Cyberwarfare / Nation-State Attacks , Forensics , Fraud Management & Cybercrime

Finland Says Chinese Hackers Responsible for 2020 Breach

Officials Offer Few Details on Incident, But Say It Was the Work of APT31
Finland Says Chinese Hackers Responsible for 2020 Breach
Finland's parliament building in Helsinki (Photo: Wikipedia)

Finland's Security and Intelligence Service now believes that a 2020 hacking incident that targeted the country's Parliament was the work of a China-linked advanced persistent threat group APT31, also known as Zirconium.

See Also: APAC Webinar | Mythbusting MDR

"Last year, the Security Police has identified a state cyberespionage operation against Parliament, which tried to infiltrate Parliament's information systems. According to intelligence from the Security Police, this was the so-called APT31 operation," the Finnish Security and Intelligence Service says in a translated statement.

The agency did not offer any details on how it concluded that APT31 was behind the incident. It noted that it had requested Finland's Transport and Communications Agency investigate the incident. This agency, which handles the nation's cybersecurity effort, has not responded to Information Security Media Group's request for additional information.

The Finnish Security and Intelligence Service says it has provided the Parliament's IT team with information enabling it to identify any follow-up attacks. The governing body also was instructed to improve its cybersecurity posture.

2020 Finnish Parliament Attack

The Finnish National Bureau of Investigation reported the original strike against the Finnish Parliament in early December 2020 and publicly announced it later that month, noting at the time that the incident likely began in the fall of 2020. The NBI said the attacker gained entry into the Finnish Parliament's network and accessed the email system, compromising accounts that belonged to Parliament members.

At the time, the police did not attribute the attack to any cybercriminal group or nation-state actor but said they believed the hack was an act of espionage (see: Finnish Officials Investigate Hack of Lawmakers' Email).

"The act is not accidental. At this stage, one alternative is that unknown [actors] have been able to obtain information through the hacking, either for the benefit of a foreign state or to harm Finland," said Tero Muurman, detective superintendent of Finland's National Bureau of Investigation.

The Finnish attack took place during the same time the Russian-linked APT28, or Fancy Bear, was being blamed by Norwegian officials for an attack during the summer of 2020 that compromised the email accounts of several Norwegian elected officials and government employees. In that case, the attacker used a brute-force technique to obtain email login credentials (see: Norway Says Russia-Linked APT28 Hacked Parliament).


Security firm FireEye says APT31, which it believes to be associated with China, targets multiple sectors, including government, international financial, aerospace and defense organizations. The group has also been known to hit high-tech, construction and engineering, telecommunications, media and insurance firms.

"APT31 is a China-nexus cyberespionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages," FireEye says.

APT31 usually exploits vulnerabilities in applications such as Java and Adobe Flash and then installs a range of malware such as the remote access Trojan Sogu, also known as PlugX, researchers say.

In October 2020, Google's Threat Analysis Group reported APT31 was conducting attacks centered on the U.S. presidential election and had targeted Joe Biden and Donald Trump campaign staffers with credential phishing emails that contained tracking links. Google also noticed APT31 attempting to deploy targeted malware campaigns during this period.

That same month, Zscaler's ThreatLabZ attributed to APT31 an August 2020 attack that deployed MSI binaries and used a COVID-19 social engineering ploy.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.