Mandiant's report contends that it is certain about the location and source of what it calls the "most prolific" of more than 20 APT groups originating in China. "APT1 (also labeled 'Comment Crew') is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006," the report said.
Mandiant said it has observed attacks since then against nearly 150 victims in a broad range of industries, that APT1 has stolen terabytes of data from companies like Coca-Cola, and that the group is able to sustain this campaign because "it receives direct government support."
It is not just commercial firms that are targets either. Mandiant said one was a company with remote access to more than 60% of oil and gas pipelines in North America. It said APT1 also attacked computer security firm RSA, which protects confidential corporate and government databases.
And while there was no proof yet of China being behind it, Apple said today that unknown hackers had infected the computers of some of its workers when they visited a website for software developers that had been infected with malware.
"In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate," the report said.
China's defense ministry issued a carefully worded denial that it was behind the attacks, calling any such accusations "unprofessional and groundless ... without any conclusive evidence."
But the government reacted very quickly when a BBC crew started taking video of the 12-story building where the Mandiant report said Unit 61398 is housed. Andrew Pugh, writing for the Press Gazette, said the Chinese military detained the crew and confiscated their video footage.
Even if the attribution is accurate in this case, however, that doesn't mean the overall problem has been solved. John Worrall, chief marketing officer at Cyber-Ark, calls attribution "a very difficult task."
"Very few organizations are up to the task. If you don't do it completely, you're on thin ice," he said. "And the bigger challenge is that very few have the ability to launch a counterattack, even if they've got the right target."
Other experts note that Mandiant has been investigating APT1 and other groups for years, and most organizations don't have the time or expertise to do even that much. And several posts on Twitter during the day said their authors expect other hacking groups to launch attacks using APT1's methods, so that their activity looks as if it came from APT1.