Palo Alto Networks softened language linking China to a global cyberespionage campaign amid fears of retaliation
US cybersecurity major Palo Alto Networks diluted references to China in a recent report on a sweeping global cyberespionage campaign, amid concerns about potential retaliation from Beijing, Reuters reported on Thursday, citing people familiar with the matter.
The company’s threat intelligence division, Unit 42, last week published findings on a hacking cluster it tracks as “TGR-STA-1030.” While an earlier draft of the report allegedly linked the activity to Beijing, the final public version described the perpetrators more cautiously as a “state-aligned group that operates out of Asia,” Reuters reported.
The Reuters report said that the language was softened following news last month that Chinese authorities had banned software from around 15 US and Israeli cybersecurity firms, including Palo Alto, on national security grounds. The concern, Reuters reported, was that explicitly naming China could expose the company, its employees, or its global clients to retaliatory action.
Palo Alto declined to directly address whether the report’s language had been revised. In a statement to Reuters, the company said: “Attribution is irrelevant.” Nicole Hockin, the firm’s vice president of global communications, later clarified that the absence of explicit attribution was not connected to Chinese procurement restrictions and called suggestions to the contrary “speculative and false.” She said the wording was chosen to best inform and protect governments about the campaign.
‘The Shadow Campaigns’
Unit 42 said it first identified the group in early 2025 and described the broader operation as “The Shadow Campaigns.” According to the report, the hackers conducted reconnaissance across nearly every country and successfully infiltrated government and critical infrastructure entities in 37 nations.
Although China was not named, the report included details that some analysts view as suggestive. The researchers noted that the attackers’ operational activity aligned with the GMT+8 time zone, which includes China. They also observed that Czech government infrastructure was targeted following an August meeting between the Czech president and the Dalai Lama—a figure Beijing considers politically sensitive. Thailand was reportedly targeted ahead of a diplomatic visit in November, which coincided with the Thai monarch’s first state visit to Beijing the following week.
External cybersecurity researchers reviewing the findings told Reuters they had observed similar activity patterns previously attributed to Chinese state-backed espionage campaigns. Tom Hegel, senior threat researcher at SentinelOne, said his assessment aligned the campaign with broader operations linked to Beijing seeking persistent intelligence access.
The Chinese Embassy in Washington told Reuters that China opposes all forms of cyberattacks and described cyber attribution as a “complex technical issue,” urging parties to base assessments on sufficient evidence rather than speculation.