
State-aligned Asian espionage group breached 70 organisations across 37 countries

Palo Alto Networks Unit 42 revealed TGR-STA-1030 compromised government agencies, critical infrastructure, and national telecoms in an ongoing campaign. The group maintained access for months, exfiltrating financial data and military intel. Reconnaissance hit 155 countries between November and December 2025.

The Scale

A state-aligned cyber espionage group has compromised at least 70 government and critical infrastructure organisations across 37 countries, according to Palo Alto Networks Unit 42. The crew, tracked as TGR-STA-1030, maintained access to several victims for months while exfiltrating sensitive data.

Targets included five national police or border agencies, three finance ministries, one national parliament, and multiple telecommunications providers. Unit 42 confirmed the attackers stole financial negotiations, banking information, and military operational updates.

Between November and December 2025, the group conducted reconnaissance against 155 governments across the Americas, Europe, Asia, and Africa. In July 2025, they probed over 490 German government IP addresses in a concentrated operation.

The Methods

Entry vectors included phishing emails and exploitation of known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products. One February 2025 phishing campaign targeted European governments with lures about ministry reorganisation, hosting malicious files on mega.nz. An Estonian government entity uploaded a related archive to VirusTotal.

The group's toolkit includes a new Linux kernel rootkit, suggesting sophisticated capability development. Unit 42 Director Pete Renals said the team observed "active reconnaissance" but declined to name the sponsoring nation, referring only to an "Asia-based" actor.

The Context

This represents one of the largest state-sponsored espionage campaigns since SolarWinds in 2020. The US and UK appear unaffected. CISA confirmed it's tracking TGR-STA-1030 and coordinating with government and industry partners on vulnerability mitigation.

The group's operational security was notable. Victims included a power supplier in Taiwan and an Indonesian airline during US aircraft negotiations, suggesting intelligence collection aligned with economic and geopolitical interests including rare earth minerals and trade policy.

For infrastructure operators: the attackers used multi-tiered infrastructure and China Mobile IP addresses, according to Unit 42's technical analysis. The pattern suggests persistent access to critical systems went undetected for extended periods.

The reconnaissance phase alone, scanning 155 countries in two months, indicates significant resources and systematic targeting. CISA is coordinating patches, but the group remains active as of this report.
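The concentrated probing described above (hundreds of government IP addresses from one operation) is the kind of pattern a network defender can surface from ordinary connection logs before any intrusion succeeds. The following is an added example, not code from Unit 42 or from the report; it assumes a simple one-line-per-connection log format and a constructed sample log, and flags any source address that reaches an unusually large number of distinct destinations inside a short sliding window. The threshold and window are hypothetical tuning values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample connection log (not taken from the Unit 42 report).
# Assumed format per line: "<ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
_BASE = datetime(2025, 7, 3, 9, 0, 0, tzinfo=timezone.utc)


def _line(t, src, dst, port, action):
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} -> {dst}:{port} {action}"


SAMPLE_LOG = (
    # one source sweeping twelve hosts on 443 inside three minutes: a reconnaissance sweep
    [_line(_BASE + timedelta(seconds=15 * i), "203.0.113.7", f"192.0.2.{i + 1}", 443, "DENY")
     for i in range(12)]
    # a normal client alternating between two services: few distinct destinations
    + [_line(_BASE + timedelta(seconds=40 * i), "198.51.100.5",
             "192.0.2.10" if i % 2 else "192.0.2.20", 443, "ALLOW") for i in range(10)]
    # slow contact with ten hosts, one every fifteen minutes: never many inside one window
    + [_line(_BASE + timedelta(minutes=15 * i), "203.0.113.9", f"192.0.2.{50 + i}", 22, "DENY")
       for i in range(10)]
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, action); None for malformed input."""
    try:
        ts, src, arrow, dst_port, action = line.split()
        if arrow != "->":
            return None
        dst, port = dst_port.rsplit(":", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return when, src, dst, int(port), action
    except ValueError:
        return None


def find_scanners(lines, min_distinct_dsts=8, window=timedelta(minutes=5)):
    """Return {src_ip: peak distinct-destination count} for every source that touched at
    least `min_distinct_dsts` distinct destination IPs within some span of length `window`.
    Uses a sliding window per source so a slow, spread-out sweep is not over-counted."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than aborting the whole scan
        ts, src, dst, _port, _action = parsed
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                 # chronological order per source
        in_window = Counter()      # destination -> number of events currently in the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # evict events that fell out of the window as it slides forward
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_dsts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible reconnaissance from {src}: {count} distinct destinations in one window")
```

On the constructed sample only the fast sweep is reported; the alternating client and the slow, spread-out contact stay below the threshold. In practice the window and threshold should be set from a baseline of the network's own traffic, and denied connections from a single external source across many internal hosts are the events worth correlating with the external reconnaissance the report describes.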