An Asian cyber-espionage group has spent the past year breaking into computer systems belonging to governments and critical infrastructure organizations in more than 37 countries, according to the cybersecurity firm Palo Alto Networks, Inc.
The state-aligned attackers have infiltrated networks of 70 organizations, including five national law enforcement and border control agencies, according to a new research report from the company.They have also breached three ministries of finance, one country’s parliament and a senior elected official in another, the report states. The Santa Clara, California-based firm declined to identify the hackers’ country of origin.
The spying operation was unusually vast and allowed the hackers to hoover up sensitive information in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest and military actions, according to the report.
They used that access to spy on emails, financial dealings and communications about military and police operations, the report states. The hackers also stole information about diplomatic issues, lurking undetected in some systems for months.
“They use highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks,” said Pete Renals, director of national security programs with Unit 42, the threat intelligence division of Palo Alto Networks. “Espionage appears to be the main motivation behind these attacks as the actors frequently seek access to email communications and other sensitive data.”
The US Cybersecurity and Infrastructure Security Agency said it was aware of the campaign. The agency is working with its partners to stop hackers from exploiting any of the vulnerabilities identified in the report, said Nick Andersen, CISA’s executive assistant director for cybersecurity.
Representatives of the FBI and CIA declined to comment. The NSA didn’t respond to a request for comment.
Palo Alto Networks researchers confirmed that the group successfully accessed and exfiltrated sensitive data from some victims’ email servers. The company said it notified the victims and offered them assistance. It also identified some of them in its report, an unusual step for a cybersecurity firm.
Some of the hackers’ actions coincided with issues and events of particular import to the government of China.
One suspected breach came the day after US military and law enforcement captured the Venezuelan leader Nicolas Maduro.
As early as January 4, the hackers “likely compromised” a device associated with a facility operated by Venezolana de Industria Tecnológica, an organization founded as a joint venture between Venezuela’s government and an Asian tech firm, according to the report. Venezolana de Industria Tecnológica didn’t respond to an email seeking comment.
Another hacking campaign targeted government entities in the Czech Republic.
In July 2025, Czech President Petr Pavel met with the Dalai Lama. In the following weeks, the hackers conducted reconnaissance on Czech government targets including the Army, police, Parliament and Ministry of Foreign Affairs, according to the report.
The Czech cybersecurity agency, the National Cyber and Information Security Authority, didn’t respond to a request for comment on the report. The Chinese Embassy in Prague has previously rejected allegations about attacks against the Czech Republic as “unsubstantiated.”
The hacking group also compromised the Ministry of Mines and Energy of Brazil, a major supply base of rare earth mineral reserves, the cyber firm’s report said. In October, US diplomats held meetings with mining executives in the country. An official at the ministry with knowledge of the matter said it hadn’t identified an attack.
The hackers are also suspected of being active in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama, Greece and other countries, according to the report.
The Chinese government recently prohibited companies in the country from using Palo Alto Networks’ products, along with security technology from more than a dozen other US and Israeli vendors, according to a government directive seen by Bloomberg News.
Photograph: Attendees watch a presentation at the Palo Alto Networks booth during the RSA Conference in San Francisco, California, on Wednesday, April 26, 2023. Photo credit: David Paul Morris/Bloomberg
Copyright 2026 Bloomberg.
Topics
Cyber
Interested in Cyber?
Get automatic alerts for this topic.
