According to investigative journalists working for the New York Times, two schools in China have been linked to the attack, which may have begun as early as April last year – far sooner than investigators had thought.
Shanghai Jiaotong University is said to have been one of the institutions involved. The school houses one of China's most prestigious computer science courses. The other institution, the Lanxiang Vocational School, has ties to the military and trains some of its computer scientsts, according to experts.
According to the Dark Visitor blog, operated by Scott Henderson, an expert on the Chinese hacker community, Shanghai Jiatong University has hosted lectures under the title "Hacker in a nutshell", given by Peng Yinan, an expert in information security. Henderson's ebook, also called Dark Visitor, ties the University to a group founded in 2000 by a hacker nicknamed coolswallow, who Henderson's blog alleges is Yinan. The group, called Javaphile, became a cell of the cyber-activist group the Red Hacker Alliance, according to Henderson. The Red Hacker Alliance is a network of patriotic hackers, formed in the late 1990s, that has in the past focused on attacking foreign interests for political purposes.
The US-China Economic and Security Review Commission (USCC) published a report in November describing the creation of cyberwarfare militia units by the People's Liberation Army, "comprised of personnel from the commercial information technology sector and academia ... represent[ing] an operational nexus between PLA [computer network operations] and Chinese civilian information security professionals."
Evidence of the schools' involvement in the Operation Aurora attack was gathered with the help of a military contractor that had been a target of the attack, discovered in January.