Asian Cyber-Spy Group Breaches 37 Governments in Global Hacking Campaign

A state-aligned cyber-espionage group based in Asia has run a large-scale global hacking campaign over the past year, compromising government networks in roughly 37 countries. The operation, detailed in a new report from cybersecurity firm Palo Alto Networks, has alarmed the international security community because of both its methods and its breadth.

Targets and Scale of the Espionage Operation

The primary targets were government departments and ministries, with a particular focus on functions central to national interests: trade, natural resources, border control, and diplomacy. The campaign also compromised one country's parliament and several national police organizations, a pattern consistent with a deliberate effort to reach key state functions rather than opportunistic targeting.

"Its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services," Palo Alto Networks stated in its comprehensive report published on Thursday. The firm emphasized that the scale of this campaign represents the largest cyber-espionage operation conducted by a state-aligned group since the notorious SolarWinds breach in 2020.

Motivation and Geographic Impact

According to Pete Renals, director of national security programs with Unit 42, Palo Alto Networks' threat intelligence division, espionage appears to have been the primary motivation. The intruders consistently sought access to sensitive email, the kind of material that yields negotiating positions and diplomatic intent rather than money.

The group, whose activity is tracked under the name "Shadow Campaigns," was first identified by Palo Alto Networks in early 2025 during investigations into phishing campaigns against European governments. Further analysis showed that it has been active since at least January 2024 and attributed it to a state-aligned entity based in Asia. That attribution rests on evidence such as language settings in the tooling, use of regionally specific tools, and the selection of targets that match regional intelligence interests.

Among the nations impacted by this campaign are:

  • Mexico
  • Brazil
  • Germany
  • Italy
  • India
  • Indonesia
  • Japan
  • Mongolia

In total, the campaign compromised 70 government organizations across those countries, which points to a coordinated, centrally tasked effort rather than a scattering of unrelated intrusions.

Specific Incidents and Political Context

The intrusions frequently coincided with specific geopolitical events. One campaign targeted the Czech Republic shortly after its president, Petr Pavel, met the Dalai Lama, whom the Chinese government condemns as a separatist. Months later, after reports that President Pavel would attend the Dalai Lama's 90th birthday gala, a further round of scanning was directed at the president's website, indicating a sustained interest in that relationship.

In Brazil, the group targeted the Ministry of Mines and Energy. That choice is notable given Brazil's position as a potential alternative supplier of rare earth minerals at a time when Asian companies are tightening their control over those resources, and it points to economic espionage aimed at global supply chains as much as at diplomacy.

Two Mexican ministries were affected, likely in connection with global trade negotiations, and government infrastructure in Panama was also compromised. Reconnaissance activity peaked on October 31, 2025, when connections were observed to at least 200 IP addresses hosting Government of Honduras infrastructure, only days before the country's election, in which candidates favoring a return to diplomatic relations with Taiwan were running.

European Focus and Broader Compromises

The group intensified its focus on Europe last year, with a concerted effort against Germany over the summer in which nearly 500 IP addresses tied to government infrastructure were probed. State entities in Cyprus, Greece, Poland, Portugal, and Serbia are also believed to have been compromised by the "Shadow Campaigns" activity.

U.S. Response and Security Measures

The U.S. government was not directly affected, but the Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged awareness of the attacks and is working with international partners to identify and patch the vulnerabilities the group exploited. Given the scale and evolving methods of the campaign, that coordination across governments is the practical means of closing the access the group already has and limiting repeat intrusions.