Cyber Incident Victim: Czech Army
Date: Jul 2025
Location: Czechia
Summary
An Asian state‑aligned cyber‑espionage group conducted a year‑long campaign that breached government and critical‑infrastructure networks in over thirty‑seven countries, targeting entities such as law‑enforcement agencies, finance ministries, a parliament and senior officials. In the Czech Republic, the group performed reconnaissance on the Army, police, parliament and foreign‑ministry networks following a presidential meeting with the Dalai Lama. The campaign used tailored phishing emails and unpatched vulnerabilities to exfiltrate emails and financial and military communications. Palo Alto Networks identified the intrusions, notified the affected organizations and offered assistance, while U.S. agencies acknowledged the campaign and worked with partners to mitigate the exploited flaws.
Description
In July 2025, Czech President Petr Pavel met with the Dalai Lama, an event that preceded a series of cyber‑espionage activities directed at Czech governmental institutions. According to the Palo Alto Networks Unit 42 report, in the weeks following that meeting the state‑aligned Asian hacking group conducted reconnaissance on multiple Czech government targets; the report specifically names the Army, police, Parliament and the Ministry of Foreign Affairs as part of that surveillance effort. The reconnaissance phase involved gathering information about network structures, identifying potential entry points and monitoring communications related to military and police operations. The report does not detail any successful compromise of the Czech Army’s systems during this reconnaissance, but it notes that the group’s broader campaign included the use of highly targeted fake emails and exploitation of known, unpatched security flaws to gain access to victim networks. The attackers’ activities were timed to coincide with geopolitical events such as diplomatic missions and trade negotiations, suggesting an intent to collect sensitive information relevant to those developments.

Palo Alto Networks researchers confirmed that the group managed to access and exfiltrate sensitive data from the email servers of some victims, although the report does not specify which Czech institutions had their email compromised. Upon discovering the breaches, the firm notified the affected organizations and offered them assistance in remediation and further investigation. The US Cybersecurity and Infrastructure Security Agency acknowledged the campaign and stated that it was collaborating with international partners to prevent the hackers from exploiting the vulnerabilities outlined in the report. Representatives of the FBI and CIA declined to comment on the matter, and the NSA did not respond to a request for comment. The Czech National Cyber and Information Security Authority likewise did not provide a response to inquiries about the report, while the Chinese Embassy in Prague dismissed the allegations against the Czech Republic as unsubstantiated. The report also highlighted that the hacking group was suspected of operating in numerous other countries, including Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama and others, indicating a wide‑spanning espionage operation that intersected with the Czech reconnaissance activities.
