{ "id": "a0187b11-df90-4ed0-b1a8-1f7d6d2d536c", "created_at": "2026-04-06T00:15:33.798587Z", "updated_at": "2026-04-10T03:37:22.738766Z", "deleted_at": null, "sha1_hash": "2576b9bec1b4429368bbf195f66ff9a750c33c8f", "title": "Chinese nation state hackers linked to Finnish Parliament hack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 832579, "plain_text": "Chinese nation state hackers linked to Finnish Parliament hack\r\nBy Sergiu Gatlan\r\nPublished: 2021-03-18 · Archived: 2026-04-05 20:21:48 UTC\r\nChinese nation-state hackers have been linked to an attack on the Parliament of Finland that took place last year and led to\r\nthe compromise of some parliament email accounts.\r\n\"Some parliament e-mail accounts may have been compromised as a result of the attack, among them e-mail accounts that\r\nbelong to MPs,\" Parliament officials said at the time.\r\nThe attack was detected by the Finnish Parliament's security team and is being investigated by the Finnish National Bureau\r\nof Investigation (NBI), with the help of the Security Police and the Central Criminal Police.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Last year, the Security Police has identified a state cyber-espionage operation against Parliament, which tried to infiltrate\r\nParliament's information systems,\" a statement issued today reads. \"According to intelligence from the Security Police, this\r\nwas the so-called APT31 operation.\"\r\nCentral Criminal Police Commissioner Tero Muurman added that further details regarding the attack will not be disclosed\r\nwhile the investigation is still ongoing.\r\n\"When the investigated criminal offenses are aggravated espionage, aggravated computer break-in, and aggravated message\r\ninterception everyone understands how serious offenses we are dealing with,\" Parliament Speaker Anu Vehviläinen said.\r\nAPT31 espionage campaigns\r\nAPT31 (also tracked as Zirconium and Judgment Panda) is a China-backed hacking group known for its involvement in\r\nnumerous information theft and espionage operations, working at the behest of the Chinese Government.\r\nAs BleepingComputer previously reported, this APT group has also been linked to the theft and repurposing of the EpMe\r\nNSA exploit years before Shadow Brokers publicly leaked it in April 2017.\r\nLast year, Microsoft observed APT31 attacks against international affairs community leaders and high-profile individuals\r\nassociated with the Joe Biden for President campaign.\r\nAPT31 was also spotted by Google while targeting \"campaign staffers’ personal emails with credential phishing emails and\r\nemails containing tracking links.\"\r\nNorwegian, German Parliaments targeted in similar attacks\r\nIn August 2020, Norway disclosed a strikingly similar incident that led to the compromise of several email accounts\r\nbelonging to Norwegian Parliament representatives and employees.\r\nIn October, Norway's Minister of Foreign Affairs Ine Eriksen Søreide revealed that the August attack was coordinated by\r\nRussian state hackers who stole data from each of the hacked email accounts.\r\nThe Norwegian Police Security Service later revealed that the Russian state-sponsored APT28 hacking group was likely\r\nbehind the intrusion.\r\nThe same month, Council of the European Union announced sanctions against multiple APT28 members for their\r\ninvolvement in the 2015 attack of the German Federal Parliament (Deutscher Bundestag) and the hacking of several\r\nparliament members' email accounts.\r\nThe US Cyber Command also shared info on malware implants used by Russian hacking groups in attacks targeting several\r\nnational parliaments, ministries of foreign affairs, and embassies.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/\r\nhttps://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/" ], "report_names": [ "chinese-nation-state-hackers-linked-to-finnish-parliament-hack" ], "threat_actors": [ { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "dc7ee503-9494-4fb6-a678-440c68fd31d8", "created_at": "2022-10-25T16:07:23.349177Z", "updated_at": "2026-04-10T02:00:04.552639Z", "deleted_at": null, "main_name": "APT 31", "aliases": [ "APT 31", "Bronze Vinewood", "G0128", "Judgment Panda", "Red Keres", "RedBravo", "TA412", "Violet Typhoon", "Zirconium" ], "source_name": "ETDA:APT 31", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "GrewApacha", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Roarur", "Sakula", "Sakula RAT", "Sakurel", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434533, "ts_updated_at": 1775792242, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2576b9bec1b4429368bbf195f66ff9a750c33c8f.pdf", "text": "https://archive.orkl.eu/2576b9bec1b4429368bbf195f66ff9a750c33c8f.txt", "img": "https://archive.orkl.eu/2576b9bec1b4429368bbf195f66ff9a750c33c8f.jpg" } }