There are common methods and goals to the attacks. They usually start with phishing to trick someone into compromising the company network (often using political bait), and then use a mix of custom and off-the-shelf malware to collect info. They'll often stay undetected by "living off the land" with the victim's own software, such as system admin tools. The intuders are primarily looking for code signing certificates and "software manipulation," according to the report.

The perpetrators also make occasional mistakes, and it's those slip-ups that helped identify the Chinese origins. They normally use command-and-control servers to hide, but they inadvertently accessed some machines using IP addresses from China Unicom's network in a Beijing district.

Even with these mistakes, the Winnti umbrella is an "advanced and potent threat," 401TRG said. It's also a not-so-subtle reminder that China's state-backed hacking efforts are deeper than they seem at first glance -- hacks that appear to be one-off incidents may be linked if you look for subtler similarities.