By Raphael Satter and AJ Vicens
WASHINGTON, Feb 12 (Reuters) — Palo Alto Networks opted not to tie China to a global cyberespionage campaign the firm exposed last week over concerns that the cybersecurity company or its clients could face retaliation from Beijing, according to two people familiar with the matter.
The sources said that Palo Alto’s findings that China was tied to the sprawling hacking spree were dialed back following last month’s news, first reported by Reuters, that Palo Alto was one of about 15 U.S. and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds.
A draft version of the report by Palo Alto’s Unit 42, the company’s threat intelligence arm, said that the prolific hackers — dubbed “TGR-STA-1030” in a report published on Thursday of last week — were connected to Beijing, the two people said. The finished report instead described the hacking group more vaguely as a “state-aligned group that operates out of Asia.”
Attributing sophisticated hacks is notoriously difficult and debates over how best to assign blame for digital intrusions are common among cybersecurity researchers. But Palo Alto has attributed hacks to China in the past, including as recently as this past September, and the sources told Reuters that Unit 42’s researchers were confident, based on a wealth of forensic clues, that the newly uncovered hacking campaign was tied to China too.
The change, the sources said, was ordered by Palo Alto executives because they were concerned by the software ban and feared drawing retaliation from Chinese authorities, either against the company’s personnel in China or its clients elsewhere.
The sources did not identify which executives made the decision to soften the report’s conclusions or provide the precise language that had been in the report ahead of the change. They spoke on condition of anonymity as they were not authorized to discuss the matter.
Asked to comment on the allegedly softened language, Palo Alto issued a statement to Reuters that said in part: “Attribution is irrelevant.”
Palo Alto’s vice president of global communications, Nicole Hockin, said in subsequent emails to Reuters that the statement was meant to communicate that the lack of attribution in Palo Alto’s report was not correlated with «procurement regulations in China» and that any suggestion otherwise was «speculative and false.» She said the choice of language in Palo Alto’s report reflected «how to best inform and protect governments about this widespread campaign.»