The Finnish Police, known as Poliisi, has officially implicated a state-sponsored actor from China, identified as APT31, in the cyber attack aimed at the Finnish Parliament that took place between late 2020 and early 2021. This development follows a lengthy and complex investigation involving in-depth analysis of the sophisticated criminal infrastructure that was employed in the attack.
The breach was first disclosed in December 2020, when the Finnish Security and Intelligence Service (Supo) characterized it as a state-sponsored cyber espionage operation specifically targeting Parliament's information systems. The criminal investigation has since established verified links between APT31 and the intrusion, and officials have confirmed that at least one suspect connected to the incident has been identified.
APT31, also referred to as various aliases such as Altaire and Judgement Panda, is a Chinese state-affiliated hacking group that has been active since at least 2010. The group has been previously linked to broad cyber espionage campaigns, and both the United Kingdom and the United States have recently attributed significant cyber operations against businesses and political entities to APT31.
In recent legal actions in the U.S., seven individuals associated with APT31 have been charged for their involvement in extensive hacking activities. Among those charged, Ni Gaobin and Zhao Guangzong have faced sanctions from both the U.S. and U.K. governments for their alleged roles, while the Chinese company Wuhan XRZ has also been implicated as a front company for these operations.
According to the U.S. Treasury's designation, Zhao Guangzong conducted numerous malicious cyber operations on behalf of the group, while Ni Gaobin provided support for many of those high-profile operations. The case underscores the persistent risk that advanced persistent threat groups such as APT31 pose to government networks and critical infrastructure, given their use of a broad set of tactics and of unpatched vulnerabilities to gain and maintain access.
In July 2021, the U.K. and U.S. governments attributed the exploitation of zero-day vulnerabilities in Microsoft Exchange Server to actors affiliated with China's Ministry of State Security, and the U.K. NCSC assessed APT31 to be one such MSS-affiliated group; the Exchange campaign was aimed at acquiring sensitive personally identifiable information and intellectual property from victims. Such activity maps onto the MITRE ATT&CK framework, whose tactics of Initial Access, Privilege Escalation, and Exfiltration describe the phases typically seen in state-sponsored intrusions of this kind.
In response to these allegations, China’s government has rejected claims of its involvement in cyber attacks against Western nations, suggesting that the accusations are merely disinformation disseminated by the Five Eyes intelligence alliance. Chinese officials have urged the U.S. and U.K. to cease politicizing cybersecurity and to refrain from imposing unilateral sanctions.
This incident highlights the ongoing and evolving threat that organizations face internationally from state-sponsored actors conducting sophisticated cyber operations. The consequences of such state-backed activity call for vigilance and proactive defensive measures from any organization, and particularly from those responsible for sensitive data or critical infrastructure.