The Snooping Dragon report (PDF) was written by Shishir Nagaraja from the University of Illinois at Urbana-Champaign, and Cambridge University's Ross Anderson.
The report focuses specifically on the hacking of PCs at various branches of the Office of His Holiness the Dalai Lama, and goes further than research into the GhostNet network revealed by Canadian researchers in explicitly blaming the Chinese government.
A combination of "well-written malware with well-designed email lures" was used by the Chinese government to collect actionable insight for its police and security services, the report states.
"The modus operandi combined social phishing with high-grade malware," the report said. "Few organisations outside the defence and intelligence sector could withstand such an attack and, although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual."
The hackers apparently monitored discussion forums frequented by Dalai monks, and used the information to create convincing phishing emails complete with attachments that downloaded key-loggers to PCs at the Dalai Lama's offices.
"We assume that one monk clicked on an infected attachment, giving the attackers their first foothold," the report said.
The researchers have now warned that companies keeping sensitive information on networked computers "had better think long and hard", although they recognise that separating internet-connected PCs and devices which store sensitive data is not practical.
"What Chinese spooks did in 2008, Russian crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course," the report warned.
"In the medium term we predict that social malware will be used for fraud, and the typical company has really no defence against it. We expect that many crooks will get rich before effective countermeasures are widely deployed."
Rick Howard, director of security intelligence at managed security provider iDefense, explained that nearly all of his customers had reported attacks using common email attachments.
"But there is hope. With the correct intelligence and security programmes, these organisations can reduce the amount of risk, so that even if an enemy was successful at breaching the perimeter, the amount of damage to the network or the amount of information leaked would not be devastating," he said.
"The bottom line is that the organisational leadership must understand their risk model and take measures to protect the high danger – high impact risks. This can be done and is being done by well run organizations with a good security programs."