Palo Alto Avoids Linking China to Hacking Campaign Due to Retaliation Concerns: Sources

Palo Alto Networks recently chose not to directly link China to a significant global cyberespionage campaign that the firm revealed last week. This decision stemmed from concerns that the cybersecurity company or its clients might face retaliation from Beijing, according to two sources familiar with the situation.
According to these sources, Palo Alto’s initial findings, which indicated a connection between China and the extensive hacking spree, were moderated after reports surfaced that the company was among approximately 15 U.S. and Israeli cybersecurity firms whose software had been banned by Chinese authorities on national security grounds.
A draft report from Palo Alto’s Unit 42, the company’s threat intelligence division, initially identified the prolific hackers—referred to as “TGR-STA-1030”—as being linked to Beijing. However, the final report described the group more ambiguously as a “state-aligned group that operates out of Asia.”
Attributing sophisticated hacks is notoriously challenging, and debates about how to assign blame for digital intrusions are common among cybersecurity experts. Palo Alto has previously attributed hacks to China, including a report from September. Sources indicated that Unit 42’s researchers were confident, based on extensive forensic evidence, that the newly uncovered hacking campaign was also linked to China.
The decision to soften the report’s conclusions was reportedly made by Palo Alto executives, who were concerned about the software ban and the potential for retaliation from Chinese authorities against the company’s personnel in China or its clients elsewhere.
While the sources did not disclose which executives made the decision to alter the report, they spoke on the condition of anonymity due to the sensitive nature of the matter. When asked about the softened language, Palo Alto issued a statement to Reuters asserting that “attribution is irrelevant.”
Palo Alto’s vice president of global communications, Nicole Hockin, later clarified in emails that the lack of attribution in the report was not related to “procurement regulations in China,” and any suggestion to the contrary was “speculative and false.” She emphasized that the language choice in the report aimed to “best inform and protect governments about this widespread campaign.”
The Chinese Embassy in Washington responded by opposing “all forms of cyberattacks,” stating that attributing hacks is “a complex technical issue.” They expressed hope that relevant parties would adopt a professional attitude, basing their characterizations on sufficient evidence rather than unfounded speculation.
‘THE SHADOW CAMPAIGNS’
Palo Alto first detected the hacking group TGR-STA-1030 in early 2025, as detailed in the report. This extensive effort, dubbed “The Shadow Campaigns,” allegedly involved reconnaissance against nearly every country globally, successfully infiltrating government and critical infrastructure organizations in 37 nations.
Although China was not explicitly mentioned, attentive readers might infer Beijing’s involvement. The report noted that the hackers operated within the GMT+8 time zone, which includes China, and focused on Czechia’s government infrastructure following a meeting between Czechia’s president and the Dalai Lama. Additionally, the hackers targeted Thailand ahead of a significant diplomatic visit, hinting at strategic motivations.
External researchers reviewing Palo Alto’s report noted similar activities attributed to Chinese state-sponsored espionage. “Our assessment is that this is part of a broader pattern of global campaigns linked to China that seek intelligence and persistent internal access to organizations of interest to” Beijing, stated Tom Hegel, a senior threat researcher with SentinelOne.
Palo Alto maintains five offices in China, including locations in Beijing, Shanghai, and Guangzhou, with over 70 self-identified employees listed on LinkedIn. This incident highlights the complex trade-offs cybersecurity companies face when deciding whether to expose state-sponsored cyberespionage campaigns. While naming foreign spies can garner industry recognition, it may also provoke retaliation.
“People have always taken risks by naming names,” remarked Thomas Rid, a professor at Johns Hopkins University. “If you have people on the ground, like large companies do, that’s an additional consideration. Are you putting your own people – your local staff – at risk?”