State-backed hackers snooped on global ministries, critical infrastructure: Report
A major cyber spying operation, believed to be backed by a government, has hit 70 government and critical infrastructure organizations in 37 countries and has been active since at least January 2025.
The Asia-based group behind it—TGR-STA-1030—went after ministries handling finance, law enforcement, energy, trade, and more to gather intel on things like financial deals and military moves.
Hackers exploited known vulnerabilities in Microsoft Exchange, Windows systems
Big targets included Brazil's Ministry of Mines and Energy, the Czech Parliament and military, and an Indonesian airline.
The hackers used phishing emails with a tool called DiaoYu to sneak in Cobalt Strike malware.
They also exploited security holes in Microsoft Exchange, SAP, D-Link devices and Windows systems—at least 15 known vulnerabilities.
Some breaches were contained quickly, and international agencies are now helping
Unit 42 also discovered a stealthy Linux eBPF rootkit called ShadowGuard. The group maintained access to several victims for months and accessed email data.
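An eBPF rootkit works by loading kernel programs that hook system calls or tracepoints, so one defender-side check on a Linux host is to enumerate the loaded BPF programs and compare them with what the host is expected to run. The script below is an added example, not code from the report, from Unit 42 or from any ShadowGuard sample; it parses the text output of `bpftool prog show` and flags programs outside an allowlist. The sample output, the program names and ids, and the allowlist are all constructed for illustration.

```python
"""Flag unexpected eBPF programs in `bpftool prog show` output (added example).

Nothing here is taken from ShadowGuard; the sample text, program names, ids,
tags and the allowlist are constructed assumptions for illustration.
"""
import re

# Constructed sample in the layout bpftool uses for `prog show`:
# "<id>: <type>  name <name>  tag <tag> ..." followed by indented detail lines.
SAMPLE_BPFTOOL_OUTPUT = """\
12: cgroup_skb  name egress_filter  tag 6deef7357e7b4530  gpl
\tloaded_at 2025-11-02T09:14:22+0000  uid 0
\txlated 64B  jited 54B  memlock 4096B
47: kprobe  name sys_enter_open  tag 1c2f9a8e0d3b7b11  gpl
\tloaded_at 2025-12-18T03:41:07+0000  uid 0
\txlated 1280B  jited 912B  memlock 8192B  map_ids 13,14
48: tracepoint  name hide_pid_entry  tag 9b0e44d1a77c2f90  gpl
\tloaded_at 2025-12-18T03:41:08+0000  uid 0
\txlated 2048B  jited 1460B  memlock 12288B  map_ids 14
"""

# Hypothetical allowlist: programs this host is known to load (assumption).
EXPECTED_PROGRAMS = {"egress_filter"}

# Program types that attach to kernel execution paths; these are the ones a
# rootkit-style program would use to intercept or filter kernel activity.
HOOKING_TYPES = {"kprobe", "kretprobe", "tracepoint", "raw_tracepoint", "fentry", "fexit"}

HEADER_RE = re.compile(
    r"^(?P<id>\d+):\s+(?P<type>\w+)\s+name\s+(?P<name>\S+)\s+tag\s+(?P<tag>[0-9a-f]+)"
)
LOADED_AT_RE = re.compile(r"loaded_at\s+(\S+)")


def parse_bpftool_prog_show(text):
    """Return one dict per loaded program found in bpftool's text output."""
    programs = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            programs.append({
                "id": int(header["id"]),
                "type": header["type"],
                "name": header["name"],
                "tag": header["tag"],
                "loaded_at": None,
            })
        elif programs and line.startswith("\t"):
            # Detail lines belong to the most recent header; pick up the load time.
            loaded = LOADED_AT_RE.search(line)
            if loaded:
                programs[-1]["loaded_at"] = loaded.group(1)
    return programs


def find_unexpected(text, expected_names):
    """Return (id, type, name) for every program whose name is not allowlisted."""
    return [
        (p["id"], p["type"], p["name"])
        for p in parse_bpftool_prog_show(text)
        if p["name"] not in expected_names
    ]


def find_unexpected_hooks(text, expected_names):
    """Narrow the unexpected set to programs that hook kernel execution paths."""
    return [
        entry for entry in find_unexpected(text, expected_names)
        if entry[1] in HOOKING_TYPES
    ]


if __name__ == "__main__":
    for prog_id, prog_type, name in find_unexpected_hooks(SAMPLE_BPFTOOL_OUTPUT, EXPECTED_PROGRAMS):
        print(f"unexpected {prog_type} program id={prog_id} name={name}")
```

On a live host the input would come from `bpftool prog show` run as root. A program that hides itself from the host's own tooling will not appear in that output, so this check is only meaningful when the listing is cross-checked against an independent view, for example an audit log of `bpf` syscalls or a listing taken after booting the machine from trusted media.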
Their activity showed increased scanning in late 2025 (notably November-December 2025).
Security experts note clues like China Mobile IPs and activity aligned with GMT+8 operating hours, which Unit 42 says is consistent with state alignment.
Some breaches were contained quickly—India's was stopped within a week—and international agencies are now helping affected countries respond.