Day said that Symantec had also been tracking APT1 for six years.
"We can see consistency in the codes that were behind it, and the source sites which [the group] were using and where they were hosting from, but does it add any value for us whether it is a government group, a state-sponsored group or a military group? It's not our focal area," he said.
But he added that the firm is now working more with government to get this information to them.
"We would always reach out to the ISP to say ‘we think your site is compromised, you should shut it down and here is why’, and work with law enforcement and say ‘here is the evidence we've got, you may want to take this further’," he said.
Day gave an example of the Taiwanese government updating some of its military capabilities as evidence that any situation could be seen differently by a number of nations.
"As the Taiwanese government were going out to tender, we could see traffic going back to the US, Taiwan, China and other countries as well, but obviously someone was trying to get in the middle of that bid process," he said.
"You could argue it was a company trying to outbid everyone else or that it was one of the other nations trying to understand what Taiwan's future capabilities were going to be. People can look at it from so many different angles. It was interesting in that they were trying to update their military capability and cyber was used as a sub-part of that process," he added.