In the report that the cybersecurity firm published in February, which tied the group to Unit 61398 of the People’s Liberation Army, the firm expressed the belief that the group would simply change its attack techniques and continue to do what it did best: compromising the business systems of (mostly) U.S. companies and stealing intellectual property.
As it turns out, they were right. After a few months of extremely little activity, the group has launched new attacks.
"APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries — with a discernible post-report shift towards new tools and infrastructure," the company says.
According to a report that the NYT requested from Mandiant, the group has slowly rebuilt its attack infrastructure by targeting mostly small ISPs and online shops, and is now operating at 60-70 percent of its pre-report level of activity.
The company says that the group has only minimally changed the malware it used in the first attacks and has again managed to compromise some previously attacked targets. Mandiant is prevented by contract from sharing which ones, but we know that Coca Cola, RSA, and Lockheed Martin (but not the New York Times) were among those targeted in the first place.
But the thing that I would like to know the most - and it isn't addressed at all - is how they actually managed to do it again, considering that the targets must have upped their defenses after those initial compromises.