The Perfect Weapon
The digital addresses of many of the hackers stealing terabytes of data from American corporations—everything from the designs of the F-35 aircraft to the technology of gas pipelines, from data collected by health-care systems to Google’s algorithms and Facebook’s magic formula—pointed straight back to Pudong, the run-down neighborhood of massage parlors and noodle joints surrounding the white building.
But the trail of evidence fizzled out there, at the level of the neighborhood. The Chinese had so clouded the final termination addresses of the hackers’ systems that it seemed impossible to trace the thefts back to any one building. That was driving Kevin Mandia, a wry former air force intelligence officer who was leading one of the several private investigations into Chinese intrusions, absolutely crazy. It seemed impossible that the hacks he was tracing came from anywhere but the highly defended high-rise. He just couldn’t prove it. Yet.
“Either these hackers are hanging out in the noodle shops and the massage places or they are working day and night in that building on Datong Road,” said Mandia late one day near his office in Alexandria, Virginia.
While Mandia was building a client base of more than a hundred companies and revenues of $100 million for his cybersecurity firm, Mandiant, he had been tracking a Chinese hacking group with clear ties to the PLA. Mandiant called the group “Advanced Persistent Threat 1 (APT1),” the awkward term the industry uses to identify and number malicious state actors in cyberspace that aren’t going away.
Mandia was certain the hackers were part of Unit 61398, but he also knew that accusing the Chinese military directly would constitute a huge step for his company. Over seven years, he had compiled a list of the unit’s suspected attacks on 141 companies across nearly two dozen industries, but he needed solid evidence before he could name them. Yet as long as none of his investigators could get inside the building, whether physically or virtually, to identify the thieves, the Chinese would keep denying that their military had been tasked with stealing technology for state-run Chinese firms.
Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients—mostly Fortune 500 companies—Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops. They could see their keystrokes while actually watching them at their desks.
The hackers, just about all of them male and most in their mid-twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.
One day I sat next to some of Mandia’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square. “They were such bros,” Andrew Schwartz, one of Mandia’s communications specialists, recalled later. “But they were prodigious thieves.” They were also thieves with multiple employers: some moonlighted as hackers for Chinese companies, making it unclear whether they were stealing on government or corporate orders.
This was what the new cold war between the world’s two largest economies looked like up close. It bore no resemblance to the more familiar conflicts of past decades: No one was arguing over the fate of Taiwan, or bombarding the tiny islands of Quemoy and Matsu, as Mao did in 1958, prompting the United States to reinforce its Seventh Fleet and consider whether it was worth going to war. For while China was still interested in staking its territorial claims—starting in the South China Sea—and keeping America at bay, it understood the keys to reemerging as a global power after a centuries-long hiatus: artificial intelligence, space technology, communications, and the crunching of big data. And of course, outmaneuvering its only real challenger, the United States.
Yet in Washington, three American presidents—Clinton, Bush, and Obama—had struggled to define exactly what China was in relation to the United States: A potential adversary? A sometime partner? A vital market for American goods? A growing investor in the United States? China was all of these, and more, which is what made it such an intractable and fascinating foreign-policy problem. Every time the White House considered calling the Chinese out for their thefts, there was the temptation to pull its punches. There were always countervailing interests: the State Department needed help on North Korea, the Treasury didn’t want to upset the bond markets, the markets didn’t want to see a trade war started. In the cyber realm, this meant holding back on naming the Chinese when they got caught in some of the biggest hacks in recent years.
Instead, objections would be raised with the Chinese in closed sessions at the annual “Strategic and Economic Dialogue,” assuring that any discussion would remain quiet. And they would almost always result in a scripted Chinese response: It’s not us, the officials would insist. It’s a bunch of teenagers, or criminals, or miscreants.
Even in 2013, as a frustrated President Obama prepared to sign a new executive order to bolster America’s response to cyber intrusions, he couldn’t quite bring himself to name the Chinese government as the chief offender. “We know hackers steal people’s identities and infiltrate private emails,” he said in his State of the Union address that year. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic-control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Mandia was determined to do what the government wouldn’t do: publicly prove that the PLA was involved. He had come to the New York Times, over the objections of some of his colleagues, because he knew that an independent assessment of Mandiant’s work would give it more credibility. But his real goal seemed to be to goad the US government, and private industry, into action.
“I’m not sure this is the smartest thing to do,” he told me. “You know what the Chinese will do: They’ll put a big bull’s-eye on my back.”
But Mandia didn’t seem all that worried. The Chinese were different from the Russians. “They are into this stuff for the money, the technology, the military power,” he said to me. “You don’t see Chinese shutting down networks, though if we ever got into a war they certainly know how to do that. For them it’s pretty simple: They want control at home, and access to all the technology they can eat here.”
* * *
No one had expected the digital revolution in China to unfold in quite this way. In the 1990s, in the wake of Tiananmen Square and the subsequent government crackdown, it was an article of faith in Washington that the Internet would change China more than China would change the Internet. No one believed this more fervently than Bill Clinton. During a presidential visit to Beijing in 1998, he told students at Beijing University that the digital revolution meant one thing for them: more democracy, albeit with Chinese characteristics.
“Over the past four days, I have seen freedom in many manifestations in China,” he told the students, who sat there likely trying to figure out what the cost might be of applauding. “I have visited a village that chose its own leaders in free elections. I have also seen the cell phones, the video players, the fax machines carrying ideas, information and images from all over the world. I’ve heard people speak their minds….In all these ways I felt a steady breeze of freedom.”
Then came the core of the argument he had practiced on me and some other reporters at the White House before he left on the trip: “The freest possible flow of information, ideas, and opinions, and a greater respect for divergent political and religious convictions, will actually breed strength and stability going forward.”
Clinton told me after the trip that he emerged convinced that as China grew more connected, the Communist Party would weaken. He wasn’t alone. The writer and pro-democracy dissident Liu Xiaobo, who was in prison yet again during Clinton’s visit, later wrote that the Internet was “God’s gift to China.”
The Chinese president at the time, Jiang Zemin, listened to Clinton and clearly did not buy a word of it. Already Chinese leaders were thinking about how the West’s invention could be used as an instrument for social control at home and economic advantage abroad.
As the Chinese government became increasingly skilled at using cyber technology as a tool for both domestic surveillance and coercion, American companies looked the other way. For a while Westerners seemed willing to convince themselves that although the Chinese government cracked down on Chinese users of the Internet, it would let Westerners alone, as long as they were in their protected enclaves.
But the course was set. Every year, the Chinese imposed stricter requirements to ensure that their internal security forces knew exactly who was on the Chinese Internet, and what they were saying. Officials required that users employ their real names, not pseudonyms, and eventually told Internet companies that they would have to keep all servers handling Chinese traffic physically located within China. As the restrictions tightened, Western news organizations faced an inevitable choice: play by China’s rules, including complying with its expanding censorship requirements, or gradually get edged out of the world’s largest market. Bloomberg, among others, folded and agreed to censor.
Over the next few years, in many different forms, this drama would play out over and over, with Facebook and Uber, Apple and Microsoft. Each would have to make its peace with the China Rules: give the state access to your company’s information, and often your underlying technology, or get out.
Among the first to confront the problem was Google, whose experience taught every American company that China wasn’t hacking just for hacking’s sake: it had an intelligence angle and a political agenda.
* * *
As it turned out, an uncensored Google made the leadership of the country very nervous. As American intelligence agencies later learned, the leadership were Googling themselves, and the results were not always complimentary.
A secret State Department cable, written on May 18, 2009, and made public the next year in the WikiLeaks trove that Chelsea Manning had taken, reported that Li Changchun, who headed the propaganda department for the Chinese Communist Party and was a top member of the leadership, was astounded to discover that when he typed his name into a Google search bar he found “results critical of him.” Since he was the government’s leading censor, the fact that any Chinese citizen with an Internet connection could read something unpleasant about how he performed his duties was a rude awakening. From that moment, the die was cast.
Google’s problems accelerated beyond search results. Beijing officials didn’t like Google Earth, the satellite mapping software, because it showed “images of China’s military, nuclear, space, energy, and other sensitive government agency installations.” Knowing that George Bush was steadily pressing China to do more to combat terrorism, officials told the American embassy that Google Earth was a terrorist’s best tool.
Li required the three state-owned Chinese telecommunications firms to cut off Google, preventing it from reaching hundreds of millions of Chinese users. He wanted to sever the link between Google’s Chinese site, which complied with China’s censorship rules—no Tiananmen Square history, nothing on the Falun Gong—and Google’s Hong Kong and US sites, which had no censorship.
But in December 2009, Google’s top executives discovered a bigger problem: Chinese government hackers were digging deep inside the company’s systems in the United States. And the hackers weren’t just going after Google’s algorithms, or trying to help Baidu, the search firm China had created to compete with Google and that became the world’s second-biggest search engine. The hackers were looking for intelligence—everything from the activities of Chinese nationals living in the United States to the communications of key American decision-makers who used Gmail because it was hard to access federal computers from home. The hackers mapped where they worked and what their vulnerabilities were.
The malware inserted in Google’s system was encrypted and buried in corners of Google’s corporate networks where it could easily be missed. Once it was dug in, the malware created a covert communications channel, or a back door, to China to siphon out whatever information the malware scooped up.
Google wasn’t the only target. There were about thirty-five other companies hacked around the same time, though Google was clearly the top priority. This group of attacks was soon given the name “Operation Aurora” by Dmitri Alperovitch, then a young researcher at McAfee who years later would emerge as a key player in identifying the Russian intruders into the Democratic National Committee.
The targets of Operation Aurora pointed to China’s motives. Google engineers discovered that, in addition to looking for some of the source code for Google’s search engine, the hackers were trying to break into the Gmail accounts of Chinese human-rights activists as well as their supporters in the United States and Europe.
Aurora marked the first time that the Chinese were caught engineering a major hack that sought to steal information from a non-defense firm. “We never before saw a commercial company come under that level of sophisticated attack,” Alperovitch said at the time. “It’s a big change.” In fact, this was the moment that cyberwars began focusing on what civilians kept in their networks.
“That was the surprise,” one of Google’s top executives said to me later. “We weren’t producing the F-35. We weren’t making space lasers. We weren’t designing ICBMs. So it was something of a wake-up call that we were right in their gun sights.”
Google took the bold step of announcing, in early 2010, that it had been targeted in a “highly sophisticated” attack that came out of China. Google notified other companies it knew had also been targeted, but many of these companies did not want to be named publicly for fear of angering the Chinese or revealing their own vulnerabilities. But Adobe, whose software was crucial for making PDFs and other office documents, and a handful of other companies were willing to take the risk and name the Chinese. The companies contended that only a government actor would have the talents to conduct such a complex intrusion.
There was little doubt that the attack on Google had been ordered by the top levels of the Communist Party. A secret State Department cable in the WikiLeaks trove alleged as much, to no one’s surprise: “A well-placed contact claims that the Chinese government coordinated the recent intrusions of Google systems. According to our contact, the closely-held operations were directed at the Politburo Standing Committee level.”
What surprised other Silicon Valley firms doing business in China was that Google suggested it would be fighting back: it would no longer obey Chinese rules about censoring search results on Google.cn, its Chinese server. Inside Google, the chairman, Eric Schmidt, knew exactly what the company’s defiance would mean. David Drummond, the company’s chief legal officer, wrote in a blog: “We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.”
That conclusion was likely the exact one that Li Changchun, the propaganda chief, wanted Google to reach. Since the Chinese had already replicated Google’s business model with Baidu, the next step, it seemed, would be to force Google out of the market.
Schmidt told me afterward that the Aurora attacks had pretty much “ended the debate inside the company about what our future was on the mainland.” If China was willing to go to all that trouble to break into the company’s servers in the United States, it would clearly have no compunctions about demanding every bit of user data in China, and Google wasn’t willing to let that happen. By later in 2010, Google was packing up and moving out of Beijing.
There was one more twist to the Aurora story that no Google executive revealed at the time. The Chinese had cracked a Google server that contained a database of court orders delivered to Google—the orders from the United States Foreign Intelligence Surveillance Court and other judges around the country. The FBI’s counterintelligence team knew what this particular theft meant: the Chinese intelligence services were looking for evidence that their own spies in the United States had been compromised and placed under surveillance.
“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” one former official told Ellen Nakashima of the Washington Post. It was a brilliant move: after years in which Chinese spies were swept up in FBI investigations, Beijing had decided to get a step ahead of the investigators. The Chinese Ministry of State Security, it turned out, was penetrating American intelligence operations—via Google.
It wouldn’t be the last time.