Palo Alto Networks, a leading U.S. cybersecurity firm, deliberately avoided attributing a global cyberespionage campaign to China in a report released last week, opting instead to describe the perpetrators as a “state-aligned group that operates out of Asia” due to concerns over potential retaliation from Beijing, according to two sources familiar with the matter.
The decision, detailed in a February 12, 2026, Reuters exclusive, reflects the precarious position cybersecurity companies find themselves in when publicly linking state-sponsored hacking to powerful nations like China, where such attributions could lead to business bans or other reprisals. Palo Alto’s report, published on September 30, 2025, revealed that hackers had breached email servers of foreign ministers as part of a years-long effort targeting diplomats worldwide, accessing Microsoft Exchange servers to search for sensitive information at some foreign ministries. The company’s Unit 42 threat intelligence division, which has tracked the group for nearly three years, stopped short of naming China despite internal findings pointing in that direction, the sources said.
This cautious approach comes amid broader tensions, including China’s January 2026 ban on cybersecurity software from U.S. firms like Palo Alto Networks, Broadcom-owned VMware, and Fortinet, as well as Israeli companies such as Check Point Software Technologies, citing national security concerns. The ban targeted firms that have previously implicated China in hacking operations, which Beijing denies. For instance, in September 2025, Palo Alto published a report alleging a Chinese hacking effort targeted diplomats worldwide, and Check Point detailed an allegedly Chinese-linked operation against a European government office last month.
Experts note that attributing state-sponsored cyberespionage carries significant risks for firms with operations or clients in the accused country. Palo Alto’s shares remained virtually flat following the Reuters report, while broader market reactions to China’s bans saw Broadcom fall more than 4% and Fortinet drop over 2% in January 2026 trading. The company did not respond to requests for comment on the attribution decision.
This incident highlights escalating U.S.-China cyber tensions, with U.S. agencies like CISA warning in September 2025 that PRC state-sponsored actors are targeting global networks, including telecommunications and critical infrastructure in 37 countries. A separate December 2025 report linked suspected Chinese hackers to the backdooring of Palo Alto firewalls for espionage.
As attribution debates intensify, with firms weighing commercial risks against transparency, this case could prompt broader discussions on how cybersecurity companies navigate geopolitical minefields while protecting global users from state-backed threats.




