Global Espionage Campaign Targets Governments and Critical Infrastructure in 37 Countries
Palo Alto Networks’ Unit 42 has uncovered a sweeping cyber espionage campaign attributed to a state-backed threat actor, tracked as TGR-STA-1030, which has breached at least 70 government agencies and critical infrastructure organizations across 37 countries over the past year. The campaign, likely orchestrated by an Asian government whose tactics and objectives closely align with China’s strategic interests, focuses on gathering intelligence on rare earth minerals, trade deals, and economic partnerships, posing significant risks to national security and essential services.
Between November and December 2023, the group conducted reconnaissance against government networks in 155 countries, demonstrating an unusually broad operational scope. Victims include Brazil’s energy ministry (a key player in rare earth mineral reserves), Greece’s Syzefxis Project (a digital public services initiative), Mongolia’s police agency (breached ahead of high-level diplomatic meetings), and Taiwan’s power equipment industry. The hackers also targeted an Indonesian airline during negotiations with a U.S. aircraft manufacturer, coinciding with lobbying efforts by a Southeast Asian competitor.
Geopolitical motivations were evident in other attacks. After the Czech president met the Dalai Lama, the group scanned networks of the Czech military, police, parliament, and government bureaus. In Honduras, the hackers aggressively targeted 200 government IP addresses in late October 2023, just weeks before a presidential election in which candidates signaled openness to restoring ties with Taiwan, a move at odds with Beijing’s interests.
The threat actor employs sophisticated tradecraft, including:
- DiaoYu, a phishing-delivered malware loader that evades antivirus detection before deploying Cobalt Strike.
- Exploitation of vulnerabilities in Microsoft Exchange Server, SAP Solution Manager, and other enterprise software.
- ShadowGuard, a stealthy Linux rootkit implemented as eBPF programs loaded into the kernel, which hooks system calls and kernel functions to filter what processes, files and log entries userland tools can see, so that conventional file- and process-based detection misses it.
The group’s infrastructure relies on multi-tiered obfuscation, though some attacks originated from China Mobile Communications Group IP addresses, further suggesting Chinese involvement. With activity described here reaching back to at least October 2023 and the campaign reported in January 2024, TGR-STA-1030 remains a persistent threat to governments and critical infrastructure worldwide.
Ministry of Finance - Brazil cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-finance---brazil
PC PROJECT cybersecurity rating report: https://www.rankiteo.com/company/pc-project-gre
"id": "MINPC-1770331735",
"linkid": "ministry-of-finance---brazil, pc-project-gre",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{
  "affected_entities": [
    {"industry": "Energy", "location": "Brazil", "name": "Brazil’s energy ministry", "type": "Government Agency"},
    {"industry": "Public Services", "location": "Greece", "name": "Greece’s Syzefxis Project", "type": "Government Initiative"},
    {"industry": "Law Enforcement", "location": "Mongolia", "name": "Mongolia’s police agency", "type": "Government Agency"},
    {"industry": "Energy/Utilities", "location": "Taiwan", "name": "Taiwan’s power equipment industry", "type": "Industry"},
    {"industry": "Aviation", "location": "Indonesia", "name": "Indonesian airline", "type": "Corporation"},
    {"industry": "Defense/Law Enforcement/Government", "location": "Czech Republic", "name": "Czech military, police, parliament, and government bureaus", "type": "Government Agencies"},
    {"industry": "Government", "location": "Honduras", "name": "Honduras government", "type": "Government"}
  ],
  "attack_vector": ["Phishing", "Exploitation of vulnerabilities in enterprise software"],
  "data_breach": {
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Intelligence on rare earth minerals", "Trade deals", "Economic partnerships", "Diplomatic communications"]
  },
  "date_detected": "2024-01",
  "description": "Palo Alto Networks’ Unit 42 uncovered a cyber espionage campaign attributed to a state-backed threat actor, TGR-STA-1030, which has breached at least 70 government agencies and critical infrastructure organizations across 37 countries. The campaign focuses on gathering intelligence on rare earth minerals, trade deals, and economic partnerships, posing significant risks to national security and essential services.",
  "impact": {
    "data_compromised": "Intelligence on rare earth minerals, trade deals, economic partnerships, and diplomatic communications",
    "operational_impact": "Significant risks to national security and essential services",
    "systems_affected": ["Government networks", "Critical infrastructure"]
  },
  "initial_access_broker": {
    "high_value_targets": ["Government networks", "Critical infrastructure"],
    "reconnaissance_period": "November - December 2023"
  },
  "investigation_status": "Ongoing",
  "motivation": ["Geopolitical intelligence gathering", "Economic espionage"],
  "post_incident_analysis": {
    "root_causes": ["Sophisticated phishing campaigns", "Exploitation of unpatched vulnerabilities in enterprise software", "Use of stealthy malware (DiaoYu, ShadowGuard)"]
  },
  "references": [{"source": "Palo Alto Networks’ Unit 42"}],
  "response": {"third_party_assistance": "Palo Alto Networks’ Unit 42"},
  "threat_actor": "TGR-STA-1030",
  "title": "Global Espionage Campaign Targets Governments and Critical Infrastructure in 37 Countries",
  "type": "Cyber Espionage",
  "vulnerability_exploited": ["Microsoft Exchange Server", "SAP Solution Manager"]
}