* * *
—
Naturally, Unit 61398—formally the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department—existed almost nowhere in the Chinese organizational charts. But by 2013 it had been in the sights of American intelligence agencies for several years.
The day before Barack Obama was elected president in 2008—and the same week that the Defense Department was battling the Russians—another State Department cable voiced official concerns about how frequently the unit was breaking into US government sites. Obama himself had felt the sting: the Justice Department contacted him during his 2008 campaign to explain that the Chinese were deep inside his own campaign computers, presumably looking to understand how their complex relationship with Washington would change with the election of a young senator who had barely been on China’s radar.
“That was our early taste of this problem,” Denis McDonough, who became Obama’s chief of staff, later told me.
Everything the US government knew about the unit was still classified, owing to some strange combination of diplomatic concerns that no one would quite articulate and the fact that the United States had just launched a criminal investigation into the thefts. But in hacking investigations the government often does not have a monopoly on the evidence, since most companies not only call a private cybersecurity firm first but often hesitate to let the FBI into their computer systems for fear of what else might be exposed to federal investigators.
Which was how, by 2012, Kevin Mandia’s staff had come to be looking at an actual Chinese hacker through the hacker’s own camera. And the hackers had another vulnerability that helped Mandia home in on their identities. Because they had special Internet access in China, the hackers could bore through the Great Firewall and do what ordinary Chinese could not: check their own Facebook accounts. By watching the hackers type, Mandiant was able to track down their names.
Among the most colorful was a hacker whose screen name was UglyGorilla. He ranked among Unit 61398’s most prolific operators and turned out all kinds of malware from an IP address that was right in the Pudong neighborhood. Mandia watched UglyGorilla and his fellow workers log in and steal blueprints and identification numbers from RSA, the American company best known for making the SecurID tokens that allow employees at military contractors and intelligence agencies to access their email and corporate networks. The hackers then used the data stolen from RSA to get into Lockheed Martin.
While Mandia was keeping an eye on UglyGorilla, another hack—perhaps the most troubling and mystifying—was taking place out of his view, in Canada. The target was a subsidiary of Telvent, a company that designs software that allows oil-and-gas operators to turn their pipelines on and off remotely and to control the flow of energy supplies. Telvent held the blueprints for half the oil and gas pipelines in the Western hemisphere. In September 2012, the company had to admit to its customers that an intruder had broken into the company’s systems and taken project files.
No one could quite figure out whether this particular hack was the work of Unit 61398—which looked probable—or some other Chinese group. Nor was the motive clear. Were the hackers planning to take control of the pipelines, perhaps in time of war, and freeze out much of the United States? Or were they simply industrial thieves, looking to steal the software so that they could replicate similar pipelines in China or elsewhere? While the United States and the Canadians investigated, the findings—if any—were never made public. The mystery remains.
* * *
—
Even while the Telvent hack was under way, the Chinese government was preparing another, far more sophisticated covert operation in Washington. It would ultimately yield them a map of how the US government operates, populated with the most intimate details of the lives of 22 million Americans—almost 7 percent of the country’s population.
The data were extracted from a rather boring corner of the US government, the Office of Personnel Management—a vast bureaucracy that acts as the record-keeper for the millions of people who have worked, currently work, or have applied to work for the US government, whether as employees or as contractors.
As the Obama administration turned, belatedly, to locking down the US government’s cyber infrastructure after the Manning and Snowden information thefts, OPM was not exactly high on its priority list. “The first focus was on the big national security apparatus,” Michael Daniel, Obama’s cyber coordinator, recalled later. “Defense. The intelligence agencies. People didn’t think much about OPM.”
But the Chinese did. They carefully surveyed the federal government’s networks and quickly figured out that buried in the aging computer systems at OPM was a huge repository of the least protected highly sensitive data collected by the US government. OPM was responsible for gathering the information needed to perform background checks on almost anyone who needed a “secret” or “top secret” security clearance. Five million Americans held those clearances in 2014, when China cracked the repository wide open.
To obtain a security clearance from the US government, prospective federal employees and contractors have to fill out an exhaustive 127-page form—Standard Form 86—in which they list every personal detail about their lives. Every bank account, every medical condition, every illegal drug they used in college. They must detail information about their spouses, their kids, their ex-spouses, and their affairs. They even have to name every foreigner they have come into close and continuing contact with for the past decade or so.
The data provided in the SF-86—and the reports of the investigators who subsequently use that information to conduct background checks—constitute a treasure trove for any foreign spy agency. Here, in one place, resides an encyclopedia of the American national-security elite: Not just names and Social Security numbers, but information about where people work, where they have been posted around the world, and whether they are so deeply in debt that they may be easy marks for recruitment. The personal histories offer a wealth of potential blackmail information, as well as clues about how to impersonate a family member or friend online.
The Chinese security services possessed a far better understanding of this vulnerability than did most members of Congress or the administration. With just a bit of exploration, the Chinese hacking team discovered that the data were being kept at the Department of the Interior—completely unencrypted—because it had spare digital storage space. That meant the records were stored in the same systems used by the national parks for tracking buffalo migration, or managing fishing stocks on federal lands.
This was the least of the problems with OPM’s information-security infrastructure. The agency’s IT security environment was appallingly inadequate, as the OPM’s inspector general—the department’s independent watchdog—had documented in a series of reports dating back to 2005. The system itself was outdated, but management made it even worse—they failed to follow nationwide government policy on security protocols, neglected to maintain their systems properly, and ignored advice on best practices. By November 2014, the problems were so acute that, in a scheduled audit, the inspector general recommended shutting down parts of the system because the holes were so big that they “could potentially have national-security implications.” (And they already had; OPM just didn’t know it yet.)
But shutting down the system was not an option: there was a backlog of tens of thousands of security-clearance applications. Agencies across the US government—from the Pentagon to the Drug Enforcement Agency—were clamoring to get their people cleared and pensions paid. The inspector general’s shutdown recommendation was roundly rejected by Katherine Archuleta, OPM’s overwhelmed director.
From the start, Archuleta and her staff were clueless about what was happening in their networks. The agency’s computers had no warning system to send an alert that a foreign intruder was lurking in the system, or had begun to siphon data out of it at night. The best gue
ss of the investigators, who later spent over a year trying to piece together a timeline of the hack—stymied not only by the limits of technology but also by a recalcitrant OPM bureaucracy—was that the hackers most likely cracked OPM’s systems repeatedly in late 2013.
The Chinese got caught once and expelled, in the spring of 2014, when they got “too close to getting access” to the systems that held private personal information, a congressional investigation later discovered. But even that discovery did not lead to a crash effort to seal the system. And the Chinese now had what they needed most: a map of OPM’s networks and credentials stolen from one of the agency’s external contractors.
Soon the hackers were back. They logged in with the contractor’s stolen passwords and dropped malware into the system to open up backdoor access. For about a year they operated undetected in the network and systematically exfiltrated the SF-86 forms and the written reports on background investigations. At some point during the summer of 2014, the SF-86 forms for 21.5 million people were copied from OPM’s network. By December, 4.2 million personnel files—covering 4 million current and former federal employees, with their Social Security numbers, their medical histories, and their marital status—had been stolen. And by March 2015, 5.6 million fingerprints had been copied and spirited away. OPM itself never noticed how much data were flowing from its systems, possibly because the Chinese politely encrypted the data on the way out the door, a step that OPM itself hadn’t taken to protect the mountain of sensitive information it held.
It wasn’t until April 2015, when a private computer-security contractor working for OPM flagged an error on a domain name—in this case “opmsecurity.org”—that the agency’s cyber team began to investigate in earnest. The domain had been operating for about a year, but no one at OPM had created it. Worse, it was registered to “Steve Rogers”—a fictional character better known for his exploits as the superhero Captain America, one of the Avengers. A second website, discovered shortly afterward, was registered to his comrade Tony Stark. Connoisseurs of hacking techniques immediately observed that a Chinese military group had, in the past, left similar odes to the Avengers.
Fifty days of radio silence followed as OPM scrambled to understand what had happened. Even other parts of the Obama administration couldn’t get straight answers. The Office of Management and Budget, one senior official recalled, received conflicting information about how big the breach was. “I don’t think they were lying to us,” one of their senior officials said. “I think they didn’t know how many computers they had, much less who was on them.” The security company Cylance helped sort through the wreckage; a technician working on the case wrote a pithy email to the company’s chief executive: “They are fucked btw.”
That was a decent summation. But the damage wasn’t limited to the employees whose data were retained by OPM. While the intelligence agencies knew better than to keep the records of their operatives on the OPM system—partly because they didn’t trust it—the top two officials at the CIA, director John Brennan and the deputy director, David Cohen, quickly came to the conclusion that scores of their operatives abroad were now vulnerable. Many were posted to China under “official cover,” meaning they were posing as diplomats. To make that cover convincing, they had a State Department history and a file—but sometimes with career gaps or other clues the Chinese might pick up on.
It became apparent at the CIA and other intelligence agencies that the problem was even more complex. In an age of big-data techniques, the database was far more valuable than its millions of individual files. It allowed the Chinese to compare the OPM files to their own intelligence resources and even to Facebook profiles and the digital dust that diplomats and spies left in their past postings. It was easier than ever before to unmask CIA operatives. And the problem was not limited to existing officers: those still in training, or awaiting assignments, could also be identified. Soon dozens of postings to China were canceled. As Robert Knake, a former director of cybersecurity policy issues in the Obama White House told me, “a whole bunch of CIA case officers” could be “spending the rest of their careers riding desks.”
The OPM hack offered a glimpse of the future, of what happens when old-fashioned espionage meets the new world of data crunching. Investigators looked at the hack of Anthem, a health-care company, in a new light; while the OPM hack was still under way, Chinese hackers, also suspected of working for the government, had been caught after stealing upward of 78 million records. The hack raised the possibility that all of these databases were being combined to provide a deeper picture of Americans.
Adm. Michael Rogers, the NSA chief, hinted at this issue when he observed that just a decade before the OPM hack, stealing 22 million records would be of little value; whatever country got them would be overwhelmed by so much information. At a talk one evening in Aspen, Colorado, soon after the disclosures in 2015, he alluded to the larger issue, gently: “From an intelligence perspective, it gives you great insight to potentially use for counterintelligence purposes….If I’m interested in trying to identify US persons who may be in my country—and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose? There are interesting insights from the data you take from OPM.”
This was entirely new territory for the intelligence community—and terrifying in its scope. As word of the size of the OPM loss began to leak out, Archuleta issued ridiculous-sounding assurances, such as “Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM.” History suggested otherwise. She repeatedly rejected demands from Capitol Hill that she resign. The White House declared its support for her, but she was gone by mid-July.
But, at least in public, the administration never leveled with the 22 million Americans whose data were lost—except by accident. Federal employees were sent letters telling them some of their information might have been compromised, and they were offered several years of free credit-monitoring—as if the information had been stolen by criminals. (It has never shown up on the black market, another sign the theft was an intelligence operation.) The White House refused to blame Beijing. Fortunately James Clapper, the director of national intelligence, slipped in one public interview and offered his grudging respect for tradecraft. “You have to kind of salute the Chinese for what they did,” he blurted out. (He later tried to walk that comment back.)
Appearing in Congress a few weeks later, Clapper insisted that the whole incident was espionage, pure and simple, and therefore did not constitute an “attack.” Over a two-hour hearing, members of Congress got angrier and angrier: it looked like an attack to their constituents, they said.
Clapper pushed back, in one of those rare moments when it became clear that the United States had no intention of agreeing to rules for behavior in cyberspace that could impede our own intelligence agencies. Having previously declared, “If we had the opportunity to do the same thing, we’d probably do it,” Clapper now told the assembled senators: “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks….”
“So, it’s okay for them to steal our secrets, that are most important,” Sen. John McCain shot back, “because we live in a glass house. That is astounding.”
“I didn’t say it’s a good thing,” Clapper replied. “I’m just saying both nations engage in this.”
* * *
—
Mandiant and the New York Times finally published their reports on Unit 61398 in 2013, as the OPM hack was unfolding. Reading the news, David Hickton, the US attorney for the Western District of Pennsylvania, thought the biggest case his office ever handled had just been blown up.
A big, tough-talking prosecutor, Hickton was a fixture in Pittsburgh: in the mornings you could usually find him at Pamela’s, a pancake place in the gritty Cemetery Hill section of town. As he read the art
icle, with its details about UglyGorilla and his fellow hackers, “I thought, this is the end of it—we’ll never catch the Chinese by surprise now.”
Hickton was then in the center of a grand experiment to determine whether criminal charges could be brought against foreign governmental officials—in this case Chinese military officers—for hacking into companies in the United States. It was a case that made a lot of American officials nervous, not least at the NSA. If the United States could indict Chinese hackers for stealing intellectual property, what was to stop the Chinese from indicting members of the NSA’s Tailored Access Operations unit for going inside Huawei? Or the Iranians from indicting Americans for blowing up centrifuges at Natanz?
Hickton was largely uninterested in these arguments: Political to his core, he knew what needed to be done for Pittsburgh. The city had been at the center of a number of the Chinese efforts to grab American expertise, and it was time to hit back.
There was no shortage of victims for Hickton to select from. Westinghouse, a nuclear power company headquartered in the greater Pittsburgh metropolitan area, had discovered that, while it was in the midst of building four cutting-edge nuclear power plants in China in 2010, some of its proprietary data had been stolen, including designs for the reactors. The thefts would enable Chinese competitors to acquire the same technology without spending hundreds of millions of dollars on research and development. Then, for good measure, the hackers grabbed nearly 700,000 pages of company emails, presumably looking for a glimpse of the Westinghouse leadership’s negotiating strategy with a big, state-owned Chinese firm.
There were other victims: U.S. Steel, one of the few survivors from the old days in Pittsburgh, found malware on its systems while it was engaged in some unfair-trade-practices cases against Chinese steelmakers. The Chinese even stole emails from the United Steelworkers, the reeling union, about its strategies to pursue trade complaints against Chinese manufacturers.
The Perfect Weapon Page 14