{ "id": "559d6748-da71-4f18-8b83-dbbd0e9cde52", "created_at": "2026-04-06T00:13:42.786003Z", "updated_at": "2026-04-10T03:37:22.737366Z", "deleted_at": null, "sha1_hash": "372f2b2afaec02f4b8eb5c0841a4457f711ab4e3", "title": "Finland confirms APT31 hackers behind 2021 parliament breach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2345615, "plain_text": "Finland confirms APT31 hackers behind 2021 parliament breach\r\nBy Sergiu Gatlan\r\nPublished: 2024-03-26 · Archived: 2026-04-05 21:36:32 UTC\r\nImage: Midjourney\r\nThe Finnish Police confirmed on Tuesday that the APT31 hacking group linked to the Chinese Ministry of State Security\r\n(MSS) was behind a breach of the country's parliament disclosed in March 2021.\r\nSince then, a joint criminal investigation with the Finnish Security and Intelligence Service and international partners has\r\nlooked into multiple suspected offenses, including aggravated espionage, violation of communication secrecy, and breaking\r\ninto the Finnish Parliament's information systems.\r\nThis investigation has exposed a \"complex criminal infrastructure,\" according to Detective Chief Inspector Aku Limnéll of\r\nthe National Bureau of Investigation.\r\n\"It is suspected that the offences were committed between autumn 2020 and early 2021. The police have previously\r\ninformed that they investigate the hacking group APT31's connections with the incident,\" said the Finnish Police.\r\nhttps://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"These connections have now been confirmed by the investigation, and the police have also identified one suspect.\"\r\nAs Finnish Parliament officials said three years ago, when describing the incident as a \"state cyber-espionage operation\"\r\nbelieved to be linked to \"the so-called APT31 operation,\" the attackers gained access to multiple parliament email accounts,\r\nincluding some belonging to Finnish MPs.\r\nAPT31 sanctions and charges\r\nOn Monday, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two APT31 operatives\r\n(Zhao Guangzong and Ni Gaobin) who worked as contractors for Wuhan XRZ, an OFAC-designated front company used by\r\nthe Chinese MSS as cover in U.S. critical infrastructure attacks.\r\nThe United Kingdom also sanctioned Wuhan XRZ and the two APT31 hackers for breaching the GCHQ intelligence agency,\r\ntargeting U.K. parliamentarians, and hacking into the country's Electoral Commission systems.\r\nThe same day, the U.S. Justice Department charged Zhao Guangzong, Ni Gaobin, and five other defendants (i.e., Weng\r\nMing, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang) for their involvement in Wuhan XRZ operations over a span\r\nof at least 14 years.\r\nThe State Department is now also offering rewards of up to $10 million for information on Wuhan XRZ and APT31 that\r\ncould help locate and/or apprehend any of the seven Chinese MSS hackers.\r\nIn July 2021, the U.S. and its allies, including NATO, the European Union, and the U.K., blamed the Chinese MSS-linked\r\nAPT40 and APT31 threat groups for an extensive Microsoft Exchange hacking campaign.\r\nAPT31 (aka Zirconium and Judgment Panda) is known for numerous information theft and espionage operations and its\r\ninvolvement in the theft and repurposing of the EpMe NSA exploit years before Shadow Brokers leaked it in April 2017.\r\nFour years ago, Microsoft observed APT31 attacks targeting high-profile individuals associated with Joe Biden's presidential\r\ncampaign. Around the same time, Google spotted them while targeting \"campaign staffers' personal email\" accounts with\r\ncredential phishing emails.\r\nhttps://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/\r\nhttps://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/" ], "report_names": [ "finland-confirms-apt31-hackers-behind-2021-parliament-breach" ], "threat_actors": [ { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "dc7ee503-9494-4fb6-a678-440c68fd31d8", "created_at": "2022-10-25T16:07:23.349177Z", "updated_at": "2026-04-10T02:00:04.552639Z", "deleted_at": null, "main_name": "APT 31", "aliases": [ "APT 31", "Bronze Vinewood", "G0128", "Judgment Panda", "Red Keres", "RedBravo", "TA412", "Violet Typhoon", "Zirconium" ], "source_name": "ETDA:APT 31", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "GrewApacha", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Roarur", "Sakula", "Sakula RAT", "Sakurel", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434422, "ts_updated_at": 1775792242, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/372f2b2afaec02f4b8eb5c0841a4457f711ab4e3.pdf", "text": "https://archive.orkl.eu/372f2b2afaec02f4b8eb5c0841a4457f711ab4e3.txt", "img": "https://archive.orkl.eu/372f2b2afaec02f4b8eb5c0841a4457f711ab4e3.jpg" } }