An Asian cyber-espionage group has spent the past year breaking into computer systems belonging to governments and critical infrastructure organizations in more than 37 countries, according to the cybersecurity firm Palo Alto Networks, Inc.
The state-aligned attackers have infiltrated networks of 70 organizations, including five national law enforcement and border control agencies, according to a new research report from the company. They have also breached three ministries of finance, one country’s parliament and a senior elected official in another, the report states. The Santa Clara, California-based firm declined to identify the hackers’ country of origin.
Related: Cyber Firm Says ‘Moltbook’ Social Media Site for AI Agents Had Big Security Hole
The spying operation was unusually vast and allowed the hackers to hoover up sensitive information in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest and military actions, according to the report.
They used that access to spy on emails, financial dealings and communications about military and police operations, the report states. The hackers also stole information about diplomatic issues, lurking undetected in some systems for months.
“They use highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks,” said Pete Renals, director of national security programs with Unit 42, the threat intelligence division of Palo Alto Networks. “Espionage appears to be the main motivation behind these attacks as the actors frequently seek access to email communications and other sensitive data.”
Related: These Five Technologies Increase The Risk of Cyber Claims
The U.S. Cybersecurity and Infrastructure Security Agency said it was aware of the campaign. The agency is working with its partners to stop hackers from exploiting any of the vulnerabilities identified in the report, said Nick Andersen, CISA’s executive assistant director for cybersecurity.
Representatives of the FBI and CIA declined to comment. The NSA didn’t respond to a request for comment.
Palo Alto Networks researchers confirmed that the group successfully accessed and exfiltrated sensitive data from some victims’ email servers. The company said it notified the victims and offered them assistance. It also identified some of them in its report, an unusual step for a cybersecurity firm.
Some of the hackers’ actions coincided with issues and events of particular import to the government of China.
One suspected breach came the day after U.S. military and law enforcement captured the Venezuelan leader Nicolas Maduro.
As early as January 4, the hackers “likely compromised” a device associated with a facility operated by Venezolana de Industria Tecnológica, an organization founded as a joint venture between Venezuela’s government and an Asian tech firm, according to the report. Venezolana de Industria Tecnológica didn’t respond to an email seeking comment.
Another hacking campaign targeted government entities in the Czech Republic.
In July 2025, Czech President Petr Pavel met with the Dalai Lama. In the following weeks, the hackers conducted reconnaissance on Czech government targets including the Army, police, Parliament and Ministry of Foreign Affairs, according to the report.
The Czech cybersecurity agency, the National Cyber and Information Security Authority, didn’t respond to a request for comment on the report. The Chinese Embassy in Prague has previously rejected allegations about attacks against the Czech Republic as “unsubstantiated.”
The hacking group also compromised the Ministry of Mines and Energy of Brazil, a major supply base of rare earth mineral reserves, the cyber firm’s report said. In October, U.S. diplomats held meetings with mining executives in the country. The Ministry of Mines and Energy hasn’t identified any abnormal traffic or suspicious attempts to breach the Ministry’s systems, connections or digital platforms, a spokesperson said.
The hackers are also suspected of being active in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama, Greece and other countries, according to the report.
The Chinese government recently prohibited companies in the country from using Palo Alto Networks’ products, along with security technology from more than a dozen other US and Israeli vendors, according to a government directive seen by Bloomberg News.
Top photo: Attendees watch a presentation at the Palo Alto Networks booth during the RSA Conference in San Francisco, California, on Wednesday, April 26, 2023. The RSA Conference brings together industry leaders in the world of cybersecurity at their annual event in San Francisco. Bloomberg.
Copyright 2026 Bloomberg.
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.
