Finland Says Chinese Hackers Responsible for 2020 Breach
Officials Offer Few Details on Incident, But Say It Was the Work of APT31
Finland's Security and Intelligence Service now believes that a 2020 hacking incident targeting the country's Parliament was the work of the China-linked advanced persistent threat group APT31, also known as Zirconium.
"Last year, the Security Police has identified a state cyberespionage operation against Parliament, which tried to infiltrate Parliament's information systems. According to intelligence from the Security Police, this was the so-called APT31 operation," the Finnish Security and Intelligence Service says in a translated statement.
The agency did not offer any details on how it concluded that APT31 was behind the incident. It noted that it had requested that Finland's Transport and Communications Agency investigate the incident. That agency, which handles the nation's cybersecurity effort, has not responded to Information Security Media Group's request for additional information.
The Finnish Security and Intelligence Service says it has provided the Parliament's IT team with information enabling it to identify any follow-up attacks. The governing body also was instructed to improve its cybersecurity posture.
2020 Finnish Parliament Attack
The Finnish National Bureau of Investigation reported the original strike against the Finnish Parliament in early December 2020 and publicly announced it later that month, noting at the time that the incident likely began in the fall of 2020. The NBI said the attacker gained entry into the Finnish Parliament's network and accessed the email system, compromising accounts that belonged to Parliament members.
At the time, the police did not attribute the attack to any cybercriminal group or nation-state actor but said they believed the hack was an act of espionage (see: Finnish Officials Investigate Hack of Lawmakers' Email).
"The act is not accidental. At this stage, one alternative is that unknown [actors] have been able to obtain information through the hacking, either for the benefit of a foreign state or to harm Finland," said Tero Muurman, detective superintendent of Finland's National Bureau of Investigation.
The Finnish attack took place around the same time that Norwegian officials were blaming the Russia-linked APT28, or Fancy Bear, for a summer 2020 attack that compromised the email accounts of several Norwegian elected officials and government employees. In that case, the attacker used a brute-force technique to obtain email login credentials (see: Norway Says Russia-Linked APT28 Hacked Parliament).
Security firm FireEye says APT31, which it believes to be associated with China, targets multiple sectors, including government, international financial, aerospace and defense organizations. The group has also been known to hit high-tech, construction and engineering, telecommunications, media and insurance firms.
"APT31 is a China-nexus cyberespionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages," FireEye says.
APT31 usually exploits vulnerabilities in applications such as Java and Adobe Flash and then installs a range of malware such as the remote access Trojan Sogu, also known as PlugX, researchers say.
In October 2020, Google's Threat Analysis Group reported APT31 was conducting attacks centered on the U.S. presidential election and had targeted Joe Biden and Donald Trump campaign staffers with credential phishing emails that contained tracking links. Google also noticed APT31 attempting to deploy targeted malware campaigns during this period.
That same month, Zscaler's ThreatLabZ attributed to APT31 an August 2020 attack that deployed MSI binaries and used a COVID-19 social engineering ploy.