Cyber Incident Victim: Czech Police
Date: Jul 2025
Location: Czechia
Summary
An Asian cyber‑espionage group compromised government and critical‑infrastructure networks in more than thirty‑seven countries, breaking into seventy organisations that included five national law‑enforcement and border‑control agencies, three finance ministries, a parliament and a senior elected official. The attackers used tailored phishing emails and unpatched software flaws to gain access, then exfiltrated email correspondence, financial records, military and police communications and diplomatic material. After a meeting between the Czech president and the Dalai Lama, the group conducted reconnaissance on Czech government targets such as the army, Czech police, parliament and foreign‑affairs ministry, and also breached Brazil’s ministry of mines and energy. Victims were notified by the security firm that discovered the campaign and offered assistance.
Description
In July 2025, Czech President Petr Pavel met with the Dalai Lama. Following that meeting, according to a Palo Alto Networks report, hackers linked to an Asian cyber‑espionage group began conducting reconnaissance on Czech government targets, specifically naming the Army, police, Parliament and the Ministry of Foreign Affairs. The report places this activity within a broader campaign that over the previous year had targeted government and critical‑infrastructure networks in more than 37 countries, compromising the systems of about seventy organisations, including five national law‑enforcement and border‑control agencies. The Czech operation was described as part of the group’s pattern of aligning intrusions with geopolitical events.

The attackers used highly‑targeted, tailored phishing emails and exploited known, unpatched security flaws to gain initial access to the networks they probed. Once inside, the report states, they used that access to spy on email communications, financial dealings and discussions about military and police operations, and they collected information on diplomatic matters. The intruders remained undetected in some compromised systems for months, allowing them to exfiltrate sensitive data from email servers of various victims. Palo Alto Networks researchers confirmed the successful access and data exfiltration, notified the affected organisations and offered them assistance, and identified some of the victims in the published report—an atypical step for a security firm.
The United States Cybersecurity and Infrastructure Security Agency said it was aware of the campaign and was working with partners to block exploitation of the vulnerabilities highlighted in the report. Representatives of the FBI and CIA declined to comment on the findings, and the NSA did not respond to a request for comment. The Czech National Cyber and Information Security Authority did not reply to a request for comment on the report, while the Chinese Embassy in Prague dismissed allegations of attacks against the Czech Republic as unsubstantiated. The report also noted that the same group had been observed conducting activity in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama and other countries.
