Czech Republic Warns of Data Exfiltration to China via Local Products and Services
Summary
The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about the transfer of system and user data to the People's Republic of China (PRC) via certain products and services. The advisory highlights the risk of data misuse by state, military, or political interests. This warning follows previous accusations of Chinese cyberattacks on Czech critical infrastructure and broader concerns about Chinese cyber activities. The advisory emphasizes the legal framework in China that compels companies to share data with the state, raising concerns about national security and resilience. Experts note that China's data collection strategies are extensive and varied, often involving private entities that are effectively controlled by the state. NUKIB has reassessed the risk of significant disruptions caused by China, now rating it as 'High'. The agency confirms malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Czech Cybersecurity Act requires critical infrastructure entities to adopt security measures to mitigate risks associated with Chinese technology.
Timeline
- 07.09.2025 17:09 · 1 article · 9 days ago
  NUKIB confirms APT31 campaign targeting Czech Ministry of Foreign Affairs
  NUKIB confirms malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- 04.09.2025 23:04 · 2 articles · 12 days ago
  Czech Republic Warns of Data Exfiltration to China via Local Products and Services
  NUKIB has reassessed the risk of significant disruptions caused by China, now rating it as 'High'. The agency confirms malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Czech Cybersecurity Act requires critical infrastructure entities to adopt security measures to mitigate risks associated with Chinese technology. NUKIB warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and medical devices manufactured by Chinese firms. The warning is not legally binding for the general public, but NUKIB recommends evaluating the products used by Czech nationals.
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
Information Snippets
- NÚKIB warned about the transfer of system and user data to China via certain products and services.
  First reported: 04.09.2025 23:04 · 2 sources, 2 articles
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- The advisory highlights the risk of data misuse by state, military, or political interests in China.
  First reported: 04.09.2025 23:04 · 2 sources, 2 articles
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- China's National Security Law requires companies to share data with the state, raising concerns about national security.
  First reported: 04.09.2025 23:04 · 2 sources, 2 articles
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- The Czech government previously accused China of targeting its critical infrastructure through APT31.
  First reported: 04.09.2025 23:04 · 2 sources, 2 articles
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- China has been involved in large-scale telco attacks and positioning for destructive cyberattacks.
  First reported: 04.09.2025 23:04 · 1 source, 1 article
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
- CrowdStrike reported a 150% year-over-year increase in Chinese intrusion activity and a 40% jump in cloud-targeting operations.
  First reported: 04.09.2025 23:04 · 1 source, 1 article
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
- The Chinese Communist Party regularly interferes in all areas of civil society.
  First reported: 04.09.2025 23:04 · 2 sources, 2 articles
  Sources:
  - Czech Warning Highlights China Stealing User Data · www.darkreading.com · 04.09.2025 23:04
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- NUKIB has reassessed the risk of significant disruptions caused by China, now rating it as 'High'.
  First reported: 07.09.2025 17:09 · 1 source, 1 article
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- NUKIB confirms malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.
  First reported: 07.09.2025 17:09 · 1 source, 1 article
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- The Czech Cybersecurity Act requires critical infrastructure entities to adopt security measures to mitigate risks associated with Chinese technology.
  First reported: 07.09.2025 17:09 · 1 source, 1 article
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- NUKIB warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and medical devices manufactured by Chinese firms.
  First reported: 07.09.2025 17:09 · 1 source, 1 article
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
- The warning is not legally binding for the general public, but NUKIB recommends evaluating the products used by Czech nationals.
  First reported: 07.09.2025 17:09 · 1 source, 1 article
  Sources:
  - Czech cyber agency warns against Chinese tech in critical infrastructure · www.bleepingcomputer.com · 07.09.2025 17:09
Similar Happenings
Espionage campaign targets Eastern Asia using hijacked Sogou Zhuyin update server
An espionage campaign, codenamed TAOTH, has been targeting users in Eastern Asia since June 2025. The attackers hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME) software to distribute multiple malware families, including C6DOOR and GTELAM. The campaign primarily targets dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The attackers took control of the lapsed domain name associated with Sogou Zhuyin in October 2024 and used it to disseminate malicious payloads. The malware families deployed serve various purposes, including remote access, information theft, and backdoor functionality. The attack chain begins with users downloading the official installer for Sogou Zhuyin, which triggers a malicious update process. The campaign has impacted several hundred victims, with Taiwan accounting for 49% of all targets. The attackers also leveraged third-party cloud services to conceal their network activities.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory attributes this cluster of activity to multiple advanced persistent threats (APTs), which partially overlap with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may also target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises
Threat actors, including the China-linked APT41 group, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts by exploiting VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity. The attackers deleted phishing emails and created obfuscated email rules to conceal their activities. The use of VPS infrastructure enables attackers to rapidly deploy infrastructure, making it difficult for defenders to track and respond to threats. The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials. The campaign involved spear-phishing attacks impersonating a U.S. Congressman to gain unauthorized access to systems and sensitive information. The attacks exploited developer tools to create hidden pathways and siphon data to attacker-controlled servers.
Crypto24 Ransomware Bypasses EDR Solutions in Targeted Attacks
Crypto24 ransomware actors are using advanced evasion techniques and custom tools to disable endpoint detection and response (EDR) solutions, including Trend Micro's Vision One platform. These attacks target large enterprises across financial services, manufacturing, entertainment, and tech industries in Asia, Europe, and the US. The threat actors leverage legitimate tools and custom variants of RealBlindingEDR to neutralize security controls and maintain persistence. The attacks demonstrate significant technical expertise and strategic planning, posing a considerable risk to enterprise security. Organizations are advised to strengthen access controls, implement anti-tampering measures, and regularly audit privileged accounts to mitigate the threat.