Date: Jan 2016

Location: Czechia

Summary

The Czech Ministry of Foreign Affairs and other government institutions were compromised by Russian-linked cyber-espionage groups Turla and APT28 through multiple campaigns. Attackers infiltrated over 150 staff mailboxes, primarily targeting senior officials, and exfiltrated emails with attachments over an extended period, remaining undetected for nearly a year. A separate brute-force attack attempted access to hundreds of additional accounts. While no classified information was stolen, adversaries acquired sensitive personal data and institutional target lists usable for future operations. The groups, associated with Russian intelligence services FSB and GRU, also targeted military personnel, defense-linked private accounts, and European arms companies via spearphishing, deploying malware like X-Agent on defense networks. Intelligence officials confirmed the incidents aligned with broader cyberespionage patterns against European states.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

Between 2016 and 2017, the Czech Security Intelligence Service (BIS) identified two distinct cyber-espionage campaigns targeting the Czech Ministry of Foreign Affairs (MFA), Ministry of Defense, and the Army of the Czech Republic. The first intrusion, attributed to Russian-linked groups Turla and APT28 (also known as Fancy Bear or Sofacy), compromised the MFA's electronic communication system beginning in early 2016. Attackers infiltrated over 150 staff mailboxes, systematically copying emails and attachments over an extended period. The breach remained undetected for nearly a year until BIS investigators discovered the compromise in early 2017. Intruders primarily targeted mailboxes of senior ministry officials, accessing them repeatedly and irregularly. This operation yielded extensive non-classified data, including sensitive personal information and comprehensive lists of potential targets across Czech state institutions. A separate attack occurred in December 2016 against the MFA, involving brute-force attempts to compromise several hundred additional mailboxes. BIS confirmed both campaigns aligned with concurrent cyber-espionage activities against other European governments.


APT28 conducted parallel operations against Czech military infrastructure during the same timeframe. The group executed spearphishing campaigns targeting military diplomats stationed across Europe and European arms manufacturers. These attacks compromised private email accounts of individuals affiliated with the Ministry of Defense and Czech Army, along with a Ministry of Defense IP address infected with X-Agent malware. While no classified material was exfiltrated, attackers acquired sensitive personal data usable for future operations. BIS publicly attributed both Turla and APT28 to Russian state actors—Turla to the FSB intelligence service and APT28 to GRU military intelligence—marking a policy shift toward explicit attribution. Concurrently, BIS identified and facilitated remediation of an SQL injection vulnerability in an unspecified Czech ministry's website during 2017. The intelligence service also disrupted a separate Hezbollah cyber operation unrelated to the Russian-linked incidents in 2018.
