A formidable team of hackers under the command of the Chinese military has been launching a series of increasingly alarming cyberattacks against corporations and government agencies in the United States and elsewhere, a new study [pdf] by the security firm Mandiant alleges. Mandiant was hired by The New York Times Company after the paper's own systems were hacked, and today the Times published a troubling article about the hacking operations, which Mandiant has tracked to a single 12-story white office tower in Shanghai.

Security experts estimate that the hacking group, generally known as the Comment Crew, is responsible for thousands of attacks around the world (although Mandiant does not believe the Comment Crew was responsible for the recent attacks against the New York Times). The attacks go largely unreported, mainly because the high-profile victims do not want them publicized. Mandiant's analysis concludes that the group's modus operandi is "spearphishing": emails crafted for a specific recipient that, once the recipient clicks a link in the message, install malware on the target computer and give the attackers a foothold on the victim's network. The Times details one such attack against Coca-Cola:

As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.

The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack. When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.
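The spearphishing attack described above turns on a link that looks legitimate to the executive but points somewhere else. As an added example that is not part of the Times article or the Mandiant report, the following Python script triages the anchors in an HTML e-mail body and flags two tell-tale signs: visible link text naming one domain while the href goes to another, and an href host that is a look-alike of a domain the organization trusts. The sample messages, the trusted-domain list and the edit-distance threshold are constructed for illustration.

```python
"""Spearphishing link triage (added example, not the report's or the paper's code).

Flags anchors whose visible text names one domain while the href resolves to
another, and hrefs whose host is a look-alike of a trusted domain.  Sample
messages and the trusted-domain list below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed trusted domains for this example (a real deployment loads its own list).
TRUSTED_DOMAINS = ("coca-cola.example", "example.com")

# Matches a bare host name such as "portal.example.com" inside link text.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Return the host part of a URL or bare host name."""
    url = text_or_url if "://" in text_or_url else "http://" + text_or_url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the samples here. A real
    deployment would consult the Public Suffix List instead."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is genuine."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Trusted name embedded as a sub-label ("example.com.doc-share.net")
        # or a near-miss spelling ("examp1e.com"); threshold of 2 is assumed.
        if trusted in host or levenshtein(reg, trusted) <= 2:
            return trusted
    return None


def triage(html_body):
    """Return a list of (finding, detail, href_host) tuples for one message."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        shown = DOMAIN_RE.search(text)
        if shown and registrable(host_of(shown.group(0))) != registrable(href_host):
            findings.append(("text_href_mismatch", shown.group(0), href_host))
        imitated = lookalike_of(href_host)
        if imitated:
            findings.append(("lookalike", href_host, imitated))
    return findings


# Constructed sample messages (not real mail).
BENIGN = '<p>Q3 report: <a href="https://portal.example.com/q3">https://portal.example.com/q3</a></p>'
PHISH = ('<p>Please review the revised term sheet: '
         '<a href="http://example.com.doc-share.net/terms.zip">https://portal.example.com/terms</a></p>')
LOOKALIKE = '<p><a href="https://examp1e.com/login">Click here</a> to re-validate your account.</p>'

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("phish", PHISH), ("lookalike", LOOKALIKE)):
        print(name, triage(body))
```

The text-versus-href check is the one that catches the classic "looks like our portal" lure; the look-alike check catches the cases where the attacker does not bother to disguise the link text at all. Both are cheap enough to run on every inbound message at the gateway, and either finding is a good reason to rewrite or quarantine the link before it reaches an executive's inbox.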

But investigators are more alarmed that the latest attacks originating from that building in Shanghai go beyond stealing information to attempts to "manipulate American critical infrastructure: the power grids and other utilities." And the most troubling attack to date (that analysts know about) happened in Canada, where the Canadian arm of Telvent was attacked. Telvent creates software "that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems," the Times reports.

Telvent caught the attack before the hackers could take command of the systems, but the incident was a bold demonstration of the Comment Crew's sophistication and malicious intent. "This is terrifying because, forget about the country, if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent," one security analyst tells the Times. "It's the holy grail."