Hackers breach govt systems in 37 countries in vast spying plot

Reuters
A hacking group broke into government systems in 37 countries, nearly a fifth of the planet, in one of the largest coordinated cyber espionage campaigns ever recorded, Pete Renals, director of National Security Programs at Palo Alto Networks’ Unit 42, told ET in an exclusive interview.

The findings are part of Unit 42’s latest report, The Shadow Campaigns: Uncovering Global Espionage. The investigation uncovered a coordinated hacking campaign that broke into government and critical infrastructure networks across 37 countries, including India, while scanning systems in 155 countries within just two months, November to December 2025. The breaches gave hackers access to sensitive information on trade negotiations, military operations, and international funding, the report claims. This intelligence could shape real-world economic and diplomatic outcomes.

India was among the targeted nations, though Renals said the breach was contained quickly. “In India’s case, the activity we saw was short and contained quickly, less than a week,” he said. “Overall, India’s digital systems are more modern and resilient than many we observed.”


The report tracks the hacking group identified as TGR-STA-1030 that focused on ministries handling finance, energy, trade, telecom services, and law enforcement. The attackers used phishing emails disguised as official government communications and took advantage of old software weaknesses to gain access.

“What makes this different is the scale,” Renals said. “Most campaigns we investigate impact one or two organisations. Here we are talking about a fifth of the world being touched over a year through very targeted efforts.”

The hacking activity often increased around major political events, trade negotiations, and natural resource deals. This suggests the group was seeking inside information that could help shape real-world decisions.

Once inside government networks, the attackers moved quickly to official email systems, copying entire inboxes of senior officials. “They go straight for email because that’s where the real intelligence is,” Renals said. “In longer cases, they come back every couple of weeks to pull fresh data.”

A key concern is that most break-ins did not involve advanced hacking techniques. Instead, the group relied on well-known software flaws that had not been fixed. “They are not using flashy new vulnerabilities,” Renals said. “They use older ones because fewer people are watching them closely. That makes their operations quieter and harder to track.”

The campaign raises questions about digital sovereignty and economic security. The report shows attackers targeting countries involved in critical mineral negotiations, rare earth mining, and semiconductor supply chains.

“Many agencies don’t fully know what systems are connected to the internet,” Renals said. “Basic steps like tracking online assets, patching weaknesses, and removing unused services can prevent a large number of these attacks.”

Unit 42 has shared its findings with affected governments and security partners worldwide to help strengthen defences against similar espionage campaigns.