Cyber Incident Victim: Czech Ministry of Defense
Date: Jan 2016
Location: Czechia
Summary
The Czech Ministry of Defense and other government networks were compromised by the Russian-linked cyber-espionage groups Turla and APT28, which gained access to email systems through brute-force attacks and spearphishing campaigns targeting military and diplomatic personnel. The attackers accessed sensitive communications, personal data, and non-classified information from multiple ministries, including Foreign Affairs and the Army, which could facilitate future illegitimate activities. The intrusions, attributed to Russia's FSB and GRU intelligence agencies, involved prolonged unauthorized access to high-level email accounts and the deployment of malware such as X-Agent on defense infrastructure. Intelligence officials confirmed that the breaches did not compromise classified material but exposed vulnerabilities in state institutions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Between 2016 and 2017, the Czech Security Intelligence Service (BIS) identified two distinct cyber-espionage campaigns targeting government networks, attributed to Russian state-sponsored groups Turla and APT28 (Sofacy/Fancy Bear). The first campaign, linked to Turla, compromised the Ministry of Foreign Affairs (MFA) email system from at least January 2016, accessing over 150 staff mailboxes and copying emails with attachments. Attackers focused extensively on top ministry representatives' accounts, conducting repeated, long-term access over nearly a year before detection in early 2017. This breach provided hackers with target lists across key Czech state institutions. A separate December 2016 attack involved brute-force attempts against several hundred MFA mailboxes, though BIS did not definitively attribute this to a specific group. Concurrently, APT28 conducted spearphishing campaigns against Czech military personnel, particularly those in military diplomacy roles across Europe, and targeted European arms companies and a foreign border guard. This group compromised private email accounts of individuals associated with the Ministry of Defense and Army of the Czech Republic, alongside infiltrating a Ministry of Defense/Czech Army IP address using X-Agent malware.

BIS confirmed no classified information was exfiltrated in these incidents, though attackers acquired personal data and sensitive operational details usable for future attacks. The agency publicly attributed Turla to Russia’s FSB intelligence service and APT28 to GRU military intelligence, marking a strategic shift toward naming perpetrators. During 2017 investigations, BIS discovered and facilitated the remediation of an SQL injection vulnerability on an unnamed Czech ministry website. Additional defensive actions included disrupting a Hezbollah hacking operation in 2018, though this was unrelated to the Russian-linked campaigns. The MFA and defense sector breaches mirrored tactics observed in contemporaneous attacks against other European governments, particularly Turla’s targeting of foreign affairs entities documented in external cybersecurity reports. BIS emphasized the persistent focus on high-value diplomatic and military targets, with compromised data posing ongoing risks for follow-on operations against Czech institutional networks.
