National Cyber and Information Security Agency

Relevant and clear information on the new NIS2 Directive can be found at nis2.nukib.gov.cz/en.

For information on the National Coordination Centre (NCC) in the Czech Republic, visit nkc.nukib.gov.cz/en.

 

Selected News

NÚKIB and Microsoft Confirm Cybersecurity Cooperation by Signing a Memorandum

At the international security forum Globsec, held on Thursday, June 12, 2025, in Prague, representatives of the National Cyber and Information Security Agency (NÚKIB) and Microsoft signed the Memorandum of Understanding. The memorandum was signed on behalf of NÚKIB by its director Lukáš Kintr, and on behalf of Microsoft by Amy Hogan-Burney, Vice President, and Michal Stachník, General Manager of Microsoft Czech Republic and Slovakia.

This memorandum represents a significant step forward in developing cooperation between the public and private sectors in cybersecurity, contributing to the overall strengthening of the Czech Republic’s cyber resilience. It builds on the shared commitment of both NÚKIB and Microsoft to foster a safer and more resilient cyberspace. It also provides a framework for practical collaboration in areas such as sharing expertise, supporting education, and leveraging emerging technologies, including artificial intelligence, to defend against cyber threats. The memorandum further confirms the intent of both parties to engage in a regular dialogue and jointly enhance cybersecurity capacities.

‘Cooperation with technology leaders such as Microsoft is the key to strengthening the cybersecurity of the Czech Republic,’ emphasized Lukáš Kintr, Director of NÚKIB. ‘The signed memorandum sets a clear framework for knowledge sharing and joint threat response. It is another concrete step towards greater resilience of our state in cyberspace,’ he said, adding: ‘Protection against cyberattacks is not possible without trust and open communication. Timely information sharing and swift coordination have already prevented several attacks in the past. NÚKIB has long been building a community of people and institutions who see cybersecurity as a shared responsibility, and this collaboration is a clear example of that.’

Amy Hogan-Burney, Microsoft’s Global Director for Customer Security and Trust, praised the recent public disclosure of the cyberattack by a Chinese actor targeting the Czech Ministry of Foreign Affairs, and the open communication, which helps build trust – something she called vital in the current geopolitical landscape. She added: ‘Our goal is to share as much information as possible and to be transparent about attacks on our systems or those of our customers. It is very important that governments take the same approach. Only then can we effectively deter future attacks. I personally look forward to continuing our cooperation with you.’

Michal Stachník, General Manager of Microsoft Czech Republic and Slovakia, also highlighted the importance of long-term partnerships with strong institutions like NÚKIB. He mentioned today’s key geopolitical topics as well: ‘The signing of this memorandum builds upon our commitments to Europe, including the expansion of cloud and AI infrastructure aimed at strengthening digital sovereignty and economic competitiveness across the continent. Microsoft has also made a legal commitment to protect Europe’s digital resilience – even in the face of geopolitical pressures, including legal challenges against any attempt to disrupt services in Europe – and has reinforced its focus on compliance with European laws and data protection.’

The Czech Government Has Publicly Attributed Cyberattacks to China: Actor APT31 Linked to the Chinese Ministry of State Security Has Targeted the Infrastructure of the Czech Ministry of Foreign Affairs

On 28 May 2025, the Government of the Czech Republic announced a national attribution of a malicious cyber campaign conducted by actor APT31, which is associated with the Chinese Ministry of State Security. Since at least 2022, this group has been attacking one of the unclassified networks of the Czech Ministry of Foreign Affairs.

‘As this institution is considered to be critical national infrastructure, NÚKIB together with all three Czech intelligence services conducted a comprehensive and thorough investigation. Its goal was to both identify the origin of the attack and, in cooperation with the Czech Ministry of Foreign Affairs, secure their compromised network and prevent similar incidents in the future,’ stated Lukáš Kintr, Director of the National Cyber and Information Security Agency (NÚKIB).

The conclusions of the analysis conducted by NÚKIB, Military Intelligence, the Office for Foreign Relations and Information, and the Security Information Service clearly indicate that the People’s Republic of China is behind this long-term malicious campaign, most likely through the actor APT31 (also known as Zirconium or Judgment Panda), which has been linked to numerous attacks against foreign political and other targets, among others, in EU and NATO countries.

The Czech Republic has also been cooperating with international partners in this area for a long time. Following intensive consultations, EU Member States and NATO Allies expressed solidarity with the Czech Republic in response to the revealed malicious campaign. Both organizations also unanimously called on the People’s Republic of China to behave responsibly and to adhere to the UN norms it had voluntarily committed to.

‘Cyber threats know no borders, and that is why international cooperation is such a key element of our response. It is an essential foundation of cybersecurity and of any effective defense against increasingly sophisticated cyberattacks. The serious, malicious activity we faced in this case reflects a repeated pattern of behavior by the Chinese group APT31, which had previously targeted our Allies. That is why we shared relevant information about the incident with our partners in the EU and NATO, but also with key partners in the Indo-Pacific, particularly through our network of cyber attachés. We deeply appreciate the cooperation and support we received from them,’ added the Director of NÚKIB.

Statement by the Government of the Czech Republic

Joint Statement by the EU

Joint Statement by NATO

The National Cyber and Information Security Agency of the Czech Republic Co-Seals Publications on SIEM and SOAR Platforms with the Australian Signals Directorate and International Partners

The initiative includes collaboration with international partners such as the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI), the Canadian Centre for Cyber Security (CCCS), the National Cyber Security Centre of New Zealand (NCSC-NZ), the United Kingdom’s National Cyber Security Centre (NCSC-UK), Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Japan Computer Emergency Response Team (JPCERT), the Republic of Korea’s National Intelligence Services (NIS), and Cyber Security Agency of Singapore (CSA).

The publication series consists of 3 publications:

Implementing SIEM and SOAR platforms – Executive guidance defines SIEM and SOAR platforms, explains their value and also their challenges, and provides high-level recommendations for implementing them. It is targeted at executives, but can be used by any organization that is considering whether and how to implement a SIEM and/or SOAR.

Implementing SIEM and SOAR platforms – Practitioner guidance provides high-level guidance for cyber security practitioners and describes how a SIEM/SOAR can enhance visibility, detection and response, as well as principles for procurement, establishment, and maintenance of those platforms.

Priority logs for SIEM ingestion: Practitioner guidance provides practitioners with detailed logging guidance for specific categories of log sources, such as from Endpoint Detection and Response tools, Windows/Linux operating systems, network devices, and Cloud deployments.

“I am pleased that NÚKIB was able to contribute to the second co-sealed series of documents led by the ASD, particularly its focus on SIEM and SOAR platforms, technologies that are increasingly being adopted across the Czech Republic. The recommended principles reflect the long-standing security standards that NÚKIB has consistently promoted. It is essential for organisations to commit not only to initial investments in security technologies but also to continuous support for the people and processes that operate them. A SIEM or SOAR solution that is not ingesting relevant data, and is not actively monitored and tuned, is unlikely to detect or respond to threats effectively,” said Lukáš Kintr, Director of NÚKIB.

These publications demonstrate the collective effort of global partners to strengthen cybersecurity and protect critical infrastructure from evolving cyber threats. Read the publications here.

NÚKIB and Czech intelligence services, together with the NSA and FBI, warn of a Russian cyber campaign targeting entities supporting Ukraine

The National Cyber and Information Security Agency (NÚKIB), together with the Security Information Service and Military Intelligence of the Czech Republic, has joined partners from the United States, the United Kingdom, Germany, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands in issuing an advisory about a long-term cyber campaign conducted by Russia-backed actors. These attacks primarily target logistics and technology companies involved in foreign aid to Ukraine.

The campaign is being conducted by a unit of Russian military intelligence known as GRU No. 26165 (also referred to as Fancy Bear and Forest Blizzard, among other names). This group has been carrying out espionage operations for over two years against entities in the defence and transportation sectors, including air, maritime, and rail transport. They also target government institutions and commercial companies in NATO member states, Ukraine, and neighbouring countries.

The attackers use well-known tactics such as password spraying, targeted phishing emails, changes to mailbox settings in Microsoft Exchange environments, and exploitation of software vulnerabilities, including in Outlook (NTLM) and WinRAR. These methods allow them to gain access to systems, where they then install malware to maintain persistence and steal data.

Unit 26165 also actively monitored the transport of aid to Ukraine by accessing IP cameras located at border crossings, railway hubs, and other strategic points. As part of the observed campaign, they primarily targeted IP cameras using the RTSP protocol, employing publicly known default login credentials or brute-force techniques to gain access. The collected data included static images and metadata from the cameras.

An analysis of more than 10,000 targeted cameras revealed that the majority (81%) were located in Ukraine. Others were found in Romania, Poland, Hungary, and Slovakia.

GRU actors also focused on individuals responsible for coordinating transportation and companies cooperating with the targeted organizations. They exploited trusted business relationships to further infiltrate target networks. They also identified entities involved in the production of components for industrial control systems (ICS), which are used, for example, in railway transport.

The report warns that these activities are likely to continue. Technology and logistics companies, as well as organizations in the transportation sector, should therefore strengthen monitoring, actively hunt for signs of compromise (threat hunting), and implement appropriate protective measures against these sophisticated threats. Indicators of compromise, along with the attackers’ tactics and techniques, can be found in the full version of the document here.