The European Union is "ready to impose costs" on China in response to the cyberattack launched against the Czech Republic, High Representative Kaja Kallas has warned.
"This attack is an unacceptable breach of international norms. The EU will not tolerate hostile cyber actions, and we stand in solidarity with the Czech Republic," the bloc's foreign policy chief said on Wednesday afternoon.
Her comments came shortly after Prague revealed that it had identified the People's Republic of China as the state "responsible for (a) malicious cyber campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs", which the country has classified as "critical infrastructure".
According to the ministry, the campaign began in 2022 and was perpetrated by the Advanced Persistent Threat Group 31 (APT31), a collective of intelligence officers and contract hackers widely suspected of gathering intelligence on behalf of Beijing.
APT31 has been linked to thousands of sophisticated, hard-to-track attacks aimed at compromising government agencies, military organisations and private companies. The group is associated with the Chinese Ministry of State Security.
"Such behaviour undermines the credibility of the People's Republic of China and contradicts its public declarations," the Czech Foreign Ministry said.
The condemnation was echoed in a statement released by Kallas on behalf of the 27 member states, where she stressed that Brussels had been "repeatedly" raising cyberattack concerns with Beijing since at least 2021.
"We call upon all states, including China, to refrain from such behaviour, to respect international law and to adhere to the UN norms and principles, including those related to critical infrastructure," Kallas said.
"In this context, we reiterate that states should not allow their territory to be used for malicious cyber activities."
Paying the price
In a subsequent press conference related to the Black Sea, the High Representative upped the ante and openly threatened to slap sanctions in retaliation.
"We are determined to counter malicious behaviours in cyberspace," she told reporters in Brussels. "These threats are very serious."
"We will raise them with our Chinese counterparts as well," she went on. "We definitely remain ready to impose costs for these kinds of attacks."
Kallas did not specify which sort of sanctions could be introduced, simply noting they would be designed on a "case-by-case" basis as the bloc did in the past. Under EU rules, approving sanctions requires the unanimity of all member states, a threshold that is often hard to meet due to disparate views and strategies inside the room.
The accusations come amid intense speculation about an impending diplomatic reset between the EU and China prompted by US President Donald Trump's disruptive policies, which have hit hard allies and adversaries alike.
Although Brussels has recently softened its tone to highlight potential areas of cooperation with Beijing, multiple friction points remain unaddressed, most notably the overcapacity of low-cost industrial goods and the "no-limits" partnership established between Chinese President Xi Jinping and Russian President Vladimir Putin.
Last month, Kallas described China as the "key enabler" of Russia's war on Ukraine for supplying about 80% of the dual-use goods prohibited by Western allies.
"Without Chinese support, Russia wouldn't be able to wage the war in the amount that they are waging it," the High Representative said.
Cyberwarfare, together with foreign information manipulations and interference (FIMI), has been another long-running dispute in bilateral relations, with alarm over Beijing's forceful attempts to sway elections, spread propaganda and influence public opinion.
In a statement, NATO Secretary General Mark Rutte said: "The malicious cyber activity targeting the Czech Republic underscores that cyberspace is contested at all times."
