Morning Overview

A China-linked APT group has been quietly attacking South American and European governments since late 2024

In late April 2025, the Czech Republic did something no other EU member state had done before: it publicly named China as the source of a years-long cyber-espionage campaign that had penetrated its Ministry of Foreign Affairs. The formal attribution, issued by the Czech National Cyber and Information Security Agency (NUKIB), identified the threat group APT31 and tied it directly to China’s Ministry of State Security. Within weeks, the EU issued a collective condemnation, and by early 2026, CERT-EU was warning that the Czech breach fit a broader pattern of Chinese state-sponsored intrusions stretching across European diplomatic networks. Separately, threat intelligence reporting has flagged activity consistent with Chinese state-sponsored operations in South America, though no government in the region has confirmed those claims on the record.

What the Czech Republic revealed

NUKIB’s public statement was unusually specific. It did not merely flag a “state-sponsored” threat or gesture vaguely at Beijing. The agency named APT31 and identified its sponsor as a defined branch of Chinese intelligence. That level of precision carries weight because it stakes Prague’s diplomatic relationship with Beijing on the accuracy of the claim.

According to the Czech Ministry of Foreign Affairs’ official declaration, the APT31 campaign began in 2022 and targeted the ministry’s unclassified communications network. A second target, described only as critical infrastructure, was also affected, though Prague has not publicly identified it. The “unclassified” label can be misleading: these systems carry internal correspondence, scheduling data, and policy drafts that give foreign intelligence services a detailed map of how a government makes decisions.

Prague escalated beyond technical disclosure. The Czech government summoned the Chinese ambassador, a diplomatic step reserved for serious breaches of sovereignty. The government’s declaration framed the intrusion as an unacceptable violation and explicitly attributed it to a Chinese state actor, moving the matter from quiet cyber defense into open foreign policy confrontation.

Europe’s collective response and the wider APT31 record

The EU’s High Representative for Foreign Affairs and Security Policy issued a formal cyber statement on May 28, 2025, condemning the malicious activity against Czechia on behalf of all member states. The statement described the operation as part of a broader pattern of hostile cyber campaigns threatening the Union’s security and stability. By framing the Czech case as a collective concern rather than a bilateral dispute, Brussels signaled that future intrusions against member governments could trigger coordinated political or economic consequences.

That warning gained additional substance in February 2026, when CERT-EU published a Cyber Brief referencing multiple China-linked campaigns across member states. The brief did not single out APT31 alone but placed the Czech case within a wider pattern of state-sponsored intrusions targeting European governments and their diplomatic infrastructure. By highlighting recurring techniques and overlapping attack infrastructure, CERT-EU effectively warned that the Czech incident was not isolated.

The Czech attribution also did not arrive in a vacuum. In March 2024, the U.S. Department of Justice unsealed indictments against seven individuals linked to APT31, accusing them of a 14-year hacking campaign targeting U.S. officials, dissidents, and companies. France’s cybersecurity agency, ANSSI, flagged APT31 activity targeting French organizations as early as 2021. Finland and the United Kingdom have also publicly linked APT31 to operations against their institutions. The Czech case adds another confirmed data point to what is now a multi-continent pattern of activity attributed to the same group.

The South American dimension: what is claimed and what is confirmed

Threat intelligence firms and secondary reporting have flagged activity consistent with Chinese state-sponsored operations targeting South American government networks. However, no South American government has issued a public attribution statement comparable to Prague’s. No specific country, agency, or incident in the region has been named in any on-the-record disclosure. Without an official declaration from a Latin American capital identifying APT31 or a related Chinese threat cluster, the scope of operations in that region cannot be confirmed to the same evidentiary standard as the European cases.

What makes the reporting worth monitoring, even without formal attribution, is the operational logic. South American nations maintain significant diplomatic and trade relationships with both China and Western governments, making their foreign ministries plausible intelligence targets for Beijing. Several countries in the region have also expanded cooperation with Chinese technology firms in telecommunications and infrastructure, creating potential access points that align with APT31’s known focus on diplomatic and policy networks.

Still, readers should treat the South American angle with considerably more caution than the European one. The gap between private-sector threat intelligence and formal government attribution is significant. Until a government in the region goes on the record with its own technical and diplomatic assessment, the claims remain unconfirmed.

What we still do not know

Neither NUKIB nor the Czech Ministry of Foreign Affairs has released indicators of compromise, malware samples, or a detailed intrusion timeline. Without that technical granularity, independent researchers cannot fully verify the attribution or determine whether the same tooling has appeared elsewhere. This is standard practice for government attributions, where protecting intelligence sources takes priority over public transparency, but it limits outside scrutiny.

Key operational questions remain open. It is unclear whether APT31 exploited an unpatched known vulnerability, a zero-day flaw, or stolen credentials to gain initial access. The duration of the intrusion before detection has not been disclosed, nor has the volume or type of data exfiltrated. Each of those details would help determine whether the operation was primarily about long-term strategic intelligence collection or something more targeted.

Beijing has not publicly acknowledged the accusations. China’s standard position on cyber-espionage allegations is categorical denial, and no substantive response to the Czech or EU statements has appeared as of June 2026. The absence of a Chinese counter-narrative leaves the diplomatic dimension one-sided in the public record.

Practical defenses for organizations in the diplomatic orbit

APT31’s documented focus on unclassified communications systems carries a practical lesson for any organization that interacts with European or South American diplomatic networks. Email servers, scheduling tools, and document-sharing platforms that support diplomatic work but sit outside formally classified environments often have weaker access controls, broader user bases, and more third-party connections. Those characteristics make them ideal entry points for long-term espionage.

The Czech case demonstrates that “unclassified” does not mean “unimportant.” Internal correspondence and policy drafts on these systems can reveal negotiating positions, personnel movements, and decision-making hierarchies that are enormously valuable to a foreign intelligence service. Strengthening multi-factor authentication, tightening access to shared resources, and actively monitoring for anomalous behavior on these systems are no longer optional hardening measures. For organizations in the diplomatic orbit, they are a front-line defense against a threat group that has now been formally attributed by multiple Western governments.
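To make the monitoring recommendation concrete, here is an added example (not code from Morning Overview, NUKIB, or any of the agencies mentioned) that runs simple anomaly checks over authentication records from an unclassified webmail, calendar, and document-sharing environment. The log format, the user names, the IP addresses, the business-hours window, and the burst thresholds are all constructed assumptions for the demonstration; a real deployment would read from the mail or identity platform's own audit log. It flags successful logins that bypassed MFA, logins from a country the user has never used in a baseline period, off-hours access, and bursts of failed logins, which are the kinds of signals the article says these weaker-controlled systems need watched.

```python
"""Flag anomalous authentication events on an unclassified collaboration system.

Added illustration: the log lines, users, addresses and thresholds below are
constructed, not taken from any real incident or from the article's sources.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (assumed format):
# <ISO-8601 UTC timestamp> user=<id> src=<ip> country=<CC> mfa=<yes|no> result=<ok|fail> app=<name>
SAMPLE_LOG = """\
2025-03-03T08:12:41Z user=j.novak src=10.1.4.22 country=CZ mfa=yes result=ok app=webmail
2025-03-03T08:40:10Z user=j.novak src=10.1.4.22 country=CZ mfa=yes result=ok app=calendar
2025-03-03T09:05:00Z user=p.svoboda src=10.1.7.9 country=CZ mfa=yes result=ok app=webmail
2025-03-04T02:17:33Z user=j.novak src=203.0.113.45 country=SG mfa=no result=ok app=webmail
2025-03-04T02:18:05Z user=j.novak src=203.0.113.45 country=SG mfa=no result=ok app=docshare
2025-03-04T11:00:02Z user=p.svoboda src=198.51.100.7 country=CZ mfa=no result=fail app=webmail
2025-03-04T11:00:09Z user=p.svoboda src=198.51.100.7 country=CZ mfa=no result=fail app=webmail
2025-03-04T11:00:15Z user=p.svoboda src=198.51.100.7 country=CZ mfa=no result=fail app=webmail
2025-03-04T11:00:21Z user=p.svoboda src=198.51.100.7 country=CZ mfa=no result=fail app=webmail
2025-03-04T11:00:27Z user=p.svoboda src=198.51.100.7 country=CZ mfa=no result=fail app=webmail
2025-03-04T11:00:40Z user=p.svoboda src=198.51.100.7 country=CZ mfa=yes result=ok app=webmail
"""

# Assumed tuning values for the demonstration.
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC counts as a normal working window
FAIL_BURST_THRESHOLD = 5             # this many failures ...
FAIL_BURST_WINDOW_SEC = 120          # ... within this many seconds raises a finding
BASELINE_CUTOFF = datetime(2025, 3, 4, tzinfo=timezone.utc)  # events before this build the baseline


def parse_line(line):
    """Turn one 'key=value' audit line into a dict with a timezone-aware timestamp."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def baseline_countries(events, before):
    """Countries each user logged in from, with MFA, before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < before and e["result"] == "ok" and e["mfa"] == "yes":
            seen[e["user"]].add(e["country"])
    return seen


def find_anomalies(events, baseline_cutoff):
    """Return (timestamp, user, finding) tuples for events at or after the cutoff."""
    baseline = baseline_countries(events, baseline_cutoff)
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of recent failed logins
    for e in events:
        if e["ts"] < baseline_cutoff:
            continue
        user = e["user"]
        if e["result"] == "ok":
            if e["mfa"] != "yes":
                findings.append((e["ts"], user, "success_without_mfa"))
            if baseline.get(user) and e["country"] not in baseline[user]:
                findings.append((e["ts"], user, f"new_country:{e['country']}"))
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append((e["ts"], user, "off_hours_login"))
        else:
            # Sliding window of failures; alert once when the threshold is first reached.
            window = recent_fails[user] + [e["ts"]]
            recent_fails[user] = [t for t in window
                                  if (e["ts"] - t).total_seconds() <= FAIL_BURST_WINDOW_SEC]
            if len(recent_fails[user]) == FAIL_BURST_THRESHOLD:
                findings.append((e["ts"], user, "failed_login_burst"))
    return findings


def demo():
    """Run the checks over the constructed sample log."""
    return find_anomalies(parse_log(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for ts, user, finding in demo():
        print(f"{ts.isoformat()} {user:<12} {finding}")
```

Against the constructed log, the script reports two MFA-less successes, two new-country logins, and two off-hours logins for the first user, plus one failed-login burst for the second; the later MFA-backed login from a baseline country produces nothing. The baseline here is built from the same log for brevity; in practice it would come from a longer history, and the findings would feed a SIEM or ticketing queue rather than a print loop.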


*This article was researched with the help of AI, with human editors creating the final content.