
APT31

apt31 · primary source: MITRE · first observed 2009
CN · China · State-sponsored · High confidence · last cited May 27, 2025 · 12mo ago

PRC state-sponsored intrusion set publicly attributed to the Ministry of State Security's Hubei State Security Department, operating through the front company Wuhan Xiaoruizhi Science and Technology Company. UK and U.S. sanctioned named operators in March 2024 for a 14-year global cyberespionage campaign targeting elected officials, government critics, journalists, and democratic institutions. The Czech government publicly attributed a 2022-2024 intrusion of its Ministry of Foreign Affairs unclassified network to APT31 on 28 May 2025.

Aliases

  • Zirconium (Microsoft)
  • Violet Typhoon (Microsoft)
  • Judgment Panda (CrowdStrike)
  • Bronze Vinewood (Other)

Motivations

espionage

Target sectors

government · diplomatic · journalism · dissidents · ngo

Target countries

US · GB · CZ · NO · NZ · FI · DE · BE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT31
  • China
  • espionage
Infrastructure
Victim
  • government
  • diplomatic
  • journalism
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Timeline

5 events
  1. Announcement · High · 2025-05-28 · NUKIB (National Cyber and Information Security Agency, Czech Republic)

    Czech Republic publicly attributes multi-year MFA intrusion to APT31

    The Czech government, supported by NUKIB and three Czech intelligence services, publicly attributed a cyber-espionage campaign targeting an unclassified network of the Ministry of Foreign Affairs — designated critical infrastructure — to APT31, linked to China's Ministry of State Security. The intrusion is assessed to have run since at least 2022. The Chinese Ambassador was summoned and the EU and NATO issued statements of solidarity calling on China to adhere to UN norms of responsible state behaviour in cyberspace.

    attribution · czech-republic · mfa · eu-nato
  2. Sanction · High · 2024-03-25 · UK Foreign, Commonwealth & Development Office

    UK sanctions APT31 front company and operators over Electoral Commission breach and parliamentary targeting

    The UK Foreign, Commonwealth and Development Office sanctioned Wuhan Xiaoruizhi Science and Technology Company Limited along with Zhao Guangzong and Ni Gaobin, attributing two campaigns to APT31: a 2021-2022 compromise of the UK Electoral Commission that the NCSC assessed as highly likely conducted by a China state-affiliated actor, and a 2021 reconnaissance campaign against UK parliamentarians — many members of the Inter-Parliamentary Alliance on China. The Chinese Ambassador was summoned and 16 partner governments expressed support.

    sanction · uk · electoral-commission · ipac
  3. Sanction · High · 2024-03-25 · U.S. Department of the Treasury

    Treasury sanctions Wuhan XRZ front company and two APT31 hackers for targeting US critical infrastructure

    OFAC designated Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) — a Wuhan-based Ministry of State Security front company — along with Chinese nationals Zhao Guangzong and Ni Gaobin for their roles in APT31 cyber operations targeting US critical infrastructure. The designations were issued under Executive Order 13694, as amended, and were coordinated with a parallel UK sanctions package and a US Department of Justice indictment unsealed the same day in the Eastern District of New York charging seven APT31-affiliated nationals.

    sanction · ofac · mss · critical-infrastructure
  4. Indictment · High · 2024-03-25 · U.S. Department of Justice

    DOJ unseals indictment charging seven APT31 hackers tied to MSS Hubei State Security Department

    Federal prosecutors in the Eastern District of New York unsealed an indictment charging seven Chinese nationals — Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong — with conspiracy to commit computer intrusions and wire fraud as members of APT31, a hacking group operated by the MSS Hubei State Security Department in Wuhan. The 14-year campaign targeted US and foreign government officials, political dissidents, journalists, IPAC parliamentarians, defense contractors, and companies in aerospace, defense, telecommunications, and other sectors.

    indictment · doj · mss · hubei-ssd
  5. Report · High · 2020-09-10 · Microsoft

    Microsoft discloses Zirconium (APT31) targeting of 2020 US presidential campaign and international affairs community

    Microsoft's Customer Security & Trust team reported that Zirconium — the Microsoft alias for APT31 — had launched thousands of attacks between March and September 2020, resulting in nearly 150 compromises. The China-based group indirectly targeted the Joe Biden for President campaign via non-campaign email accounts of affiliated individuals, as well as academics at more than 15 universities and 18 international affairs organizations including the Atlantic Council and Stimson Center, using web-beacon reconnaissance tied to attacker-controlled domains.

    report · election-security · zirconium · microsoft

Indicators of compromise

0 indicators
No indicators of compromise have been cataloged for this actor yet.

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). APT31 — actor profile. Retrieved from https://threatintel.local/actors/apt31

latest cited activity · 2025-05-28