Exclusive: Palo Alto avoided linking China to hacking due to fears of Beijing's retaliation, sources reveal

Reuters | February 12, 2026 at 06:14 PM UTC
Sentiment: Bearish (80% confidence, unanimous agreement)

Key Points

  • A draft report by Palo Alto's Unit 42 originally linked the hacking group 'TGR-STA-1030' to China, but executives ordered the language softened after China banned software from Palo Alto and about 15 other U.S. and Israeli cybersecurity firms on national security grounds
  • The hackers successfully breached government and critical infrastructure organizations in 37 countries in what Palo Alto dubbed 'The Shadow Campaigns,' with forensic evidence pointing to China, including activity in the GMT+8 time zone and targeting aligned with Beijing's diplomatic interests
  • Palo Alto maintains five offices in China and lists over 1,000 employees there on LinkedIn, illustrating the trade-off companies with global footprints face between exposing foreign espionage and protecting local staff from potential reprisals

AI Summary

Key Development:

Palo Alto Networks deliberately avoided attributing a major global cyberespionage campaign to China in a report published last week, citing fears of retaliation from Beijing, according to two sources familiar with the matter. The company instead described the perpetrator as a "state-aligned group that operates out of Asia."

Main Facts:

  • A draft report by Palo Alto's Unit 42 threat intelligence arm originally linked China to the hacking group "TGR-STA-1030"
  • Executives ordered language changes following January news that Chinese authorities banned software from approximately 15 U.S. and Israeli cybersecurity firms, including Palo Alto, on national security grounds
  • The "Shadow Campaigns" operation targeted nearly every country globally, successfully breaching government and critical infrastructure organizations in 37 countries
  • The campaign was detected in early 2025

Evidence Pointing to China:

  • Hacker activity aligned with the GMT+8 time zone, which includes China
  • Attacks targeted Czechia following the president's August meeting with the Dalai Lama
  • Thailand was targeted before a November diplomatic visit by China's premier
  • External researchers from SentinelOne confirmed similar activity linked to Chinese state-sponsored operations

Company Exposure:

Palo Alto operates five offices in China (Beijing, Shanghai, Guangzhou) with approximately 470 employees in the country listed on LinkedIn, creating potential vulnerability to Chinese retaliation.

Market Implications:

The incident highlights the risks cybersecurity firms face when attributing state-sponsored attacks, particularly companies with global operations. Experts note the trade-off between industry recognition for exposing threats and potential reprisals affecting personnel and clients.

Model Analysis Breakdown

  • GPT-5-mini: Bearish, 82% confidence
  • Claude 4.5 Haiku: Bearish, 78% confidence
  • Gemini 2.5 Flash: Bearish, 80% confidence
  • Consensus: Bearish, 80% confidence