Hackers Target Sensitive Sites in 37 Countries in Global Espionage Campaign

A large state-aligned hacking group has secretly infiltrated government and critical infrastructure networks across at least 37 countries, according to a detailed investigation by cybersecurity company Palo Alto Networks and its threat intelligence team Unit 42.

Researchers say the campaign lasted more than a year and compromised at least 70 organizations worldwide, including national law enforcement agencies, finance ministries, and even a national parliament. The company did not publicly attribute the attacks to a specific country, but described the attackers as operating from Asia.


What Was Compromised

The attackers focused on intelligence gathering rather than sabotage.
Investigators found they accessed sensitive information such as:

  • Government emails and internal communications
  • Financial and economic data
  • Diplomatic negotiations
  • Police and military operations
  • Trade and natural resource information

In multiple cases, hackers stayed inside systems for months without detection.

Security researchers say this type of operation is known as cyber espionage. The goal is long-term surveillance, not immediate disruption.


How the Hack Worked

The attackers relied on a combination of well-known but effective methods:

  1. Spear phishing emails tailored to specific officials
  2. Exploiting unpatched software vulnerabilities
  3. Moving laterally inside networks after entry
  4. Accessing email servers to extract confidential data

Importantly, investigators found no evidence of advanced zero-day exploits. Instead, the hackers abused existing security weaknesses that organizations failed to patch in time.


Timing Linked to Geopolitical Events

Researchers noticed the activity often coincided with politically sensitive events, suggesting intelligence gathering rather than random targeting.

Examples included:

  • Government institutions in Europe monitored after diplomatic meetings involving the Dalai Lama
  • Brazil’s Ministry of Mines and Energy targeted amid global competition for rare earth minerals
  • Activity connected to trade agreements and diplomatic negotiations in several countries

This pattern indicates the attackers were collecting economic and strategic intelligence.


Global Reach

The campaign affected countries across multiple regions including Europe, Asia, and the Americas.
Investigators also observed reconnaissance scanning against infrastructure in 155 countries, meaning many more nations may have been future targets.

Security experts say the scale makes it one of the largest state-sponsored cyber-espionage campaigns since the SolarWinds incident.


Government Response

The United States Cybersecurity and Infrastructure Security Agency confirmed it is aware of the campaign and is working with international partners to reduce vulnerabilities.

Palo Alto Networks said it notified victims and shared defensive guidance with governments and industry partners.


Why This Matters

Cyber espionage has become a central tool in modern geopolitics. Instead of traditional spies, countries increasingly gather intelligence by quietly accessing digital communications.

Unlike ransomware attacks, these operations aim to remain hidden for as long as possible. That makes them harder to detect and potentially more damaging because diplomatic, economic, and security strategies can be exposed without victims realizing it.

Organizations are strongly advised to patch software regularly and train staff to identify targeted phishing messages, which remain the primary entry point for advanced attackers.


Sources

Palo Alto Networks Unit 42 report “Shadow Campaigns”
Bloomberg, Reuters, TechRepublic, The Record, Cybersecurity Dive, Axios, SC Media, Economic Times, The Register
