Supo identifies China-linked cyber-spying agent in Finnish Parliament hack

The National Bureau of Investigation believes the motive was to obtain information for the benefit of a foreign state.

According to Supo intelligence the APT31 cyber espionage operation tried to infiltrate Parliament's IT systems. Image: Silja Viitala / Yle

The Finnish Security and Intelligence Service (Supo) has identified a cyber espionage operation as being behind a cyber-attack on Finland’s Parliament last autumn. Some data security firms have linked the operation to the Chinese state.

In a press release on Thursday, the agency said that 2020 was a year of "exceptionally intensive cyber espionage operations both in Finland and elsewhere in Europe", which included the attempt to infiltrate Parliament’s IT systems.

The National Bureau of Investigation (NBI) said at the time that the attack was detected by the legislature’s internal technical surveillance and that the security of a number of parliamentary email accounts, some of which belonged to MPs, was compromised.

The NBI announced via a press release on Thursday that the matter is being investigated as a suspected aggravated computer break-in, aggravated espionage, and aggravated message interception.

In its own statement, Supo said that the state cyber espionage operation APT31 was responsible for the attack.

APT31 has previously been linked to China’s state cyber operations, for example by security companies such as Check Point and FireEye.

The NBI added that some indications of possible perpetrators were discovered during the analysis of material collected during the criminal investigation.

"We are investigating links to the APT31 group, but we will not disclose any details about the facts discovered as the criminal investigation is ongoing," Detective Superintendent Tero Muurman of the NBI said. "The motive is under investigation. We have not excluded the possibility that the purpose of the attack was to gather intelligence to benefit a foreign state or to harm Finland's interests."

Speaker of Parliament Anu Vehviläinen (Cen) said on Thursday that she considered it important that such a serious attack on Parliament had been traced.

"When the suspected crimes in an investigation are aggravated espionage, aggravated burglary, and aggravated breach of confidentiality, everyone understands how serious the matter is. Such activities are always an attack on our democracy and on Finnish society," Vehviläinen said.

Breach triggered extensive investigation

When a possible data breach was first suspected, Supo provided information to Parliament, on the basis of which Parliament's IT administration could identify possible further hacking attempts.

Parliament acted in accordance with the instructions it received and further strengthened its information security, Supo said.

Supo also provided information to the National Cyber Security Centre Finland (NCSC-FI) so that it could improve its own monitoring capabilities.

When Parliament's own technical report revealed that the IT systems had been breached, Supo assessed that the constituent elements of an aggravated offence were met and reported the case to the NBI.