Shadow Campaigns: Asia-Linked Espionage Group Breaches Government and Critical Infrastructure Networks Worldwide


A state-backed cyber espionage group has infiltrated dozens of government and critical infrastructure networks across 37 countries as part of a global operation known as “Shadow Campaigns.”
During November and December of last year, the threat actor also carried out large-scale reconnaissance against government-linked entities spanning 155 countries, significantly expanding its intelligence-gathering footprint.
Researchers from Palo Alto Networks’ Unit 42 report that the group has been operational since at least January 2024 and is believed, with high confidence, to be based in Asia. Until firm attribution is established, the actor is being tracked under the identifiers TGR-STA-1030/UNC6619.
The Shadow Campaigns activity has primarily targeted government ministries and agencies involved in law enforcement, border security, finance, trade, energy, mining, immigration, and diplomacy. Unit 42 confirmed successful compromises of at least 70 government and critical infrastructure organizations across 37 nations.
Impacted entities include organizations handling trade policy, geopolitical affairs, and election-related matters in the Americas; ministries and parliamentary bodies across several European countries; Australia’s Treasury Department; and multiple government and infrastructure organizations in Taiwan. Researchers noted that the selection of targets and timing appeared to align closely with region-specific political or economic events.
According to Unit 42, the group intensified scanning activity during the U.S. government shutdown in October 2025, focusing on entities across North, Central, and South America, including Brazil, Canada, the Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.
Particularly notable was extensive reconnaissance against “at least 200 IP addresses hosting Government of Honduras infrastructure” just one month ahead of the country’s national elections, a period marked by political discussions around restoring diplomatic relations with Taiwan.
Unit 42 assessed that confirmed compromises included Brazil’s Ministry of Mines and Energy, a Bolivian mining-related entity, two Mexican ministries, government infrastructure in Panama, and an IP address linked to a Venezolana de Industria Tecnológica facility. Additional victims spanned government entities across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia, along with an Indonesian airline, several Malaysian ministries, a Mongolian law enforcement organization, a major Taiwanese power equipment supplier, and a Thai government department likely associated with economic and trade data. Critical infrastructure organizations across multiple African nations were also affected.
The researchers further believe the actor attempted SSH connections to systems associated with Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers. Beyond confirmed breaches, evidence suggests widespread reconnaissance and intrusion attempts in numerous other countries.
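The SSH connection attempts and per-host scanning described above are the kind of activity that shows up in sshd logs long before a compromise is confirmed. The following is an added illustration, not code from the article or from Unit 42: it parses constructed syslog-format sshd lines and flags source addresses that try many usernames, fail repeatedly, or touch several hosts. The hostnames, usernames and thresholds are assumptions; the IP addresses are from the TEST-NET documentation ranges, not indicators from the campaign.

```python
"""Flag SSH reconnaissance / password-guessing from sshd auth log lines.

Added illustration (not from the article or Unit 42). The sample log
lines below are constructed; the IPs come from the TEST-NET documentation
ranges and the hostnames are invented.
"""
import re
from collections import defaultdict

# syslog prefix: "<Mon> <day> <time> <host> sshd[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+(?P<msg>.*)$")

# Common sshd message shapes. "Invalid user" is a strong recon signal: the
# guessed account does not exist on the host at all.
FAILED_RE = re.compile(
    r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
PREAUTH_RE = re.compile(
    r"^Connection closed by (?:authenticating user (?P<user>\S+) )?(?P<ip>[\d.]+) port \d+ \[preauth\]")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_line(line):
    """Return (host, kind, user, ip) for an sshd auth event, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg = m.group("host"), m.group("msg")
    for kind, rx in (("failed", FAILED_RE), ("invalid", INVALID_RE),
                     ("preauth", PREAUTH_RE), ("accepted", ACCEPTED_RE)):
        mm = rx.match(msg)
        if mm:
            return host, kind, mm.group("user"), mm.group("ip")
    return None


def analyze(lines, fail_threshold=5, user_threshold=3, host_threshold=2):
    """Aggregate per source IP and return only sources worth an analyst's time.

    A source is flagged when it produces >= fail_threshold failed or pre-auth
    disconnects, tries >= user_threshold distinct usernames, or touches
    >= host_threshold distinct hosts (the "scanning across infrastructure"
    pattern). "Invalid user" lines only contribute a username, because sshd
    normally logs a matching "Failed ..." line for the same attempt.
    A successful login from an already-flagged source is called out explicitly.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "hosts": set(), "accepted": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, kind, user, ip = parsed
        s = stats[ip]
        s["hosts"].add(host)
        if kind == "accepted":
            s["accepted"].add((host, user))
            continue
        if kind in ("failed", "preauth"):
            s["failures"] += 1
        if user:
            s["users"].add(user)

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["failures"] >= fail_threshold:
            reasons.append(f"{s['failures']} failed/pre-auth attempts")
        if len(s["users"]) >= user_threshold:
            reasons.append(f"{len(s['users'])} distinct usernames")
        if len(s["hosts"]) >= host_threshold:
            reasons.append(f"{len(s['hosts'])} distinct hosts")
        if reasons and s["accepted"]:
            logins = ", ".join(f"{u}@{h}" for h, u in sorted(s["accepted"]))
            reasons.append("LOGIN SUCCEEDED from flagged source: " + logins)
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: one scanning source hitting two hosts with several
# usernames, and one legitimate operator with a single typo'd password.
SAMPLE_LOG = """\
Nov 12 03:14:01 gw-fin-01 sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Nov 12 03:14:01 gw-fin-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 12 03:14:03 gw-fin-01 sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 12 03:14:05 gw-fin-01 sshd[2107]: Invalid user oracle from 203.0.113.5 port 51244
Nov 12 03:14:05 gw-fin-01 sshd[2107]: Connection closed by authenticating user oracle 203.0.113.5 port 51244 [preauth]
Nov 12 03:15:10 gw-fin-02 sshd[3301]: Connection closed by 203.0.113.5 port 51300 [preauth]
Nov 12 03:15:12 gw-fin-02 sshd[3303]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Nov 12 03:20:40 gw-fin-01 sshd[2150]: Failed password for ops from 198.51.100.7 port 40020 ssh2
Nov 12 03:20:44 gw-fin-01 sshd[2151]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low for the sample; on a real fleet they should be tuned per host role, and the host count is only meaningful when logs from many hosts are collected centrally, which is exactly what makes the cross-host scanning pattern visible.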
Unit 42 also observed scanning of Czech government infrastructure, including systems tied to the army, police, parliament, and several ministries. The group attempted to access European Union infrastructure as well, targ

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
