Though privately held and little known to the general public, Mandiant is one of a handful of U.S. cyber-security companies that specialise in attempting to detect, prevent and trace the most advanced hacking attacks, instead of the garden-variety viruses and criminal intrusions that befoul corporate networks on a daily basis.
But Mandiant does not promote its analysis in public and only rarely issues topical papers about changes in techniques or behaviours.
It has never before given the apparent proper names of suspected hackers or directly tied them to a military branch of the Chinese government, giving the new report special resonance.
The company published details of the attack programmes and dummy websites used to infiltrate U.S. companies, typically via deceptive emails.
U.S. officials have complained in the past to China about sanctioned trade-secret theft, but have had a limited public record to point to.
Mandiant said it knew the PLA would shift tactics and programmes in response to its report but concluded that the disclosure was worth it because of the scale of the harm and the ability of China to issue denials in the past and duck accountability.
The company traced Unit 61398’s presence on the Internet - including registration data for a question-and-answer session with a Chinese professor and numeric Internet addresses within a block assigned to the PLA unit - and concluded that it was a major contributor to operations against the U.S. companies.
Members of Congress and intelligence authorities in the United States have publicised the same general conclusions: that economic espionage is an official mission of the PLA and other elements of the Chinese government, and that hacking is a primary method.
In November 2011, the U.S. National Counterintelligence Executive publicly decried China in particular as the biggest known thief of U.S. trade secrets.
The Mandiant report comes a week after U.S. President Barack Obama issued a long-awaited executive order aimed at getting the private owners of power plants and other critical infrastructure to share data on attacks with officials and to begin to follow consensus best practices on security.