Palo Alto Networks opted not to tie China to a global cyberespionage campaign the firm exposed last week over concerns that the cybersecurity company or its clients could face retaliation from Beijing, according to two people familiar with the matter.
The sources said that Palo Alto’s findings that China was tied to the sprawling hacking spree were dialed back following last month’s news, first reported by Reuters, that Palo Alto was one of about 15 U.S. and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds.
A draft version of the report by Palo Alto’s Unit 42, the company’s threat intelligence arm, said that the prolific hackers – dubbed “TGR-STA-1030” in a report published on Thursday of last week – were connected to Beijing, the two people said. The finished report instead described the hacking group more vaguely as a “state-aligned group that operates out of Asia.”
Attributing sophisticated hacks is notoriously difficult and debates over how best to assign blame for digital intrusions are common among cybersecurity researchers. But Palo Alto has attributed hacks to China in the past, including as recently as this past September, and the sources told Reuters that Unit 42’s researchers were confident, based on a wealth of forensic clues, that the newly uncovered hacking campaign was tied to China too.
The change, the sources said, was ordered by Palo Alto executives because they were concerned by the software ban and feared drawing retaliation from Chinese authorities, either against the company’s personnel in China or its clients elsewhere.
The sources did not identify which executives made the decision to soften the report’s conclusions or provide the precise language that had been in the report ahead of the change. They spoke on condition of anonymity as they were not authorized to discuss the matter.
Asked to comment on the allegedly softened language, Palo Alto issued a statement to Reuters that said in part: “Attribution is irrelevant.”
Palo Alto’s vice president of global communications, Nicole Hockin, said in subsequent emails to Reuters that the statement was meant to communicate that the lack of attribution in Palo Alto’s report was not correlated with “procurement regulations in China” and that any suggestion otherwise was “speculative and false.” She said the choice of language in Palo Alto’s report reflected “how to best inform and protect governments about this widespread campaign.”
The Chinese Embassy in Washington said it opposes “all forms of cyberattacks.” It added that attributing hacks was “a complex technical issue” and that it hoped “relevant parties will adopt a professional and responsible attitude, basing their characterization of cyber incidents on sufficient evidence, rather than unfounded speculation and accusations.”
‘THE SHADOW CAMPAIGNS’
Palo Alto first detected the hacking group TGR-STA-1030 in early 2025, according to the report. In a wide-ranging effort that Palo Alto dubbed “The Shadow Campaigns,” the spies allegedly conducted reconnaissance against nearly every country in the world and successfully broke into government and critical infrastructure organizations in 37 countries.
Although China was not mentioned by name, close readers of Palo Alto’s report might still come away with the impression that Beijing was involved. For example, the researchers noted that the hackers’ activity aligned with the GMT+8 time zone, which includes China, and that the hackers appeared to focus on Czechia’s government infrastructure following an August meeting between Czechia’s president and the Dalai Lama, Tibet’s spiritual leader whom Beijing has long regarded as a thorn in its side. The report also noted that the hackers targeted Thailand on November 5 ahead of a diplomatic “visit.” The details of the trip were not provided in the report, but the following week marked a reigning Thai king’s first state visit to Beijing.
Outside researchers who reviewed Palo Alto’s report said they had seen similar activity that they attributed to Chinese state-sponsored espionage operations.
“Our assessment is that this is part of a broader pattern of global campaigns linked to China that seek intelligence and persistent internal access to organizations of interest to” Beijing, said Tom Hegel, a senior threat researcher with SentinelOne.
Palo Alto says on its website that it has five offices in China, including locations in Beijing, Shanghai and Guangzhou. The professional networking site LinkedIn lists more than 70 self-identified Palo Alto employees across China, including engineers and account managers.
One academic said the incident illustrates the trade-offs cybersecurity companies – especially ones with global footprints – often face when they consider whether to call out state-sponsored cyberespionage campaigns. On the one hand, exposing foreign spies can draw industry plaudits and positive publicity. On the other hand, tangling with a foreign intelligence service can trigger reprisals.
“People have always taken risks by naming names,” said Thomas Rid, a professor at Johns Hopkins University who has studied the history of cyber attribution. “It was always unpleasant and if you have people on the ground, like large companies do, that’s an additional consideration. Are you putting your own people – your local staff – at risk?”
Topics
Cyber
China
Interested in Cyber?
Get automatic alerts for this topic.
