**Hackers Hit Sensitive Targets in 37 Nations in Vast Spying Plot**

A cyber-espionage group believed to be based in Asia has been quietly infiltrating computer systems belonging to governments and critical infrastructure organizations across the globe for over a year, according to a new research report from Palo Alto Networks, Inc.

According to the report, the state-aligned attackers have compromised the networks of 70 organizations, including five national law enforcement and border control agencies. They have also breached three ministries of finance, one country's parliament, and a senior elected official in another. The hackers' targets span more than 37 countries, leaving a trail of sensitive information in their wake.

The spying operation was unusually vast and sophisticated, allowing the hackers to gather sensitive data in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest, and military actions. They used this access to spy on emails, financial dealings, and communications about military and police operations, according to the report.

"They use highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks," said Pete Renals, director of national security programs with Unit 42, the threat intelligence division of Palo Alto Networks. "Espionage appears to be the main motivation behind these attacks as the actors frequently seek access to email communications and other sensitive data."

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that it is aware of the campaign and is working with its partners to stop hackers from exploiting any of the vulnerabilities identified in the report. The agency's executive assistant director for cybersecurity, Nick Andersen, said, "We take these threats seriously and will continue to work with our international partners to protect against them."

Representatives of the FBI and CIA declined to comment on the matter. The NSA did not respond to a request for information.

The hackers' actions have coincided with issues and events of particular importance to the government of China. One suspected breach came just a day after US military and law enforcement captured Venezuelan leader Nicolas Maduro. As early as January 4, the hackers "likely compromised" a device associated with a facility operated by Venezolana de Industria Tecnológica, an organization founded as a joint venture between Venezuela's government and an Asian tech firm.

Venezolana de Industria Tecnológica did not respond to an email seeking comment.

Another hacking campaign targeted government entities in the Czech Republic. In July 2025, Czech President Petr Pavel met with the Dalai Lama. In the following weeks, the hackers conducted reconnaissance on Czech government targets, including the Army, police, Parliament, and Ministry of Foreign Affairs.

A spokesperson for the Czech cybersecurity agency, the National Cyber and Information Security Authority, said that such reconnaissance activity is common and doesn't automatically mean that hackers breached a system. The Chinese Embassy in Prague has previously rejected allegations about attacks against the Czech Republic as "unsubstantiated."

The hacking group also compromised the Ministry of Mines and Energy of Brazil, a major supply base of rare earth mineral reserves, according to the cyber firm's report. In October, US diplomats held meetings with mining executives in the country. The Ministry of Mines and Energy hasn't identified any abnormal traffic or suspicious attempts to breach the Ministry's systems, connections, or digital platforms.

The hackers are also suspected of being active in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama, and other countries, according to the report.

The Chinese government recently prohibited companies in the country from using Palo Alto Networks' products, along with security technology from more than a dozen other US and Israeli vendors, according to a government directive seen by Bloomberg News.

Palo Alto Networks researchers confirmed that the group successfully accessed and exfiltrated sensitive data from some victims' email servers. The company notified the victims and offered them assistance, also identifying some of them in its report, an unusual step for a cybersecurity firm.