A cyberespionage operation compromised 37 governments worldwide

Unit 42, the threat intelligence division of the cybersecurity company Palo Alto Networks, published a report on February 5, 2026, detailing a cyberespionage campaign that compromised 70 institutions belonging to 37 governments worldwide. Likely state-sponsored, the threat actor, of Asian origin, also conducted “reconnaissance operations” across 155 countries. All continents were affected.

“Given the scale of the phenomenon, this is probably the most extensive and significant compromise of government infrastructure carried out by a state-sponsored group since SolarWinds,” said Pete Renals, Director of National Security Programs for Unit 42.

Among the compromised targets were public telecommunications companies, police services, counterterrorism departments, as well as numerous ministries—including the Ministries of the Interior, Foreign Affairs, Economy, Immigration, Justice, Mines, and Energy. Active since at least January 2024, the malicious infrastructure relied on a wide range of malware and intrusion techniques, adapted to the specific vulnerabilities of each target.

The attackers also adjusted their cyberespionage operations to major global geopolitical events. During the U.S. government shutdown in October 2025, they focused their activities on countries across the American continent. Following the capture of Venezuelan President Nicolás Maduro by the U.S. military in January 2026, the group carried out a “reconnaissance mission” against 140 IP addresses linked to the Venezuelan government.

Confirmed victims include institutions in Bolivia, Brazil, Germany, the Czech Republic, Cyprus, Greece, Estonia, as well as countries in the South China Sea region, notably Thailand and Vietnam.