Asian Cyber Espionage Campaign Breached 37 Countries


A sprawling cyber espionage campaign linked to an Asian state-aligned hacking group has compromised government agencies and critical infrastructure in 37 countries.


Palo Alto Networks noted that the activity affected at least 70 organizations over the past year, including ministries responsible for trade, energy, finance, border control, and diplomacy. Security researchers say the scale and economic focus of the operation are striking, with attackers appearing to collect intelligence tied to rare earth minerals, trade negotiations, and geopolitical relationships.

The campaign underscores how state-backed cyber operations continue to expand quietly and pose long-term risks to governments and essential services worldwide.

A sweeping operation with global reach

According to Cybersecurity Dive, Palo Alto Networks said that the campaign was the most wide-reaching cyberespionage operation attributed to a single government hacking group since the 2020 SolarWinds breach.

The company tracked the activity as TGR-STA-1030 and described it as operating out of Asia, without naming a specific government.

“Its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services,” the report explained.

Axios noted that the attackers successfully breached five national law enforcement and border control agencies, three ministries of finance, and several other government agencies tied to diplomacy, trade, and natural resources.

Identified victims included the following:

  • Brazil’s Ministry of Mines and Energy
  • The parliament and army of the Czech Republic
  • A Mongolian police agency
  • An Indonesian government official
  • A Taiwanese power equipment supplier
  • National-level telecommunications companies

Peter Renals, principal security researcher in Palo Alto Networks’ Unit 42 threat intelligence team, told Axios that government agencies and critical infrastructure organizations in the US and UK weren’t affected.

Economic intelligence and geopolitical timing

Researchers said the timing of several intrusions strongly suggested an interest in economic and political intelligence, particularly around trade policy, rare earth minerals, and diplomatic relationships.

“They’re very much targeting and collecting and doing the espionage that they want, while staying right under that threshold of drawing too much attention,” Renals told Axios.

AOL also reported that in Honduras, hackers targeted hundreds of government IP addresses roughly a month before a presidential election in which candidates expressed interest in restoring diplomatic relations with Taiwan. In Mexico, malicious activity was detected against two ministers shortly after reports emerged about trade investigations tied to tariff proposals.

European governments were also heavily targeted. Palo Alto Networks said hackers increased reconnaissance against Czech government systems following a meeting between President Petr Pavel and the Dalai Lama.

“Weeks after the Czech Republic’s president met with the Dalai Lama, hackers began scanning the networks of the Czech military, the national police, the parliament, and multiple national government bureaus,” Cybersecurity Dive noted.

Separately, the group intensified its focus on Germany over the summer, targeting nearly 500 IP addresses connected to government infrastructure, according to reporting summarized by AOL.

Stealthy techniques and an ongoing threat

The attackers relied on phishing emails and exploitation of known software vulnerabilities to gain initial access, then moved laterally through compromised networks to maintain persistence.

Cybersecurity Dive said that the group has attempted to exploit vulnerabilities in Microsoft Exchange Server, SAP Solution Manager, and more than a dozen other products and services.

Researchers also identified a previously undocumented Linux kernel rootkit, dubbed ShadowGuard, which allowed attackers to hide malicious activity at the kernel level and evade detection by security tools.

Between November and December, the group scanned infrastructure in 155 countries, showing continued interest in future attacks. Palo Alto Networks said it notified affected governments and industry partners but warned the threat actor remains active.
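The reporting above describes the group's pattern of scanning target networks weeks before an intrusion while, in Renals' words, "staying right under that threshold of drawing too much attention." The following is an added example, not code from the article or from Palo Alto Networks, of the kind of check a defender can run over firewall logs to surface that reconnaissance: it counts how many distinct internal hosts each external source touches within a sliding time window. The log format, the IP addresses, the thresholds and the window sizes are all assumptions constructed for the example; the second call in the usage note shows why a short window alone misses a deliberately slow scan.

```python
"""Flag external sources that probe many distinct internal hosts in a window.

Added illustrative example; the log format ("timestamp src dst dport action"),
addresses, thresholds and windows are assumptions, not values from the report.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log. 203.0.113.7 sweeps ten hosts in under 30 s,
# 203.0.113.9 sweeps ten hosts one per hour, and 198.51.100.5 is a normal client.
SAMPLE_LOGS = """\
2025-07-01T10:00:01 203.0.113.7 192.0.2.10 22 DENY
2025-07-01T10:00:04 203.0.113.7 192.0.2.11 22 DENY
2025-07-01T10:00:07 203.0.113.7 192.0.2.12 22 DENY
2025-07-01T10:00:10 203.0.113.7 192.0.2.13 22 DENY
2025-07-01T10:00:13 203.0.113.7 192.0.2.14 22 DENY
2025-07-01T10:00:16 203.0.113.7 192.0.2.15 22 DENY
2025-07-01T10:00:19 203.0.113.7 192.0.2.16 22 DENY
2025-07-01T10:00:22 203.0.113.7 192.0.2.17 22 DENY
2025-07-01T10:00:25 203.0.113.7 192.0.2.18 22 DENY
2025-07-01T10:00:28 203.0.113.7 192.0.2.19 22 DENY
2025-07-01T00:15:00 203.0.113.9 192.0.2.20 445 DENY
2025-07-01T01:15:00 203.0.113.9 192.0.2.21 445 DENY
2025-07-01T02:15:00 203.0.113.9 192.0.2.22 445 DENY
2025-07-01T03:15:00 203.0.113.9 192.0.2.23 445 DENY
2025-07-01T04:15:00 203.0.113.9 192.0.2.24 445 DENY
2025-07-01T05:15:00 203.0.113.9 192.0.2.25 445 DENY
2025-07-01T06:15:00 203.0.113.9 192.0.2.26 445 DENY
2025-07-01T07:15:00 203.0.113.9 192.0.2.27 445 DENY
2025-07-01T08:15:00 203.0.113.9 192.0.2.28 445 DENY
2025-07-01T09:15:00 203.0.113.9 192.0.2.29 445 DENY
2025-07-01T10:00:05 198.51.100.5 192.0.2.50 443 ALLOW
2025-07-01T10:00:06 198.51.100.5 192.0.2.50 443 ALLOW
2025-07-01T10:00:07 198.51.100.5 192.0.2.50 443 ALLOW
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scanners(lines, window_seconds=60, host_threshold=8):
    """Return {src: peak distinct destination hosts seen within one window}
    for every source whose peak reaches host_threshold."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _dport, _action = parse_line(line)
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        start = 0
        in_window = defaultdict(int)  # dst -> number of events inside the window
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= host_threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("60 s window:", detect_scanners(lines))
    print("24 h window:", detect_scanners(lines, window_seconds=24 * 3600))
```

With the default one-minute window only the fast sweep from 203.0.113.7 is flagged; widening the window to a day also surfaces 203.0.113.9, whose one-host-per-hour pace is exactly the kind of low-and-slow reconnaissance that a short-window rule lets through. In practice both windows would run side by side, with the long one tuned for a lower false-positive rate.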

