Symantec reports that attacks on organizations in the US, Japan, Taiwan and China, carried out for the purpose of information theft, have been attributed to an espionage group known as Palmerworm, also known as BlackTech, which has been active since 2013.
In some cases, the Palmerworm team maintained its presence on compromised networks for a year or more, often using tactics that abuse legitimate software and tools so as not to raise suspicion that something might be wrong, and thus leaving less evidence that could be used to trace the origin of the attack.
Investigators have not been able to determine how the hackers gained access to the network in this latest round of Palmerworm attacks, but previous campaigns have used spear-phishing to compromise victims.
However, the malware is known to use custom loaders and network authentication tools similar to those of previous Palmerworm campaigns, and investigators are "quite confident" that the same team is behind these attacks.
Palmerworm malware also uses stolen code signing certificates on its payloads to make them look more legitimate. The group is known to have used this tactic previously.
The malware gives the intruders a covert backdoor into the network, and access is maintained using a number of legitimate tools, including PsExec and SNScan, which are abused to move around the network without being detected. Meanwhile, WinRAR is used to compress files, making it easier for the intruders to exfiltrate them from the network.
Symantec has not attributed Palmerworm to any specific country, but Taiwanese officials have previously claimed that the attacks can be linked to China. If so, it suggests that Chinese hackers have targeted a Chinese company as part of the campaign.
What is certain, however, is that the Palmerworm team is unlikely to stop working and will remain a threat for many years to come.
While the nature of advanced hacking campaigns means that they can be difficult to detect, organizations can protect themselves by having a clear picture of their network, knowing what normal and unusual activity look like, and blocking suspicious activity where necessary.
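As an added illustration of the "know your normal activity" advice above, and of the legitimate-tool abuse described earlier (PsExec, SNScan, WinRAR, stolen signing certificates), here is a small triage script that is not part of the Symantec report or any vendor product. It runs over constructed process-creation events (field names, the expected-signer allowlist and the user-writable path list are all assumptions) and flags the patterns a defender would want to review.

```python
import ntpath

# Constructed sample process-creation events; not taken from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signer": "Microsoft Windows", "sig_status": "valid"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\fs02 -s cmd.exe", "signer": "Microsoft Corporation", "sig_status": "valid"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\snscan.exe",
     "cmdline": "snscan.exe", "signer": "", "sig_status": "unsigned"},
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hp -v50m C:\Users\alice\AppData\Local\Temp\out.rar C:\Share\finance",
     "signer": "win.rar GmbH", "sig_status": "valid"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe", "signer": "Some Vendor Ltd", "sig_status": "valid"},
]

# Assumed organisational baseline: signers expected to appear on this fleet.
EXPECTED_SIGNERS = {"microsoft windows", "microsoft corporation", "win.rar gmbh"}
# Assumed user-writable locations where signed binaries rarely belong.
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\programdata")


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def triage(events):
    """Return (rule, host, image) tuples for events matching the tactics described."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        tokens = ev["cmdline"].lower().split()
        # Remote execution tooling: PsExec client or its service component.
        if name in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
            findings.append(("psexec_lateral_movement", ev["host"], name))
        # Network scanner the report names as abused for reconnaissance.
        if name == "snscan.exe":
            findings.append(("snscan_network_scan", ev["host"], name))
        # WinRAR "a" (add) with password or volume splitting: typical exfil staging.
        if name in ("rar.exe", "winrar.exe") and len(tokens) > 1 and tokens[1] == "a" \
                and any(t.startswith(("-hp", "-p", "-v")) for t in tokens[2:]):
            findings.append(("archive_staging", ev["host"], name))
        # Validly signed by an unexpected signer, running from a user-writable path:
        # the pattern a stolen code signing certificate would produce.
        if ev["sig_status"] == "valid" and ev["signer"].lower() not in EXPECTED_SIGNERS \
                and in_user_writable(ev["image"]):
            findings.append(("unexpected_signer_user_path", ev["host"], name))
    return findings
```

Tune the allowlist and path list to your own baseline before relying on the signer rule; a valid signature from an unfamiliar vendor is a lead for review, not proof of a stolen certificate.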