Palo Alto reportedly ordered to remove China's name from hacking investigation report due to fear of retaliation from China



Reuters reports that US security firm Palo Alto Networks has been ordered to remove the name of China from its investigative report into a massive hack, reportedly due to concerns about possible retaliation from the Chinese government.

Exclusive: Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say | Reuters

https://www.reuters.com/world/china/palo-alto-chose-not-tie-china-hacking-campaign-fear-retaliation-beijing-sources-2026-02-12/



A draft report by Palo Alto Networks' Unit 42 threat intelligence division stated that the hacker group, dubbed 'TGR-STA-1030,' was linked to the Chinese government, but the final version was reworded to describe it as 'a state-aligned group operating in Asia.'

The change was made at the direction of Palo Alto Networks executives, who feared that Chinese authorities would retaliate against the company's employees in China or its customers elsewhere, the sources said. They did not disclose who made the decision to weaken the report's conclusions or what the exact wording was before the change.



Asked to comment on reports that the wording had been changed, Palo Alto Networks told Reuters in a statement that 'attribution is not important.' Later, Nicole Hockin, Palo Alto Networks' vice president of global communications, explained that 'the statement was intended to convey that the company was not related to Chinese regulations,' adding that the idea that the company was afraid of Chinese regulations was 'speculative and false.'

The Chinese Embassy in the United States said, 'We oppose all forms of cyber attacks. Attributing attackers involves complex technical issues, and we hope that relevant parties will assess cyber incidents in a professional and responsible manner based on sufficient evidence, rather than unfounded speculation and accusations.'

Attributing sophisticated hacking attacks is extremely difficult, and there is frequent debate among security researchers about who is responsible for the attacks. However, a source told Reuters that Unit 42 researchers were confident that the attacks were linked to China based on a wealth of clues.

According to the report, Unit 42 first detected the hacker group TGR-STA-1030 in early 2025. In what they dubbed 'Shadow Campaigns,' the group allegedly conducted reconnaissance activities in nearly every country in the world and successfully infiltrated government agencies and critical infrastructure organizations in 37 countries.



Although the report does not explicitly name China, experts believe that China is likely involved, given that the timing of the hacker activity was consistent with the GMT+8 time zone, which includes China, and that the attack appeared to be focused on Czech government infrastructure after the Dalai Lama, whom the Chinese government dislikes, met with the Czech president.

'When security companies publicly point out state-sponsored espionage activities, on the one hand, they gain praise and positive attention from the industry for exposing foreign espionage activities, but on the other hand, they may face retaliation by coming into conflict with foreign intelligence services,' one expert said, adding that naming names always carries risks.

in Security, Posted by log1p_kr