Hackers hit sensitive targets like finance ministries in over 37 nations in vast spying plot
Hackers spied on e-mails, financial dealings and communications about military and police operations, according to a new cybersecurity report.
SAN FRANCISCO – A cyberespionage group has spent the past year breaking into computer systems belonging to governments and critical infrastructure organisations in more than 37 countries, according to cybersecurity firm Palo Alto Networks.
The state-aligned attackers have infiltrated the networks of 70 organisations, including five national law enforcement and border control agencies, according to a new research report from the company.
They have also breached three ministries of finance, one country’s Parliament and cybersecurity linked to a senior elected official in another, the report stated. The Santa Clara, California-based company declined to identify the hackers’ country of origin.
The spying operation was unusually vast and allowed the hackers to gather sensitive information in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest and military actions, according to the report.
They used that access to spy on e-mails, financial dealings and communications about military and police operations, the report stated. The hackers also stole information about diplomatic issues, lurking undetected in some systems for months.
“They use highly targeted and tailored fake e-mails and known, unpatched security flaws to gain access to these networks,” said Mr Pete Renals, director of national security programmes with Unit 42, the threat intelligence division of Palo Alto Networks. “Espionage appears to be the main motivation behind these attacks as the actors frequently seek access to e-mail communications and other sensitive data.”
The US Cybersecurity and Infrastructure Security Agency (CISA) said it was aware of the campaign. The agency is working with its partners to stop hackers from exploiting any of the vulnerabilities identified in the report, said Mr Nick Andersen, CISA’s executive assistant director for cybersecurity.
Palo Alto Networks researchers confirmed that the group successfully accessed and exfiltrated sensitive data from some victims’ e-mail servers.
The company said it notified the victims and offered them assistance. It also identified some of them in its report, an unusual step for a cybersecurity company.
China link
Some of the hackers’ actions coincided with issues and events of particular import to the government of China.
One suspected breach came the day after US military and law enforcement captured Venezuelan leader Nicolas Maduro.
As early as Jan 4, the hackers “likely compromised” a device associated with a facility operated by Venezolana de Industria Tecnologica, an organisation founded as a joint venture between Venezuela’s government and an Asian tech company, according to the report.
Another hacking campaign targeted government entities in the Czech Republic.
In July 2025, Czech President Petr Pavel met the Dalai Lama. In the following weeks, the hackers conducted reconnaissance on Czech government targets, including the army, the police, Parliament and Ministry of Foreign Affairs, according to the report.
The Chinese Embassy in Prague had previously rejected allegations about attacks against the Czech Republic as “unsubstantiated”.
The hacking group also compromised the Ministry of Mines and Energy of Brazil, a major supply base of rare earth mineral reserves, the cybersecurity company’s report said. In October, US diplomats held meetings with mining executives in the country. An official at the ministry with knowledge of the matter said it had not identified an attack.
The hackers are also suspected of being active in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama and other countries, according to the report.
The Chinese government recently prohibited companies in the country from using Palo Alto Networks’ products, along with security technology from more than a dozen other US and Israeli vendors, according to a government directive seen by Bloomberg News. BLOOMBERG