Ask longtime cybercrime expert Steve Santorelli, a spokesperson with researchers Team Cymru, about the many hacking expeditions targeting the US that appear to originate in China and the bottom line is: “This is very disturbing. We have never seen anything this sophisticated.”

Know this: Unlike many others in IT security, Santorelli avoids bold-faced headlines and scare tactics. A onetime London policeman, he is a just-the-facts kind of guy. When he tells you he is very concerned – be afraid, be very afraid.

The maddening characteristic of Chinese hacks: You may never know they were there because they typically steal nothing. But they copy a lot. Imagine you have a mid-sized business customer that is negotiating a deal with a Chinese entity. It's becoming nearly a dead-on certainty, said numerous sources, that there will be surreptitious probes into the company's financial accounts.

Think about the leverage that gives the other side in a negotiation.

Or think about copying account information for key U.S. legislators, or staffers, and hunting for details about where they spend money, on what, and are there obvious personal weaknesses?

“One critical point – it can't be overstated – when something is missing you know it is missing. When data is stolen, you don't necessarily know. The risks are what we don't know,” said Joseph Steinberg, CEO of security firm Green Armour Solutions in Hackensack, N.J.

In a recent survey by global IT association ISACA, 93.6% of respondents said APTs – advanced persistent threats of the kind unleashed by China – pose a “serious threat.”

They are called APTs because the Chinese hackers try and try again. Thwart their entry once and tomorrow they are back with a new gambit and ditto for the day after. With high-value targets their patience is seemingly infinite.

Especially worrisome is that the ISACA survey found that 60+% of respondents said their organizations were prepared to deal with APTs – but the technologies they cited as having on hand are of little use against highly sophisticated attacks.

Anti-virus and firewalls, the tools commonly cited by respondents, are close to useless in fighting against the Chinese government hackers, a fact illustrated by the roster of recent APT victims, which includes the New York Times, Washington Post, U.S. Department of Energy, and most inside-the-Beltway think tanks. All had top-drawer anti-virus and firewalls of course. But they got penetrated nonetheless.

The question, said the Washington Post, isn't who hasn't been hacked – it's whether the Chinese have the analytical tools to make sense of the huge volumes of data they collect every hour of the day.

The other question becomes, how prepared are credit unions to ward off APT? The answer – from multiple security sources – is that most have essentially no protections of value in place.

“They can penetrate pretty much anywhere,” said Ken Baylor, a vice president at security firm NSS Labs.

“Seeing the breadth and depth of the Chinese attacks I don't think anyone is adequately defended against them,” said Ari Elias-Bachrach, a security consultant with Defensium in Silver Spring, Md., whose past work includes stints at very large credit unions. (He declined to discuss specifics of those institutions' defenses.)

Right now, the question raised by savvy credit union CIOs is, exactly what can we do to block these hacks? Some admit they now are detouring all traffic that originates in China but that won't work long term because hackers with these skills can spoof their point of origin, making it seem they are in your hometown if they wish.

So what should a credit union do? Security experts advocate that now is the time when a systematic rethink – that considers both APT and DDoS – has become critical for financial institutions.

Adding urgency, many security experts also are predicting that more attacks will shift to smaller FIs – read “credit unions” – precisely because the money center banks have taken large steps towards toughening their perimeters.

That doesn't mean the attacks will stop. It means, said the experts, the attackers will shift their target to easier marks. And that could be very bad news indeed for credit unions.
