Date: Dec 2018

Location: Cyprus

Summary

A cyber campaign attributed to China's People's Liberation Army Strategic Support Force compromised the Ministry of Foreign Affairs of Cyprus as part of a broader operation targeting European Union diplomatic communications. Attackers used phishing techniques to infiltrate the Cypriot institution, subsequently accessing the EU's COREU network—a critical system for coordinating foreign policy among member states, intergovernmental bodies, and affiliated organizations. The breach enabled unauthorized access to sensitive diplomatic correspondence and extended to other entities including United Nations agencies, financial ministries, trade unions, and policy think tanks. Security researchers characterized the operation as a systematic effort exploiting common vulnerabilities rather than sophisticated technical methods, emphasizing phishing's continued prevalence in network intrusions.


Description

In 2018, Area 1 Security identified an ongoing cyber campaign targeting European diplomatic communications infrastructure, including the Ministry of Foreign Affairs of Cyprus. The campaign exploited phishing techniques to compromise email accounts and gain unauthorized access to the COREU network, a critical system facilitating foreign policy coordination among all 28 EU member states, the European Council, the European External Action Service, and the European Commission. Attackers specifically targeted Cyprus's foreign ministry as an entry point to infiltrate this broader diplomatic communications framework. Technical artifacts indicated the campaign also affected multiple intergovernmental organizations, finance ministries, trade unions, and policy think tanks beyond the EU network. Area 1 Security's sensors detected the malicious activity during routine operations, tracing the attack chain to infrastructure associated with China's People's Liberation Army Strategic Support Force (SSF).

The breach enabled unauthorized access to confidential diplomatic correspondence used for urgent foreign policy coordination across EU institutions. Area 1 Security investigators determined this campaign shared operational characteristics with previous attacks against the United Nations and the AFL-CIO labor union. Analysis revealed attackers systematically leveraged compromised credentials from initial phishing successes to move laterally through interconnected government networks. While the 2015 US-China agreement had curtailed cyber-espionage targeting private commercial entities, this incident demonstrated continued state-sponsored operations against governmental targets. The compromise highlighted systemic vulnerabilities in shared diplomatic communication platforms, particularly the risks posed by targeting smaller member states like Cyprus to access broader multinational networks. No specific remediation actions by affected governments were disclosed in the report, though Area 1 Security emphasized the routine nature of such phishing-based intrusions across global institutions.
