Palo Alto Networks elected not to explicitly link a newly exposed, wide-ranging cyberespionage operation to China, according to two people familiar with the matter, after weighing the potential for retaliatory action that might affect the company or its customers.
Those sources said a draft Unit 42 report had asserted a connection between the hacking cluster dubbed TGR-STA-1030 and Beijing. The final, publicly released document instead used a more circumscribed characterization, calling the actor a "state-aligned group that operates out of Asia." The change followed last month’s announcement that Chinese authorities had banned software from around 15 U.S. and Israeli cybersecurity firms - a list that included Palo Alto - on national security grounds, the sources said.
Attributing sophisticated intrusions is inherently challenging and a frequent source of debate among threat researchers. Still, the sources told this publication that Unit 42 analysts were confident in their conclusions. They said forensic evidence uncovered during the investigation pointed toward a Chinese link. The sources declined to provide the precise wording that appeared in earlier drafts or to name the executives who instructed the report’s revision, citing a lack of authorization to discuss internal deliberations.
Palo Alto offered a public statement in response to questions about the language change. The company said, in part, that "attribution is irrelevant." In follow-up correspondence, the firm’s vice president of global communications, Nicole Hockin, clarified that this wording was intended to indicate that the decision not to attribute publicly bore no relation to procurement regulations in China, and that any implication otherwise was "speculative and false." Hockin added that the phrasing chosen in the report sought to balance "how to best inform and protect governments about this widespread campaign."
The Chinese Embassy in Washington responded to the disclosures by asserting its opposition to "all forms of cyberattacks" while noting that attributing intrusions is a complicated technical matter. The embassy urged involved parties to take a "professional and responsible attitude," and to ground any characterizations of cyber incidents on sufficient evidence rather than on what it called unfounded speculation.
What Palo Alto uncovered
According to the material prepared by Unit 42, the activity by the group identified as TGR-STA-1030 was first detected in early 2025. The campaign was labeled internally "The Shadow Campaigns" and, in the company’s assessment, involved reconnaissance operations in nearly every country, with successful intrusions into government and critical infrastructure entities across 37 countries.
Although the final report stopped short of naming a specific state, it included details that readers could interpret as consistent with Chinese-state activity. For example, researchers observed that the attackers’ operating hours tracked the GMT+8 time zone, which includes China. The report also highlighted targeting patterns such as operations against Czechia’s government infrastructure following an August meeting between the Czech president and the Dalai Lama, and an intrusion focused on Thailand on November 5 that preceded a diplomatic visit; the report noted that the subsequent week marked the Thai king’s first state visit to Beijing.
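The operating-hours point above rests on a simple working-hours fit that is easy to reproduce and just as easy to over-read. The block below is an added illustration, not code from Unit 42 or the report, run over a constructed list of UTC timestamps: it scores every whole-hour offset by how many events land in a 09:00-18:00 local shift and shows how many neighbouring offsets fit almost as well.

```python
from datetime import datetime, timezone

# Constructed sample of UTC timestamps for attacker-side events (for
# instance tool compile times or C2 beacon activity). These are made-up
# values for illustration, not data from the Unit 42 report.
SAMPLE_EVENTS_UTC = [
    "2025-03-03T01:15:00Z", "2025-03-03T02:40:00Z", "2025-03-03T03:05:00Z",
    "2025-03-04T04:30:00Z", "2025-03-04T05:50:00Z", "2025-03-04T06:10:00Z",
    "2025-03-05T07:45:00Z", "2025-03-05T08:20:00Z", "2025-03-05T09:35:00Z",
    "2025-03-06T02:00:00Z", "2025-03-06T06:25:00Z", "2025-03-07T18:40:00Z",
]


def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def working_hours_fit(events, work_start=9, work_end=18):
    """Score every whole-hour UTC offset by the fraction of events that fall
    inside local working hours [work_start, work_end) under that offset.
    Returns a dict {offset_hours: fraction}."""
    hours = [parse_utc(e).hour for e in events]
    scores = {}
    for offset in range(-12, 15):
        in_shift = sum(1 for h in hours if work_start <= (h + offset) % 24 < work_end)
        scores[offset] = in_shift / len(hours)
    return scores


def candidate_offsets(events, tolerance=0.0):
    """Offsets whose score is within `tolerance` of the best one. Neighbouring
    offsets usually fit almost equally well, which is why an operating-hours
    pattern on its own is weak evidence: UTC+8 also covers several countries
    other than China, and remote or shift-working operators distort it."""
    scores = working_hours_fit(events)
    best = max(scores.values())
    return sorted(o for o, s in scores.items() if s >= best - tolerance)


if __name__ == "__main__":
    print(candidate_offsets(SAMPLE_EVENTS_UTC))       # [8]
    print(candidate_offsets(SAMPLE_EVENTS_UTC, 0.1))  # [7, 8, 9]
```

Before treating the best-fitting offset as a lead, check the spread of near-equal candidates and, if the data allows, weekday and holiday patterns as well.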
Outside researchers who reviewed the company’s analysis said they had observed parallels to campaigns they and others attribute to Chinese state-sponsored espionage. One senior threat researcher at an outside cybersecurity firm said his assessment is that the activity fits a broader pattern of global campaigns seeking persistent access and intelligence of interest to China.
Why the change matters
Sources told this publication that Palo Alto’s executives were motivated to soften the attribution language by concerns that an explicit linkage to Beijing could invite retaliatory measures, either targeted at the firm’s local staff in China or at its customers abroad. The change of language, according to those sources, was a risk-management decision intended to mitigate possible repercussions after the software ban by Chinese authorities.
Palo Alto maintains a physical presence in China, listing multiple offices in that country, including locations in Beijing, Shanghai and Guangzhou. Publicly accessible professional networking profiles identify more than 70 individuals who describe themselves as Palo Alto employees in China, across roles that include engineering and account management.
Those operational ties - and the presence of staff on the ground - are central to the trade-offs the company faced. An academic expert in cyber attribution said the situation illustrates a recurring dilemma: publicly naming state actors can enhance a company’s credibility and public profile, but it can also increase the risk faced by employees and customers when those actors have the capability to retaliate.
Broader implications
The incident highlights tensions that can arise when cybersecurity vendors with global operations produce public, technical assessments of sophisticated espionage campaigns. Firms with offices and employees in multiple countries must weigh the protective value of transparency against potential operational and human-security risks.
All parties quoted on the record emphasized the technical complexity of definitive attribution and the need for careful handling of sensitive intelligence. At the same time, analysts outside the company said that technical indicators in the report - including timing, targeting and geopolitical context - were consistent with patterns they have linked to Chinese-sponsored operations in other contexts.
Concluding note
The unfolding exchange between the cybersecurity industry, affected governments, and foreign authorities underscores the delicate balance firms must strike when disclosing high-stakes threat intelligence. In this case, a decision to temper public attribution appears to have been driven by a mix of confidence in forensic findings and pragmatic concerns about potential repercussions - concerns amplified by recent Chinese restrictions on foreign cybersecurity products.