Hackers breach 37 countries in ongoing espionage campaign

Illustration: Aïda Amer/Axios
A massive cyberespionage campaign with ties to an Asian country has compromised at least 70 organizations across 37 countries in the last year, according to new research from Palo Alto Networks.
Why it matters: The campaign is the most wide-reaching cyberespionage operation attributed to a single government hacking group since the 2020 SolarWinds breach, researchers warned.
- The newly identified group successfully broke into five national law enforcement and border control entities, three ministries of finance, and several other government agencies focused on diplomacy, trade and natural resources.
- Among those compromised, per the report: Brazil's Ministry of Mines and Energy, the Czech Republic's parliament and army, an Indonesian government official and a Taiwanese power equipment supplier.
The intrigue: Palo Alto Networks stopped short of accusing any specific government, instead attributing the campaign to "a state-aligned group that operates out of Asia."
- The apparent strategic interests and some of the targets are similar to past Chinese government attacks.
The big picture: The hacking group — which Palo Alto Networks calls TGR-STA-1030 — relied on both traditional phishing emails and exploiting known vulnerabilities to break into organizations.
- Affected countries include Bolivia, Brazil, Mexico, Panama, Venezuela, Cyprus, Greece, Indonesia, Malaysia, Mongolia, Taiwan, Thailand, the Democratic Republic of the Congo, Djibouti and Zambia.
- Government agencies and critical infrastructure organizations based in the U.S. and U.K. weren't affected, Peter Renals, principal security researcher in Palo Alto Networks' Unit 42 threat intelligence team, told Axios.
- "They're very much targeting and collecting and doing the espionage that they want, while staying right under that threshold of drawing too much attention," Renals said.
Threat level: Palo Alto Networks observed the group scanning for vulnerabilities in infrastructure across 155 countries between November and December — indicating interest in future attacks.
- Once inside these organizations, the hackers leveraged their access to move laterally through the network and to establish persistence, giving them ways to return to the compromised network over time.
- Researchers also identified a previously undocumented Linux kernel rootkit that allows attackers to hide processes and files at the kernel level, making detection far more difficult.
- The report warned that the group's "methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services."
Zoom in: Unit 42 researchers said the timing of the intrusions suggests the campaign was focused on economic intelligence — particularly mining, rare earths, trade policy and diplomacy.
- Days after the U.S. operation that captured Venezuelan leader Nicolás Maduro, the threat actors were spotted conducting "extensive reconnaissance activities targeting at least 140 government-owned IP addresses," per the report.
- Shortly after Mexico News Daily reported on China initiating a trade investigation into Mexico's proposed plans to raise tariffs, researchers detected malicious traffic targeting two of Mexico's ministries.
- One month before the 2025 Honduran national elections, researchers observed the hackers targeting the government's infrastructure. Notably, both presidential candidates had expressed interest in restoring diplomatic relations with Taiwan.
- Weeks after Czech President Petr Pavel met with the Dalai Lama, the hackers also snooped around Czech government infrastructure tied to the country's army, police, parliament and ministries of interior, finance and foreign affairs.
What to watch: Palo Alto Networks has been in contact with the 37 affected countries and industry partners, but the company warned that the group is still active.
- In November, researchers saw the group scanning for weak points to break into Australia's Treasury Department, Afghanistan's Ministry of Finance and Nepal's Office of the Prime Minister, among others.
