The Rest Is Classified – Episode 88
"China vs Google: When Beijing Took on Silicon Valley (Ep 1)"
Date: October 5, 2025
Hosts: David McCloskey, Gordon Corera
Episode Overview
This episode initiates a multi-part investigation into the watershed moment when Google discovered it was the target of a sophisticated state-sponsored cyber espionage operation attributed to China—commonly known as Operation Aurora. David McCloskey, a former CIA analyst, and Gordon Corera, veteran security correspondent, contextualize this event as the origin story of companies versus nation-states in the digital world, exploring how a tech giant like Google became embroiled in international espionage, geopolitics, and the ongoing struggle for control of information in the 21st century.
Key Discussion Points & Insights
1. Setting the Scene: China and the Internet (04:08–09:38)
- China's evolving approach to the Internet:
- Pre-Xi Jinping China was relatively more open but increasingly nervous about the destabilizing potential of global connectivity.
- The 1989 Tiananmen Square crackdown fostered paranoia within Chinese leadership about the subversive risks posed by open information and Western technologies.
- Technological anxieties:
- Anecdote of Microsoft’s anti-piracy measure (black screens across government departments) highlighting Chinese fears of dependence on Western tech:
“A Western company just effectively showed that they have the ability to turn us off. You can see why that's pretty scary.” — Gordon Corera (08:11)
- The rise of the Great Firewall:
- The Chinese government began constructing digital border controls with technical assistance from Western firms to stifle dissent and perceived Western subversion.
- Motivations for state control:
- China's intelligence posture is “first and foremost about domestic stability,” with cyber strategy driven by the imperative to prevent internal unrest. (09:00–09:33)
2. Companies, Censorship, and the Chinese Market (09:39–14:38)
- Foreign companies’ dilemma:
- Western firms made substantial compromises to access the enormous Chinese market.
- Social networks were largely excluded, but Google entered China in 2005 after internal debate, launching Google.cn—a censored, localized search engine.
- The ‘Don’t Be Evil’ tension:
- Google’s mission (“to organize the world’s information and make it universally accessible and useful”) vs. complying with Chinese censorship:
“Seems like that tension would be far greater for a search company...than if literally your company's sort of whole purpose is to provide open information.” — Host (12:38)
- Sergey Brin’s Soviet upbringing influenced a more cautious stance on engagement with authoritarian regimes.
3. Rising Tensions Preceding the Attack (14:39–15:16)
- Censorship escalates:
- After the 2008 Beijing Olympics, requests to censor politically sensitive topics and negative press about officials increase—censorship is not temporary.
- A Politburo member’s outrage at seeing critical search results about himself demonstrates the regime’s sensitivity.
4. Discovery of the Hack – The Googleplex Incident (15:15–20:18)
- December 14, 2009:
- Security lead Heather Adkins and her team at Google notice a highly sophisticated breach—initially attributed to mischievous interns but quickly recognized as a serious external attack with unprecedented tradecraft.
- The breach was extensive:
“The bad guys have got everywhere. It's a massive breach of the corporate system. Basically, the hackers are in...They've got no playbook for how to deal with it.” — Gordon Corera (19:58)
5. The Immediate Response: Going Analog (21:55–24:37)
- Physical forensics:
- Security staff manually remove and quarantine hard drives late at night to prevent further data compromise.
- A “war room” is established, isolated from company systems, and even founders like Sergey Brin take personal interest in the counter-espionage operation.
6. Technical Details: How the Attack Worked (24:37–26:39)
- The vector:
- Hackers exploited a zero-day vulnerability in Internet Explorer used by a Google China employee (everyone else was on Chrome).
- Attackers used social engineering (an instant message via a trusted contact) to deliver the exploit:
“...the crucial thing is that it's not an out of the blue email...but it's someone who you're regularly chatting with. So you're exploiting that trust.” — Gordon Corera (25:22)
- Sophistication and attribution:
- Zero-days are expensive, hinting at state-level resources; the use of advanced, stealthy malware (trojan) enabled remote, undetectable control.
7. Escalation: Internal and External Response (27:15–29:35)
- Internal experts worldwide are mobilized; external firms and cyber experts like Dmitri Alperovitch of McAfee are brought in.
- The operation is termed “Aurora” (after a code found in the malware).
- Google brings in Ron Deibert’s Citizen Lab, typically focused on protecting activists, raising ethical questions:
“Whose job is it to protect Google?...especially when you're being hacked by a very sophisticated adversary which might be a nation state.” — Gordon Corera (28:31)
8. Cyber Attribution: Linking to China (30:18–35:45)
- Espionage target focus:
- Attackers searched for Gmail access methods and source code (like Gaia, Google’s password system), aiming for persistent, stealthy future access.
- Targets included human rights activists based in the US, China, and Europe, notably artist Ai Weiwei and Tibetan student activists.
- Technical and contextual attribution:
- Some indicators linked activity to specific Chinese technical universities.
- Broader intelligence interests:
- Hackers also probed legal discovery tools inside Google, likely seeking information on FBI or FISA requests—potentially searching for Chinese intelligence assets under American surveillance:
“If you've got some agents in the US, you can suddenly see whether they are under surveillance by the FBI because you can see where the FBI has asked for a warrant on them.” — Gordon Corera (37:38)
9. Scope of the Operation: Not Just Google (37:38–38:48)
- At least 20 companies, including Microsoft and Adobe, were targeted as part of Operation Aurora.
- Google only detected the breach because of superior internal monitoring.
Notable Quotes & Memorable Moments
- On the geopolitics of internet control:
“So they're going to do their best to stop that happening.” — Gordon Corera (05:36)
- On the vulnerabilities of Western enterprises in China:
“A Western company just effectively showed that they have the ability to turn us off. You can see why that's pretty scary.” — Gordon Corera (08:11)
- Google’s internal conflict:
“Don't be evil, which I thought was the CIA's motto.” — Gordon Corera, joking (11:02)
- On discovery of the hack:
“At first they say, we've caught the interns doing naughty stuff. That's the first reaction, which is everyone's first reaction.” — Guest/Expert (18:54)
- On the hackers’ capabilities:
“The bad guys have got everywhere...They basically have never seen anything like this in Google and they've got no playbook for how to deal with it.” — Gordon Corera (19:58)
- On the limits of cyber defense:
“Part of the structural problem though is that in the cyberspace you can't be perfect, right? You cannot be perfect on your defense. And when you have a really well capitalized, organized adversary, if they really want to find a way in, like they're probably going to.” — Host (29:35)
- On the cyber-espionage game:
“They are living inside Google's network. So if you send messages around Google's network...they can see it.” — Gordon Corera (31:05)
Key Timestamps
- 00:25–01:09: Introduction to Google's public disclosure of the hack
- 04:08–09:38: Setting context: China’s view of the internet and emergence of the Great Firewall
- 09:39–14:38: Western tech companies’ struggle with Chinese censorship and market access
- 15:15–20:18: How Google discovered the hack; initial internal confusion and eventual escalation
- 21:55–24:37: Security team’s analog response—pulling hard drives, establishing a war room
- 24:37–26:39: Technical breakdown: phishing, zero-day exploits, trojans
- 27:15–29:35: Expanding the investigation; Ron Deibert’s Citizen Lab contacted; “whose job is it to protect Google?”
- 30:18–35:45: Attribution: advanced tradecraft points to China, focus on human rights dissidents
- 37:38–38:48: Other companies targeted; Google was last to discover
Tone and Style Observations
- Conversational, with dry humor and ad-libbed asides (joking about the podcast being founded in a garage, the CIA's unofficial motto).
- Technically informative, translating complex cybersecurity and intelligence issues into vivid, accessible storytelling.
- Emphasizes the human element—placing listeners inside both the surreal world of Silicon Valley and the paranoia of Chinese authoritarianism.
What’s Next
The episode ends on a cliffhanger:
What will Google do now that it knows the Chinese state has deeply penetrated its systems? How do they respond when the attacker isn’t a criminal but a superpower?
“Maybe there, Gordon, it's a good spot to end. And when we come back we will answer that question and see exactly how Google takes it to the Chinese state.” — Host (38:48)
For Declassified Club members: An in-depth interview with Kent Walker, Alphabet’s President of Global Affairs, on this very episode’s themes.
Missed Episode 1? This summary provides all you need to follow the unfolding story of how big tech and nation-states collided—and why it changed the cybersecurity world forever.
