSA Conference, and spoke at the International Cyber Security Forum alongside top U.S. administration officials and other international partners.

During the meetings in Washington, the U.S. side praised the Czech Republic’s long-standing and proactive approach to cybersecurity. The discussions also reaffirmed the importance of ongoing cooperation, which has been developing since President Trump’s first administration and has led, among other things, to the adoption of the so-called Prague Proposals on the security of 5G infrastructure.

‘Meetings with our American counterparts confirmed the exceptional nature of our relations and the mutual interest in continuing the intensive cooperation that NÚKIB has been successfully building with the U.S. for several years. I believe that our mutual collaboration in the field of cybersecurity — including timely information sharing and joint responses to cyberattacks — will remain one of the key pillars of Czech-American relations in the years to come,’ said NÚKIB Director Lukáš Kintr.

Key topics of discussion included, in particular, threats posed by state-sponsored actors targeting critical infrastructure — including the Volt Typhoon and Salt Typhoon campaigns — the use of trusted and secure technologies, and the impact of rapidly evolving artificial intelligence on cybersecurity. The discussions also covered issues related to the cyber protection of energy infrastructure and the cybersecurity of connected vehicles. In all cases, these are crucial topics that resonate on both sides of the Atlantic.

‘We continue to share a common understanding with the United States regarding cyber threats and the need to counter malicious activities not only from China and Russia. The U.S. remains a key strategic partner for us, and we aim to further deepen our cooperation in the future — particularly in areas such as post-quantum cryptography and security and cooperation in the Indo-Pacific region,’ said Cabinet Director Roman Pačka.

The discussions also addressed the strengthening of cyber capabilities and preparedness for major cyber incidents. In this regard, the Czech Republic plays a very active role within the North Atlantic Alliance (NATO). Since 2020, NÚKIB has had a Cyber Attaché stationed directly at NATO headquarters in Brussels, and in early April, NÚKIB organized a cyber exercise focused on the so-called Virtual Cyber Incident Support Capability (VCISC), which also included participation from U.S. representatives. In addition, the Czech Republic will host the fourth NATO Cyber Champions Summit in 2026.

‘The NÚKIB delegation was one of the first high-level European delegations focused on cybersecurity to be received by the new U.S. administration in Washington this year. The several days of meetings brought, among other things, a series of new and concrete impulses for the further development of our cooperation, which we will jointly pursue in the coming months,’ said Berta Jarošová, NÚKIB Cyber Attachée at the Embassy in Washington, who coordinated the visit program in the U.S.

2025-05-02