The warning comes as a result of joint research by consultants PwC UK and BAE Systems' IT security arm, which also drew on expertise from the UK National Cyber Security Centre's (NCSC) Certified Incident Response (CIR) scheme.
The report suggests that the attacks have been taking place since at least 2014, with more activity than average in the past year.
The researchers say that the attackers are "widely known within the security community as ‘APT10'" and that the ‘Cloud Hopper' campaign the study identified was simultaneously used in targeted attacks against Japanese companies as well.
The report states that APT10 is widely recognised as a threat that emanates from China.
This is by no means the first campaign attributed to APT10, a group that has existed since at least 2009 and has been known to switch-its approach when needed. In 2013, following FireEye's disclosure of how the Poison Ivy malware family works, the group re-tooled before recommencing activities.
This is no one-person attack, either. APT10 is thought to have teams of people working in shifts on their own distinct areas of responsibility and expertise.
"As a result of our analysis of APT10's activities, we believe that it almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016," the report claims.
"Due to the scale of the threat actor's operations throughout 2016 and 2017, we similarly assess it currently comprises multiple teams, each responsible for a different section of the day-to-day operations, namely domain registration, infrastructure management, malware development, target operations, and analysis."
The true goal of targeting IT service providers, according to the researchers, is to gain entry to the "unfettered and direct access" they should have to clients' networks, as well as the swathes of data they might also have stored.
The malware used by APT10 is classified in two different ways: tactical and sustained. The former (EvilGrab, ChChes, RedLeaves) is designed to be disposable and is delivered via a spear phishing attack.
Once successfully into a target system, the ‘sustained' malware (Poison Ivy, PlugX, Quasar) enables long-term remote access and the ability to carry out higher-level tasks.
Organisations that have fallen victim to APT10 in this attack have already been warned by the two companies and the NCSC, according to the BBC.
Software-defined networking can centralise management of your global network, improving security and helping to optimise applications
Electronics and computer chain the latest high street retailer to fall into difficulties
Incisive Media and Investec Asset Management supported fundraiser crosses Atlantic in 40 days
Alphabet's health sciences division Verily have been messing with AI algorithms