Researchers from Palo Alto Networks reveal a large-scale, prolonged cyber-espionage operation targeting governments and vital sectors in over 37 nations, with signs of geopolitical timing and sophisticated attack methods.
A sweeping cyber‑espionage campaign operating out of Asia has compromised computer systems belonging to governments and critical infrastructure organisations in more than 37 countries, according to researchers at Palo Alto Networks. The firm reported the intrusions affected at least 70 organisations, including five national law enforcement or border control agencies, three finance ministries, a national parliament and a senior elected official, and said the operation persisted for many months in some networks. According to the report, the intrusions targeted sectors involved in diplomacy, trade policy and strategic resources. (2,3,4)
Palo Alto’s Unit 42 said the attackers relied on highly tailored spear‑phishing and exploitation of known, unpatched vulnerabilities to establish footholds. “They use highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks,” said Pete Renals, director of national security programmes with Unit 42. Researchers observed a toolkit that combined phishing lures with custom malware, web shells, Linux rootkits and a range of tunnelling and proxy tools. (2,3,6)
The firm confirmed the threat actor successfully accessed and exfiltrated sensitive data from victim email servers, seizing diplomatic correspondence, financial negotiations and information linked to military and police operations. Industry investigators noted the campaign focused on harvesting communications and economic intelligence rather than destructive activity, with long dwell times that allowed steady collection of material. (4,6)
Several intrusions appear to have been timed to geopolitical events. Palo Alto’s report highlights a suspected compromise following the capture of Venezuelan leader Nicolás Maduro and reconnaissance on Czech government networks after President Petr Pavel met the Dalai Lama, while an incident against Brazil’s Ministry of Mines and Energy coincided with diplomatic engagement by U.S. officials on mining and rare earths. The firm said its findings showed alignment between targeting and state interests. (2,3,5)
Attribution remains contested. Palo Alto Networks declined to assign the campaign to a specific nation in its public report, yet the company and other analysts track the group as TGR‑STA‑1030 (also known in some reporting as UNC6619) and point to markers consistent with a state‑aligned operator based in Asia: language settings, preferred tooling, GMT+8 activity windows and target selection. Other commentators have compared the scale of the operation to major past intrusions, calling it one of the largest espionage efforts since the 2020 SolarWinds breach. (3,6)
U.S. federal cyber authorities have acknowledged the activity. The Cybersecurity and Infrastructure Security Agency said it was aware of the campaign and was coordinating with partners to prevent exploitation of the vulnerabilities identified. Nick Andersen, CISA’s executive assistant director for cybersecurity, told researchers the agency is working with affected organisations to mitigate risk. Representatives of other U.S. intelligence agencies declined to comment publicly. (2,4)
Palo Alto said it notified impacted organisations and offered incident response assistance, and unusually named some victims in its report to prompt defensive action across affected sectors. Security analysts warned that the group’s continued reconnaissance, observed against infrastructure in more than 150 countries during late 2025, indicates the operation is expanding and that further targets may be scoped for future intrusion. (2,6)
The campaign underscores persistent risks for governments and companies that fail to prioritise patching and phishing defences, security experts said. Industry data show the attackers repeatedly exploited long‑standing vulnerabilities and relied on human‑targeted emails to bypass defences, reinforcing calls for accelerated vulnerability management, multi‑factor authentication and dedicated threat hunting in critical sectors. The researchers warned the group remains active and urged organisations handling diplomatic, trade and resource‑sensitive information to assume compromise and harden networks accordingly. (3,6)
Source Reference Map
Inspired by headline at: [1]
Sources by paragraph:
Source: Fuse Wire Services