Bottom Line Up Front: The Czech Republic has summoned China’s ambassador over a sophisticated three-year cyber espionage campaign that targeted the Czech Foreign Ministry’s unclassified communications network, marking the latest escalation in a global pattern of Chinese state-sponsored cyber attacks attributed to the notorious APT31 group.
1/2 We are exposing cybercriminals. China has been persistently trying to undermine our resilience and democracy. Through cyberattacks, information manipulation, and propaganda, it interferes in our society - and we must defend ourselves against it. pic.twitter.com/CKpmjXt0sE
— Czech Ministry of Foreign Affairs (@CzechMFA) May 28, 2025
The Diplomatic Confrontation
On Wednesday, May 28, 2025, the Czech Republic took the unprecedented step of officially confronting China over what it termed “a malicious cyber campaign” targeting a network used for unclassified communication at its Foreign Affairs ministry. Foreign Minister Jan Lipavský personally summoned the Chinese ambassador to Prague, delivering a stern diplomatic message that “such activities have serious impacts on mutual relations”.
The confrontation represents more than a bilateral diplomatic spat—it signals a broader hardening of European attitudes toward Chinese cyber aggression and marks a significant moment in the ongoing digital cold war between democratic nations and authoritarian regimes.
The Technical Details of the Attack
The attacks started during the country’s 2022 EU presidency and were perpetrated by the cyber espionage group APT31, which Czech officials said with a “high degree of certainty” was responsible for the breach. The timing is particularly significant—targeting the Czech Republic during its EU presidency would have given attackers potential access to sensitive diplomatic communications and insights into European Union decision-making processes.
The foreign ministry said in a statement the attack started in 2022 and targeted “one of the unclassified networks” of the ministry, though officials have not disclosed the specific information that may have been compromised. The Czech government has since implemented a new communications system to address the vulnerabilities exploited in the attack.

Understanding APT31: China’s Elite Cyber Unit
Advanced Persistent Threat 31 (APT31), also known as Zirconium, Judgment Panda, and Violet Typhoon, represents one of China’s most sophisticated state-sponsored hacking groups. This group was allegedly run by China’s Ministry of State Security and targeted millions of people, mostly in the U.S. and Britain, for more than a decade including officials, lawmakers, activists, academics and journalists, and firms ranging from defence contractors to a U.S. smartphone maker.
The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. The group operated through a front company, Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), from at least 2010 until January 2024, demonstrating the sophisticated infrastructure China has developed to conduct cyber espionage operations.
APT31’s Global Operations
The scope of APT31’s activities extends far beyond the Czech Republic. The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.
The group was first publicly identified in 2016 and is believed to have operated since 2010, but its most devastating attack came in 2021, when APT31 and another state-backed group took advantage of a flaw in Microsoft’s email server system, Exchange, to steal personal data. Around 250,000 email servers were affected by the hack, including an estimated 7,000 in the UK.
The group’s tactics are particularly insidious. The more than 10,000 malicious emails that the defendants and others in the APT31 Group sent to these targets often appeared to be from prominent news outlets or journalists, demonstrating their sophisticated social engineering capabilities.
The United States stands with 🇨🇿’s attribution of the malicious cyber activities of the China-affiliated cyber actor APT31. The U.S. denounces these actions and calls upon the CCP to immediately cease any and all such activities. https://t.co/6pBVLsJ0C0
— Bureau of Cyberspace and Digital Policy (@StateCDP) May 28, 2025
International Response and Condemnation
The Czech accusations have triggered a coordinated international response, highlighting the collective concern among democratic nations about Chinese cyber activities.
NATO’s Position
NATO issued a strong statement expressing solidarity with the Czech Republic. “We observe with increasing concern the growing pattern of malicious cyber activities stemming from the People’s Republic of China,” NATO said, indicating that the alliance views these attacks as part of a broader strategic threat rather than isolated incidents.
European Union’s Stance
EU foreign policy chief Kaja Kallas condemned the attack in unequivocal terms. “This attack is an unacceptable breach of international norms,” Kaja Kallas, the EU’s foreign policy chief, said. “The EU will not tolerate hostile cyber actions”.
EU member states have increasingly been the target of cyber attacks from China in recent years and China should do more to prevent them, the European Union said on Wednesday. Kallas emphasized that “We call upon all states, including China, to refrain from such behaviour. States should not allow their territory to be used for malicious cyber activities”.
Importantly, Ms Kallas said the EU was ready to take further action if needed to prevent, deter or respond to malicious behaviour in cyberspace, suggesting that the bloc is prepared to escalate its response to Chinese cyber aggression.
China’s Response and Denial
The Chinese Embassy dismissed the Czech accusations as “groundless.” It said China fights “all forms of cyber attacks and does not support, promote or tolerate hacker attacks”. This response follows China’s standard playbook of categorical denial when confronted with evidence of state-sponsored cyber activities.
China’s embassy in Prague called on the Czech side to end its “microphone diplomacy”, attempting to frame the Czech government’s public attribution as diplomatic grandstanding rather than a legitimate security concern.
Historical Context of Czech-China Cyber Tensions
This is not the first time the Czech Republic has been targeted by sophisticated cyber attacks. In a separate cyberattack in 2017, the email account of then Czech Foreign Minister Lubomír Zaorálek and the accounts of dozens of ministry officials were successfully hacked. Officials said the attack was sophisticated, and experts believed it was done by a foreign state, which was not named then.
The pattern suggests sustained interest from foreign intelligence services in Czech diplomatic communications, likely driven by the country’s strategic position within NATO and the EU, as well as its increasingly assertive stance on issues affecting Chinese interests.
Czech-Taiwan Relations as a Factor
Prague has recently angered Beijing by fostering close ties with Taiwan as high-profile Czech delegations, including the parliament speakers, have visited the island while Taiwanese officials came to Prague several times. These diplomatic initiatives directly challenge China’s “One China” policy and may have motivated increased surveillance of Czech government communications.
China is trying to keep Taipei isolated on the world stage and prevents any sign of international legitimacy for the island. It sees such visits as an infringement of the one-China policy which Prague officially pursues, just like the rest of the EU.
The Broader Cyber Threat Landscape
The Czech incident represents part of a broader escalation in state-sponsored cyber activities targeting democratic institutions worldwide. The Czech Security Information Office (BIS) singled out China as a threat to security in its 2024 annual report, indicating that Czech intelligence services have been tracking Chinese activities for some time.
US Legal Actions Against APT31
The international community has not limited its response to diplomatic protests. The United States and Britain filed charges and imposed sanctions on a company and individuals tied to a Chinese state-backed hacking group named APT31. U.S. authorities have offered rewards of up to $10 million for information on the hackers, demonstrating the seriousness with which Western governments view these threats.
An indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses and political officials.
Implications for International Cybersecurity
The Czech Republic’s decision to publicly attribute the attack and summon the Chinese ambassador represents a significant escalation in how democratic nations are responding to state-sponsored cyber threats. This approach reflects several important trends:
Attribution as a Policy Tool
By publicly naming APT31 and China’s Ministry of State Security as responsible for the attacks, the Czech Republic is contributing to a broader Western strategy of “naming and shaming” state sponsors of cyber attacks. This approach aims to impose political and diplomatic costs on countries that engage in cyber espionage.
Collective Defense Mechanisms
The coordinated response from NATO and the EU demonstrates the growing effectiveness of collective defense mechanisms in cyberspace. Rather than treating cyber attacks as purely bilateral issues, democratic allies are increasingly responding as a bloc to impose greater costs on attackers.
Escalating Consequences
Ms Kallas said the EU was ready to take further action if needed to prevent, deter or respond to malicious behaviour in cyberspace, suggesting that the current diplomatic response may be only the beginning of a more comprehensive strategy to counter Chinese cyber activities.
Looking Forward: The Future of Cyber Deterrence
The Czech Republic’s confrontation with China over APT31’s activities marks a potential turning point in how democratic nations respond to state-sponsored cyber attacks. The incident demonstrates several key principles that are likely to shape future cyber deterrence strategies:
Collective Attribution: The coordinated response from the Czech Republic, NATO, and the EU shows that attribution of cyber attacks is becoming a multilateral effort rather than a unilateral decision.
Public Transparency: By openly discussing the technical details of the attack and the evidence linking it to Chinese state actors, the Czech government is contributing to a broader strategy of transparency designed to impose reputational costs on attackers.
Escalatory Responses: The warning from EU officials about potential further action suggests that the international community is prepared to move beyond diplomatic protests to more concrete deterrent measures.
The Czech Republic’s bold stance against Chinese cyber aggression may serve as a template for how smaller nations can effectively respond to sophisticated state-sponsored threats by leveraging collective defense mechanisms and international solidarity. As cyber attacks continue to evolve as tools of statecraft, the international community’s response to the APT31 campaign will likely influence how future incidents are handled and deterred.
The message from Prague is clear: state-sponsored cyber attacks will no longer be met with silence or purely private diplomatic protests. Instead, they will be met with public attribution, international coordination, and escalating consequences—marking a new phase in the ongoing struggle to establish norms and deterrence in cyberspace.


