The Shadow Campaigns Carrying Out Global Espionage

Palo Alto Networks Unit 42 has published a new report about large-scale cyber espionage activities, called the Shadow Campaigns.

The research shows that a state-linked threat group has been active for more than a year and has targeted government and critical infrastructure organizations in many countries around the world.

Key points from the report:

- Organizations in dozens of countries were affected.

- Targets included government agencies, border control, law enforcement, and finance departments.

- Attackers often used phishing emails and known system weaknesses to get access.

- The activity shows long-term spying, not quick attacks.

This report is a strong reminder that cyber espionage is real and ongoing. Even well-protected organizations can be targets, which makes awareness and good security practices more important than ever.

https://bit.ly/3ZHAO5T

Keynotes:

"This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries."

"In addition to phishing campaigns, the group often couples exploitation attempts with their reconnaissance activities to gain initial access to target networks. To date, we have not observed the group developing, testing or deploying any zero-day exploits. However, we assess that the group is comfortable testing and deploying a wide range of common tools, exploitation kits and proof-of-concept code for N-day exploits."

"We assess that the group relies heavily on a mix of command-and–control (C2) frameworks and tools common to the actors’ region to move laterally and maintain persistent access within compromised environments."

"The group’s reconnaissance efforts shed light on its global interests. We have also observed the group's success at compromising several government and critical infrastructure organizations globally. We assess that over the past year, the group compromised at least 70 organizations across 37 countries,..."

Askul Ransomware and Data Breach

Let’s start with the cliché that too often proves true: "Put essential cybersecurity measures in place before the moment arrives when prevention is no longer possible."

Askul, a major Japanese e-commerce and logistics company, has finally restarted part of its online services after a ransomware attack shut them down for 45 days. During this time, the company could not process normal orders or ship products to customers. Can you imagine your company not earning revenue for more than six weeks because of one cyber incident?

The attack did more than disrupt operations — it also led to a data breach. Customer names and contact information were exposed, and some of the leaked data even appeared online. Askul had to fall back to a temporary, very limited ordering system using fax, offering only 37 basic items. What would your organization do if it suddenly had to return to pen-and-paper processes just to keep business moving?

As of early December (2025), Askul restored its Warehouse Management System with stronger security controls and reopened online ordering for corporate clients. However, deliveries are still slower than before, and its consumer-facing services are not yet operational. The company also delayed its financial reporting as it tries to understand the full impact of the disruption. Would your business survive a similar delay in sales, logistics, and reporting?

This incident shows how a single ransomware attack can have long-lasting effects, not only on technology but on revenue, trust, and daily operations. It’s a reminder that cybersecurity is not just an IT problem — it is a business survival problem. If this happened to you tomorrow, would your company be ready?

https://bit.ly/4oJ4edM

Headlines:

"On October 19 (2025), the company found itself infected by ransomware and the next day advised it couldn’t accept orders or ship products. On October 22 (2025) the company said its Warehouse Management System was the problem, which meant it had to suspend its logistics services.

On October 30th (2025), the company revealed the attack led to a major data breach, with customers’ names and contact details leaked..."

"The incident is broadly comparable to the ransomware attack on British retailer Marks & Spencer, which cost it £136 million ($177.2 million) to clean up and saw profits slump.

Askul will have a similar bill to pay, and it may well be larger because the company’s initial outage ran for a few days more than Marks & Spencer’s, and full recovery also looks like it will take longer."

JLR Cyberattack Slowed Down UK's GDP Growth

We usually think of cyber attacks as issues that disrupt individual companies. But have you ever considered that a single cyber incident could slow down the GDP growth of a developed country?

It may seem unlikely, yet it has already happened. In September 2025, Jaguar Land Rover (JLR) suffered a major cyber attack that forced the company to halt production for an entire month.

This event didn’t only affect JLR’s operations, it also contributed to slower economic growth in the United Kingdom. It’s a strong reminder that cyber threats can have real and measurable impact on a nation’s economy.

https://bit.ly/4r7E2Mr

Headlines:

"The Bank of England (BoE) has cited the cyberattack on Jaguar Land Rover (JLR) as one of the reasons for the country's slower-than-expected GDP growth in its latest rates decision."

"Weaker exports to the US, plus JLR's cyberattack, which was so damaging that the government had to step in and offer financial support, were the two reasons given by the BoE for this slower growth.

This is thought to be the first case in which a cyberattack has caused material economic and fiscal harm to the UK.

According to the most recent report from the Office for Budget Responsibility (OBR), dated 2021, while cyberattacks are a growing threat to Britain, none had caused sufficient disruption to adversely impact the entire economy."

"Economists previously estimated the harm to JLR alone could be north of £2 billion in lost revenues"

"JLR's cyber-instigated shutdown in September (2025) followed a rough few months for UK businesses, which were battered by major cyberattacks over the summer."

PowerSchool Hack

A 19-year-old college student from Massachusetts, has been sentenced to four years in prison after pleading guilty to hacking PowerSchool, a software platform used by schools across the United States to manage student information. He gained unauthorized access to the system and stole a massive amount of sensitive data belonging to 60 millions students and 9 million teachers; including personal identifiers, medical details, and educational records.

After gaining access, he contacted the company and demanded $2.85 million in Bitcoin (30 bitcoin), threatening to release the stolen data online if his ransom demand was not met.

PowerSchool confirmed that multifactor authentication (MFA) was not enabled on some of its systems at the time of the incident. This admission became a key detail in understanding how he was able to compromise the system so effectively.

https://bit.ly/4hcfhKo

Headlines:

"...He accessed databases belonging to the company PowerSchool that had information on more than 60 million students and nine million teachers."

"Sensitive data, including students’ Social Security numbers, special education status, medical conditions and parental restraining orders, were exposed in the hack, which PowerSchool made public in January."

"Last month, Texas sued PowerSchool, saying the company broke state laws relating to deceptive trade practices and identity theft protection, including by misleading consumers into believing its shoddy security practices were 'state-of-the-art.'

PowerSchool has acknowledged the hack was enabled by the fact that it did not use multifactor authentication."

Flight Delays Across Europe Due To Cyber Attacks

 

Most of us don’t think much about cybersecurity—until it affects us directly. But the reality is: threats exist whether we’re aware of them or not.

Recently, cyberattacks caused flight delays in airport terminals across Europe. Imagine arriving at the airport, ready for your holiday, only to learn your flight is delayed or even cancelled for hours. Frustrating, right?

https://bit.ly/4pH2hjL

Headlines:

"Several of the largest airports in Europe, including London Heathrow, have been trying to restore normal operations over the past few days after an attack on Friday disrupted automatic check-in and boarding software.

The problem stemmed from Collins Aerospace, a software provider that works with several airlines across the world."

"Airports in Brussels, Dublin and Berlin have also experienced delays. While kiosks and bag-drop machines have been offline, airline staff have instead relied on manual processing."

"A spokesperson for Brussels airport said Collins Aerospace had not yet confirmed the system was secure again. On Monday, 40 of its 277 departing flights and 23 of its 277 arriving services were cancelled."