
The National Cyber and Information Security Agency of the Czech Republic (NÚKIB) has formally instructed organizations within the country’s critical infrastructure to stop using technology that transfers user data to servers located in the People’s Republic of China or its Special Administrative Regions, Hong Kong and Macau [1]. The warning, issued on September 3, 2025 and assessed at the “High” risk level, responds to confirmed cyber espionage campaigns and forms part of a broader, coordinated international effort to counter Chinese state-sponsored threats [2].
The warning extends beyond traditional IT infrastructure to a wide range of consumer and industrial Internet of Things (IoT) devices. NÚKIB specifically names smartphones, IP cameras, electric vehicles, large language models (LLMs), medical devices and, notably, the photovoltaic (PV) inverters used in solar installations as potential channels for data exfiltration or remote administration [1]. Entities regulated under the Czech Cybersecurity Act are obliged to take the warning into account in their risk analyses.
Legal Mandates and the Threat Landscape
NÚKIB’s technical advisory is grounded in an analysis of Chinese legal statutes that effectively erase the distinction between private companies and the state intelligence apparatus. The 2017 National Intelligence Law and the 2015 National Security Law require Chinese organizations and citizens to “support, assist, and cooperate with the state intelligence work” [3]. This legal environment is the primary driver of the warning: any Chinese technology company can be compelled to give state security services access to the data it holds on request.
Further compounding the risk are the 2021 Vulnerability Regulations, which require companies to report vulnerabilities they discover to the state authorities within two days and prohibit passing them to foreign entities [3]. In practice, a vendor’s knowledge of an exploitable flaw in a product deployed abroad can therefore reach state authorities before a fix reaches customers. The 2023 amendment to the Counter-Espionage Law expands the definition of espionage to cover any documents or data deemed related to national security, giving authorities broad latitude. Comparable obligations apply in Hong Kong under the 2024 Safeguarding National Security Ordinance and in Macau under its 2019 Cybersecurity Law, so data stored in those regions is equally accessible.
Attribution to APT31 and the Salt Typhoon Campaign
This warning rests on confirmed malicious activity, not on theoretical risk. NÚKIB attributes a recent campaign against the Czech Ministry of Foreign Affairs, with a “high degree of certainty”, to APT31, a group linked to China’s Ministry of State Security [3]. The incident fits a broader, sustained campaign exposed in a joint cybersecurity advisory from more than twenty international agencies, including the U.S. CISA, NSA and FBI, and NÚKIB itself [4].
The advisory, published on August 27, 2025, details a campaign by PRC state-sponsored actors to compromise critical infrastructure networks worldwide since at least 2021. The activity is tied to three Chinese technology companies: Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co. Ltd. and Sichuan Zhixin Ruijie Network Technology Co. Ltd. [4]. The campaign, which overlaps with industry reporting on the group tracked as **Salt Typhoon**, exploits known vulnerabilities in network edge devices such as routers and firewalls, for which patches were available, to gain long-term persistence, move laterally, and exfiltrate sensitive data including customer records and network authentication traffic. The practical corollary is that the patch status and configuration of internet-facing edge devices is the first thing to audit.
Industry-Specific Risks: The Case of Photovoltaic Inverters
A particularly illustrative example of embedded risk comes from the energy sector. NÚKIB’s warning specifically names Chinese-made photovoltaic (PV) inverters [1]. The concern is echoed in industry reports referencing a 2025 U.S. finding of undocumented (“rogue”) communication devices inside such inverters, which could provide hidden channels for data transmission or remote access [5]. It marks a shift in targeting toward the operational technology (OT) and industrial control systems (ICS) that underpin critical national infrastructure.
A compromised inverter gives a threat actor a foothold inside the energy provider’s OT network, and an undocumented radio gives it one that bypasses the perimeter firewall entirely. Because the device is an embedded system rather than a Windows host, the first steps are likely to be reconnaissance of the OT segment and a pivot to an engineering workstation or SCADA server; there, the standard post-exploitation techniques apply: dumping credentials from memory to harvest privileged accounts, using living-off-the-land binaries (LOLBins) such as `powershell` or `wmic` for lateral movement, and establishing a persistent command and control (C2) channel. The end state is exfiltration of operational data or, in the worst case, waiting for orders to take disruptive action, which for an inverter fleet includes control commands to the devices themselves.
International Coordination and Historical Precedent
The Czech warning is one component of a significant multinational effort to expose and counter Chinese cyber threats; the joint advisory is among the largest coordinated actions of its kind [4]. That context matters: the NÚKIB directive is not an isolated political statement but a technically grounded action backed by a coalition of intelligence and security agencies.
There is also a clear precedent. In 2018, NÚKIB issued a warning about the national security threat posed by telecommunications equipment from Huawei and ZTE [6]. That warning led to the exclusion of these vendors from a Czech tax portal tender and laid the policy foundation on which the current warning builds. The consistency of NÚKIB’s assessment across seven years underscores the persistent nature of the risk.
Relevance and Recommended Actions
For security professionals, this advisory is a reminder to widen the scope of third-party risk assessments. The threat is not limited to directly procured Chinese technology; it extends to any product or service in the supply chain that may incorporate such components. Organizations should build a complete inventory of all hardware and software that communicates with external servers, with particular attention to IoT and OT equipment, and record for each item where it sends data and over which path.
Network segmentation is the primary mitigation. Critical infrastructure networks should be logically separated from corporate IT, and industrial control systems placed in isolated zones with strict, default-deny firewall rules for both inbound and outbound traffic, so that a device can reach only the explicitly allowlisted destinations it needs. Monitoring outbound connections for anything outside that allowlist, and in particular for destinations in the regions the advisory names, is essential. Geolocation is a coarse signal, since vendor traffic is often relayed through cloud providers hosted elsewhere, so the allowlist violation should be the primary alert and the region the context. Deep packet inspection can help identify exfiltration disguised as normal traffic, with the caveat that device-to-cloud traffic is usually TLS-encrypted, so in practice it yields metadata (server names, certificate details, volumes and timing) rather than content.
Asset management must also include a software bill of materials (SBOM) for critical systems, so that embedded components and their origins are known. For devices such as PV inverters or medical IoT, block their internet access at the network perimeter unless cloud-based functionality is strictly necessary for core operations, and manage them instead over a segmented local management network. Where a device carries its own cellular uplink, perimeter rules cannot see that traffic, which is why the inventory must record every communication path, not only the Ethernet one.
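As an added illustration, not code from NÚKIB or the joint advisory, the following Python script applies that egress policy to a constructed firewall log. It treats 10.50.0.0/16 as the OT zone, a short allowlist as the only permitted destinations, and a fictional prefix-to-region map as a stand-in for a geo-IP database; every address, prefix and log line is an assumption made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed site layout (hypothetical): the OT/IoT zone and the RFC1918 space used internally.
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist: the only destinations an OT device may reach (historian, NTP, management net).
ALLOWED_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.50.250.10/32", "10.50.250.11/32", "10.10.0.0/24")]

# Constructed stand-in for a geo-IP feed, keyed on the jurisdictions the warning names.
# A real deployment loads a maintained database; these documentation prefixes are fictional.
FLAGGED_REGIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/25"): "HK",
    ipaddress.ip_network("198.51.100.128/25"): "MO",
}

# Matches the key=value fields of the constructed firewall log format below.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)")

# Constructed sample log: an inverter (10.50.1.23) and a camera (10.50.2.7) in the OT zone,
# plus one corporate host and one heartbeat line that carries no flow fields.
SAMPLE_LOG = [
    "2025-09-04T01:00:01Z fw1 action=accept src=10.50.1.23 dst=10.50.250.10 dport=502 bytes=1200",
    "2025-09-04T01:00:05Z fw1 action=accept src=10.50.1.23 dst=203.0.113.45 dport=443 bytes=48211",
    "2025-09-04T01:00:09Z fw1 action=accept src=10.50.2.7 dst=198.51.100.200 dport=8883 bytes=3300",
    "2025-09-04T01:00:12Z fw1 action=accept src=10.50.2.7 dst=192.0.2.77 dport=443 bytes=900",
    "2025-09-04T01:00:15Z fw1 action=accept src=10.50.1.23 dst=10.20.5.5 dport=445 bytes=700",
    "2025-09-04T01:00:20Z fw1 action=accept src=10.20.5.5 dst=203.0.113.9 dport=443 bytes=500",
    "2025-09-04T01:00:21Z fw1 heartbeat",
]


def region_of(ip):
    """Jurisdiction tag for an address, or None if it is not in a flagged prefix."""
    for net, region in FLAGGED_REGIONS.items():
        if ip in net:
            return region
    return None


def analyze(lines):
    """Return (src, dst, dport, bytes, reason) for each OT-zone flow that violates the egress policy."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # heartbeat or unparseable line
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if src not in OT_ZONE:
            continue  # the policy applies to traffic originating in the OT zone only
        if any(dst in net for net in ALLOWED_DESTINATIONS):
            continue  # permitted destination
        region = region_of(dst)
        if region:
            reason = f"egress to flagged region {region}"
        elif any(dst in net for net in INTERNAL_SPACE):
            reason = "cross-zone traffic outside management allowlist"
        else:
            reason = "internet egress not on allowlist"
        findings.append((str(src), str(dst), int(m["dport"]), int(m["bytes"]), reason))
    return findings


def volume_by_source(findings):
    """Bytes sent per OT device over policy-violating flows: a first cut at exfiltration volume."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes, _reason in findings:
        totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for src, dst, port, nbytes, reason in hits:
        print(f"{src} -> {dst}:{port} ({nbytes} B): {reason}")
    print("volume by source:", volume_by_source(hits))
```

Every flow that leaves the allowlist is reported regardless of region; the region tag only adds context. That ordering is deliberate: a vendor cloud fronted by infrastructure in a third country would never trip a pure geo-block, but it still trips the allowlist. Note also that the check uses an explicit RFC1918 list rather than Python’s `is_private`, which also counts the documentation ranges used here as private.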
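As an added example, not taken from the page’s sources, this Python script reviews a constructed CycloneDX SBOM for a hypothetical inverter firmware. It walks nested components and flags any whose supplier is on an organization-maintained in-scope list, any whose supplier or reference URLs point at a host under .cn, .hk or .mo, and any with no supplier recorded at all. The vendor names, hostnames and the in-scope list are fictional assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: an organization-maintained list of suppliers tagged as in scope of the warning (fictional).
IN_SCOPE_VENDORS = {"example inverter co (hypothetical)"}

# Jurisdictions the warning names, matched on the hostname of supplier and reference URLs.
FLAGGED_TLDS = (".cn", ".hk", ".mo")

# Constructed CycloneDX 1.5 SBOM for a hypothetical inverter firmware; all names and hosts are fictional.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "pv-inverter-fw", "version": "3.2.1"}},
  "components": [
    {"type": "firmware", "name": "inverter-base", "version": "3.2.1",
     "supplier": {"name": "Example Inverter Co (hypothetical)"},
     "components": [
       {"type": "library", "name": "cloud-telemetry-agent", "version": "1.4.0",
        "supplier": {"name": "Example Cloud Ltd (hypothetical)", "url": ["https://telemetry.example.cn/"]},
        "externalReferences": [{"type": "website", "url": "https://docs.example.cn/agent"}]},
       {"type": "library", "name": "openssl", "version": "3.0.13",
        "supplier": {"name": "OpenSSL Project"}}
     ]},
    {"type": "library", "name": "vendored-rtos-bsp", "version": "0.9",
     "externalReferences": [{"type": "distribution", "url": "https://mirror.example.org/bsp.tar.gz"}]}
  ]
}
"""
SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)


def _hosts(component):
    """Hostnames from supplier.url (a list in CycloneDX) and externalReferences[].url, deduplicated."""
    urls = list((component.get("supplier") or {}).get("url") or [])
    urls += [r["url"] for r in component.get("externalReferences") or [] if r.get("url")]
    return sorted({h.lower() for h in (urlparse(u).hostname for u in urls) if h})


def _walk(components, path=""):
    """Depth-first walk over nested CycloneDX components, yielding (path, component)."""
    for c in components or []:
        name = c.get("name", "?")
        full = f"{path}/{name}" if path else name
        yield full, c
        yield from _walk(c.get("components"), full)


def review_sbom(sbom):
    """Flag components with in-scope suppliers, flagged-TLD hosts, or no supplier at all."""
    findings = []
    for path, c in _walk(sbom.get("components")):
        reasons = []
        supplier = (c.get("supplier") or {}).get("name")
        if not supplier:
            reasons.append("no supplier recorded; provenance unknown")
        elif supplier.lower() in IN_SCOPE_VENDORS:
            reasons.append(f"supplier '{supplier}' is on the in-scope vendor list")
        for host in _hosts(c):
            if host.endswith(FLAGGED_TLDS):
                reasons.append(f"references host {host} under a flagged TLD")
        if reasons:
            findings.append({"component": path, "version": c.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_sbom(SAMPLE_SBOM):
        print(f"{f['component']} {f['version']}: " + "; ".join(f["reasons"]))
```

The missing-supplier case is deliberately a finding: an SBOM that cannot say where a component came from does not answer the question the warning asks. TLD matching is only a triage heuristic; ownership and hosting of the vendor’s infrastructure are what the risk assessment must establish.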
The directive from the Czech National Cyber and Information Security Agency represents a significant escalation in the global response to state-sponsored cyber espionage. By moving beyond vague warnings to a specific, legally mandated instruction for critical infrastructure, it provides an actionable framework for risk mitigation. The technical details behind the warning, from the exploitation of known vulnerabilities to the legal mandates that enable data access, form a clear case study for security teams worldwide. The event underscores the need for robust supply chain security, comprehensive asset management, and a defensive posture that assumes a constant threat from sophisticated, state-aligned adversaries.