Loading summary
Kevin Mandia
I think it's the greatest transfer of wealth in history.
Jim Lewis
So they call it advanced persistent threat.
Nicole Perleroth
That time period was the most dangerous in America's history. Here, danger and the greatest wealth transfer in history. And your mind goes to heist of the old school variety. Masked thieves making off with diamonds or bags of cash. But this, this was burglary on a global scale.
Kevin Mandia
You know they're there, you see these terrible little scraps of. Yeah, they looked at this one file but you know, they looked at 10,000 files and the evidence is only giving you the one and you're like, oh my God, I'm getting less than 1% visibility into what they're doing here. And that's how that feels.
Steve Stone
And it was very apparent that the business had just been stolen. The entire business was stolen. There's nothing we were going to do on the incident response side, like it's over, it's a wash. As long as.
Dmitri Alperovich
They keep stealing, they can't innovate. And I was like, what are you smoking?
Nicole Perleroth
For two decades now, trillions of dollars worth of American R and D trade secrets, intellectual property have crept out the back door. And when you peel the mask off the thieves, it's the same culprit every single time. China's multi pronged assault on our national.
Jim Lewis
And economic security make it the defining.
Dmitri Alperovich
Threat of our generation.
Nicole Perleroth
Our adversarial focus has long been on our Russian comrades across the Atlantic. But in the meantime, a more insidious rivalry has quietly taken shape on the far side of the Pacific. Russia is much like a hurricane. They're aggressive and come at us hard and fast. But China is climate change, right? They're long term, large scale and ever present. America has been losing its crown jewels, its intellectual property to China. Chinese hackers made off with the blueprints to our passenger planes, our prized fighter jets, our turbines, the secrets behind our genetically modified seeds, even the formula for the White House paint. They're long gone. Americans have barely begun to reckon with all that was lost. But these days, China doesn't just want our trade secrets, they want influence. And they're pursuing it in the most disturbing of ways. By hacking our critical infrastructure. They said publicly that the reason for.
Dmitri Alperovich
These hacks was in order to disable.
Heather Adkins
Our critical infrastructure is that these were.
Nicole Perleroth
Essentially pre operational activities.
Jim Lewis
You don't hack infrastructure for fun, right? It's reconnaissance, it's target reconnaissance for the event of a conflict between the United States and China.
Nicole Perleroth
So I take it your answer would.
Dmitri Alperovich
Be that the Chinese have become more aggressive and in a sense expansionist in their use of spying and hacking.
Jim Lewis
Yes.
Nicole Perleroth
I'm Nicole Perlerath and this is To Catch a Thief. I've spent the past 15 years swimming in cyber threats. For a decade, I was the New York Times lead cybersecurity reporter. I wrote a book, this Is How They Tell Me the World Ends, Investigating the ins and outs of the cyber arms market. And now I travel the world educating people about the very real potential for a cataclysmic cyber attack. It's a threat that for whatever reason has never quite reached the American mainstream. Despite my best efforts, most Chinese cyber attacks were still understood as one offs rather than the carefully laid pieces of a longer master plan.
Heather Adkins
Google traced the sabotage back to China and says the break ins were part of a pattern of cyber attacks on.
Nicole Perleroth
Human rights activists who criticized China. The New York Times reporting on a cyber attack on its own computers.
Paul Moser
Meantime, new concerns this morning about computer security.
Nicole Perleroth
After more than 70 corporations and government organizations worldwide were targeted this week by a cyber spy ring. It wasn't until a decidedly analog espionage threat hit the nightly news that Americans started to pay attention.
Paul Moser
I'm sure a lot of you were.
Nicole Perleroth
Following along with that now viral Chinese weather balloon that US Officials shot down over the weekend. I mean, this balloon has been a talk of the country since then. Welcome back. We're now the latest on the suspected.
Paul Moser
Chinese spy balloon shot down by a.
Nicole Perleroth
US Fighter jet off the Carolina coast. The Pentagon now confirming four previous Chinese balloon flights over the sensitive sites in the US this is all part of a global surveillance operation by Beijing. The giant Chinese balloon that had been floating across parts of the United States has been shot down by an American fighter jet off the coast of South Carolina. The balloon which the US Says was being used to spy on military sites appeared to plummet into the sea. While China continues to insist that it was in fact a stray civilian weather observation airship. But if there were spy balloons floating over every military installation, company, university, law firm or research lab that has been breached by China, the sky would be a sea of white. A note here before we go any further. You'll hear me and others refer to Chinese hackers or being hacked by the Chinese. Something crucial to understand is that what you're about to hear has nothing to do with the Chinese people. It has everything to do with the calculated efforts and strategic plans of China's leaders in the Chinese Communist Party, the CCP efforts that have been playing out below our radar for a long, long time. Looking back, I had no idea what I had gotten myself into it was 2010. The New York Times had hired me to cover cybersecurity. Not only did I not know anything about cybersecurity at the time, I had gone out of my way to not know anything about cybersecurity. It was technical and a little terrifying. And as I dug in, it became clear that even the word cybersecurity was a misnomer. There was no cybersecurity. Hackers were breaking into companies left and right, doing whatever they could to get the goods and whatever they could to stay there undetected. In talking to expertsgovernment officials, security researchers, hackers themselves, one refrain kept coming. The two companies refrain.
Kevin Mandia
There are two kinds of big companies in the United States. Those who've been hacked by the Chinese and those who don't yet know they've been hacked by the Chinese.
Nicole Perleroth
You might recognize that voice. That was former FBI director James Comey. He's regurgitating a phrase I've heard so many times, it's easy to forget who first said it. I want to get the words out of your mouth. There is a phrase in our industry that has been plagiarized to death, and I believe I have traced the origin to you.
Dmitri Alperovich
There are only two types of companies. Those that know that they've been hacked and those that don't yet know. And this is a phrase that I actually got a lot of criticism for when I first announced it in 2011 because I was seeing all these hacks that were taking place and people thought that was exaggerating, that this was overhyping a thing.
Nicole Perleroth
That's Dmitri alperevich. Back in 2011, Dmitri ran threat research at McAfee, the antivirus shop. The Chinese cyber attacks he witnessed there compelled him to leave and co found CrowdStrike with George Kurtz. He'd later write a book world on the how America can beat China in the race for the 21st century. Suffice to say, you'll be hearing plenty from him. As I started covering these hacks, it became abundantly clear that Demetri's two companies refrain was not overhyping. Not even a little bit.
Dmitri Alperovich
Maybe if I can step back. The pivotal moment really was when I I get a call from this little company called Google. Heather Atkins. That still is their Google run security team.
Nicole Perleroth
It's late 2009. Google is hurtling towards its prime. For Heather Adkins, the director of Google's information security team, it started out as just another Monday.
Paul Moser
It was kind of the end of the day, the end of my working day, and I'd come back to my desk, and there were a bunch of engineers standing around a desk and. And said, hayley, look what we found. We did actually think what we were seeing, you know, was an intern just with bad business practice, you know. Once we'd spent a few hours taking a look at it, it was pretty obvious that what we were looking at was very different.
Nicole Perleroth
Heather and her team realized that this was no intern. But whoever it was, they were taking over real employee accounts. In that initial fog of war, Heather and her team couldn't rule out the possibility that whoever this was might be getting insider help.
Paul Moser
I would say we did every investigative method you could think of, from forensics to interviews. If a person's machine or an account was used by the threat actor, we interviewed them. We did everything. So, yes, we would have talked to interns, Googlers of all kinds, all of the systems administrators, whose accounts, the SREs, we call them, whose accounts were taken over and abused by the threat actor. We talked to them. I think I even made two people change their username on the systems just so that we could delineate between good guy, bad guy kind of thing. I would say we deployed all creative resources. After the first 12 to 24 hours, it was pretty clear that we were dealing with a scale that was going to quickly overwhelm our small team who knew how to do this work. So very quickly. We knew we just. We needed to call in people who were doing this on a regular basis.
Nicole Perleroth
Google called in cybersecurity's equivalent of the Wolf from Pulp Fiction, the Harvey Keitel character in the suit, the one who gets called in when things are spinning out of control and you need a real professional to mop up the message.
Paul Moser
Now you got a corpse in a car, minus a head in a garage. Take me to it.
Nicole Perleroth
When it comes to digital messes, the Wolf is Kevin Mandia, founder of Mandiant. Mandiant's the 1, 800. Oh, shit. Call the guy in the suit. You call when your breach gets out of hand. And it wasn't just Google who was calling. Here's the Wolf himself.
Kevin Mandia
You know, I didn't intend to be the Wolf when starting Mandiant or even prior in my career. Nicole. I just thought it was materially important to any security company that you need to have a firsthand view of what attackers are doing. You have an adversary that's trying to evade everything you do. In the cyber domain, the most important position to have is kind of own that moment, as you called it, the oh, shit moment. It was like November, December 2009, a whole bunch of companies got compromised. And the one thing about Google is they had an army of people swarming to respond. So I did go out to California. I remember being somewhere in Googleplex. But more in reality, I noticed the cool bikes and the food.
Nicole Perleroth
When they made the call, the Googlers only had one rule.
Paul Moser
Don't wear suits. Don't open suits. Right. If you at the time had shown up at Google and a search suit, people would have thought like the FBI was here and hanging out with the security team. That's probably not a good sign. And sure enough, they did come in suits and had to buy clothes for the rest of the engagement on site. But I think, you know, I have a really clear memory of that day when they came because we gathered, you know, a handful of us in a conference room and we briefed them on what we had seen. And, you know, it was immediate. They were like, yes, we know exactly what this is. I don't know that we've ever seen this particular threat actor before, but this looks just like Chinese apt.
Nicole Perleroth
Advanced Persistent Threat. That's government shorthand for state sponsored hackers. In those early days, the vast majority of these groups originated from one country. APT became a politically expedient way to say China. But back to Kevin, you know, it.
Kevin Mandia
Was a lot of the companies that were dealing with similar intrusion sets. You know, when we were responding to Google, we had been responding to that exact group for seven years already. It wasn't like we went, well, this is new to us. It was new to Google.
Paul Moser
I think, I think that moment, it was nice to have experienced adults in the room. It felt like we had a really solid partner. So I've forgiven them for wearing suits.
Nicole Perleroth
At the same time Google caught Chinese hackers in its systems, cybersecurity experts elsewhere were responding to breaches that were unprecedented in aggression.
Steve Stone
We saw a particular hospital just out of nowhere. It's like somebody flicked a switch. We saw one hospital just get compromised by multiple Chinese groups, military, private hackers, and all skill levels. Like it was all of a sudden like if you watch the John Wick movies, like when they say, okay, this person's now on the list. It looked just like that task.
Dmitri Alperovich
How many?
Jim Lewis
How many do you have?
Steve Stone
And all these groups showed up and it didn't make sense to us.
Nicole Perleroth
That's Steve Stone. Steve has tracked cyber threats in government and private industry for more than 15 years. He's seen it all. But it was the offensive against this one hospital that stuck with him. This wasn't just the A team. It was an absolute ambush. Every single Chinese apt he was tracking simultaneously went full force against this one hospital.
Steve Stone
And we thought, well maybe there's some cutting edge research, maybe there's some. Because healthcare is a huge issue for the Chinese government. It was like, hey, we're going to pay whoever gets it.
Nicole Perleroth
So just what was it that they were after? Why was nearly every single Chinese hacking group coming for this one hospital?
Steve Stone
And what we ended up finding out was the Dalai Lama was being treated there. So we think it wasn't what we thought it was initially like, yeah, they're trying to find the new cancer or whatever. We think it was just is the Dalai Lama sick? And if he's sick we want to know and everybody go figure it out.
Nicole Perleroth
The Chinese Communist Party or CCP was willing to deploy the full weight of its hacking apparatus just to spy on the Dalai Lama. Likewise, what Google was witnessing in late 2009 was just how far the CCP was willing to go to track the Chinese diaspora overseas. By tracking hackers movements, Googlers in concert with Mandiant were able to piece together their motives.
Paul Moser
As we dug in it became clear actually that we think it was the whole attack was about long term access to Gmail accounts.
Nicole Perleroth
The Chinese were after the email accounts of Chinese activists and dissidents. They wanted to know who was talking to whom and what they were saying.
Jim Lewis
The Chinese leadership is really paranoid. You know my old joke is that we're actually target number two for the Chinese. Target number one is their own people.
Nicole Perleroth
That's Jim Lewis. Today he's a senior vice president at the center for Strategic and International Studies in Washington where he specializes in China and tech policy. But his career has spanned backchannel negotiations between the US and China for years. Any dislocation, discussions between the two on cyber espionage, chances are he's had a hand in them. As for that paranoia Jim is talking about, China has long been consumed by its so called five poisons. The whole concept of the five poisons grew out of ancient Chinese medicine. They were snakes, centipedes, scorpions, frogs and spiders. In modern China, the Communist Communist Party has its own version of the five Poisons. It's the five groups the party perceives as existential threats to its control.
Jim Lewis
Well, it's the Uyghurs, it's Tibetans, everyone knows that. With the Dalai Lama it's Falun Gong. The Chinese had a dreadful shock with Falun Gong some years before all this, where there were Falun Gong protests in Beijing and and the government didn't know they were going to happen. So then you had a lot of old ladies doing Tai Chi in the middle of, in front of the Forbidden City. Why that was frightening is another question. But the fact that Falun Gong was able to sneak up on them was one of the things that set off this massive investment in domestic surveillance, the democracy movement, which is pretty squashed. She's done a good job of squashing it. And then finally, Taiwanese independence. So the things that the Chinese see as a threat. Notice we're not on that list. I mean, we'd probably, we could. If you had six poisons, maybe we'd make it. But it's the concern with the continuity of party leadership, of unchallenged party rule that drives a lot of Chinese activity.
Nicole Perleroth
The Uyghurs, the Tibetans, the Falun Gong, the pro democracy movement, and the Taiwanese. But it's that first group, the Muslim minority known as Uyghurs, that's been subjected to surveillance. So over the top, it's been likened to a virtual prison.
Heather Adkins
So if you go to Xinjiang, there's these little kind of oasis cities all around the desert. And so these cities almost feel timeless. They're these sort of old mud brick cities. Usually what started to happen about seven or eight years ago is a huge amount of cameras started appearing on the walls there. And along with that came a lot of police checkpoints. And so when we were out there reporting in, you know, 2018, 2019, you basically got the sense of kind of a society utterly suffocated by kind of overwhelming both technological and kind of, you know, good old fashioned shoe leather surveillance.
Nicole Perleroth
That was Paul Moser. Paul spent more than a decade inside China covering their expanding surveillance state for the New York Times. In June of 2009, just a few months before Chinese hackers broke into Google, there was one episode that kicked the party's paranoia into high the Shao Guan incident.
Heather Adkins
Basically, there's a small factory in southern China and a rumor goes around the factory that two Uyghur workers there raped a Han Chinese woman. And so the Han Chinese workers confront the Uyghur workers. A fight breaks out, and I believe two Uyghur workers end up getting, getting killed, beaten to death in what is effectively a factory riot. And this is the early days of, of YouTube and viral social media. None of it was blocked in China. And so it goes viral in China and it spreads all over Xinjiang. And in Xinjiang, you know, what is effectively a kind of, you know, ethnic tinderbox, because there are all these tensions. It triggers this massive ethnic riot in which thousands of Uighurs take to the streets in numerous cities. Some are armed with knives, some are armed with poles, and they murder at least 200 Han Chinese.
Nicole Perleroth
The party mobilized the military to Xinjiang. They cut off Internet access and they blocked phone calls to the outside. But that was just the beginning. Over the next decade, the CCP turned Xinjiang into a dystopian surveillance lab.
Heather Adkins
And so if you walk down a street, you know, say one block, you'd probably pass 20, 30 cameras. And, you know, some of these are sort of your old fashioned dumb cameras, but some are new cameras with Nvidia chips in them. These kind of huge VCR television sized kind of contraptions. And they're hanging from poles, they're hanging from trees, they're on traffic lights, and oftentimes they're aimed right at your face. And, you know what's happening on the backside is that they're running facial recognition algorithms to try to kind of identify who you are and sort of track where you're going. But that's just one layer. So then the second layer is the human checkpoint. So maybe every couple hundred yards, you would run into a human checkpoint, usually staffed by police. And what the police would do is they would scan local people's identification cards. And so even if the face scanning doesn't work, the identification card will allow the police to mark this person with this identification number past this checkpoint at this time. And so what you start to imagine is kind of a map of the comings and goings of every single person in this city at all times. And what they do with this is they use it to kind of start building invisible interior barriers within the city. So, you know, if you are somebody that they don't necessarily trust, maybe you're not allowed to leave your neighborhood. So when you get out of, say, a square kilometer of your house, you might hit a police checkpoint. And there's, you know, when they scan your id, an alarm might go off and it might say, actually, this person is at their barrier. They can't go any further.
Nicole Perleroth
So a virtual cage.
Heather Adkins
A virtual cage. What was really sad to see was that, you know, it was utterly targeted on the Uyghur ethnic minority. So you would see Han Chinese get out of their cars and just walk right past these checkpoints, and nobody would stop them. But then for the ethnic minority for whom this is their homeland, it applies. And so they have to stop every single time.
Nicole Perleroth
That level of surveillance didn't stop in Xinjiang over the Next several years, it began to creep into larger China and beyond.
Heather Adkins
By 2017, they were appearing absolutely everywhere. They almost like looked like baroque sculptures mocking surveillance. In some ways, you'd have like three cameras hanging from a pole with another pole sticking off and two more cameras and then a camera next to that. I mean, it was just totally remarkable. And so I endeavored just to kind of get a sense of how absurd this was, to track how many cameras I passed on my commute to work, which is about, I think two subway stops in Shanghai took about 15 minutes. And during that time I counted 250 cameras. I tried to do it the first time without a counter, and I'd lost track. So I actually had to download a little app that was a counter just to do it as I go. And I mean, there are big cameras on the escalators. There's tiny little hidden lenses inside each subway car. Just everywhere you can think of are cameras. And you just. All of that data is being collected and being processed. And so it was a really remarkable thing. But for a lot of people, you know, it sort of didn't register. You know, they just kind of ignored it and kept going. But it was, you know, the one thing that, you know, the physical infrastructure of China, you know, fundamentally changed.
Jim Lewis
If it works at home, why not do it overseas? It's a little harder because, you know, in China, they own the networks. They can put cameras up, they have everybody's birth certificate, but they're doing their best to wire the world for Chinese surveillance.
Nicole Perleroth
That was Jim Lewis again, what Google was now witnessing. Hackers inside its systems. That was the first glimpse that China was exporting its surveillance overseas.
Paul Moser
Governments are going and trying to hijack your accounts. They have very front door kinds of ways they can ask for that information. But here was a government clearly not going through the front door, clearly trying to find a workaround using hacking techniques. And that really did change everything for us.
Nicole Perleroth
That front door Heather's talking about. Well, governments, including our own, routinely go to email providers and phone companies with secret court orders demanding access to customers they suspect of engaging in crime or terror threats. Years later, we'd find out Chinese hackers snuck in that front door too. But we'll come back to that. One thing to know is that two years before Google set up shop in China, China's CCP minders had gone to its competitor Yahoo, and demanded Yahoo hand over access to a Chinese journalist's email account. Yahoo had complied, and the journalists paid dearly for it. That journalist was now serving out a 10 year prison sentence. Google went into China with that journalist's experience firmly in mind. The company intentionally withheld Gmail from Chinese users for fear the party would demand access to its users private conversations. But now what Heather's team was witnessing at Google was, was just that. The Chinese government was clearly willing to go to great lengths to track its own people, no matter where they lived. China was rewriting the rules. Governments would still come knocking on the front door with national security letters and data requests. But now Google had to expect they would come break down the back door too. Suddenly, private businesses were active targets for advanced nation state hackers.
Paul Moser
What we had thought were norms on the Internet weren't actually norms.
Nicole Perleroth
Googlers took this personally. Their whole motto was don't be evil. Google's mission was to make the world's information access accessible to everyone. Standing by as an authoritarian government surveilled activists and stifled dissent ran counter to everything they stood for. Three years earlier, Google had entered the Chinese market on one condition from the ccp. That it sanitized search results for the Dalai Lama, the Falun Gong, Tiananmen Square. Google rationalized this to employees by arguing it was better to give the Chinese censored search results than leave a billion plus people in the dark. But in the intervening years, the party's list of offensive content expanded to an absurd degree. The party demanded Google censor any talk of time travel or reincarnation. Even Winnie the Pooh would eventually make their blacklist. And when Google didn't move fast enough to block content, Chinese officials took to calling Google an illegal site. Three years in, the censorship was getting hard to stomach. And now it had gone way beyond that. Google's engineers felt powerless as they watched an authoritarian government hack into their systems in a brazen campaign to surveil its own people.
Paul Moser
Google in 2009 was still a relatively small company and the people who worked there had worked there for quite some time, right, and built Google and also were of this generation of people who helped build the Internet. And there's a certain philosophy of openness, connectedness, personal responsibility in how the Internet was created, its culture. And that permeated through the culture at Google. And also people worked for Google in 2009 because they really believed the mission organize all the world's information, make it universally accessible. They could see the information revolution online, how it connected people. And the idea that someone would want to violate that, I think really spoke very strongly to Googlers, like this is a boundary. Why did you cross this boundary? Googlers really saw this As a shocking moment. Like, I can't believe somebody went there and did that. I can't believe a government went there, there and did that. And people really took that to heart.
Nicole Perleroth
This realization that Google could be used as a means for China to monitor its critics radically altered the way the company approaches cyber defense and how it informs those of us who may be targets for nation state spies. Today, Google delivers a big red warning banner across your Gmail account if it detects a nation state hacker attempting to access it. I've seen a few myself, but for Heather, it caused more personal shifts as well.
Paul Moser
I will say that it switched on a kind of strange paranoia. I remember, and this could have just been the sleep deprivation, but I remember driving into work one morning, it was very early, and I saw a telco truck, you know, telecoms truck in the middle of the road, coned everything off and they'd had the manhole cover open and it was right next to campus. And I thought, what if they're tapping the fiber, right? There's this weird paranoia that kicks in that I think that kind of thinking did come, you know, not rational, but I think you do start to question everything you see and all the decisions you're making.
Nicole Perleroth
The thing is, Heather's paranoia wasn't entirely off base. Google wasn't alone, not by a long shot. This wasn't a single hack, but an opening salvo. Here's Dmitri Alperovich again.
Dmitri Alperovich
I was looking at the malware with my team. There was a name that stood out. Usually when you're looking at the piece of malware, it's all kind of machine code, kind of binary, 0 and ones, but occasionally you see a phrase in there that sticks out. And in this case, the word that stood out was Aurora. It must have been a code name for the project that the attackers used when they were building this piece of code. And I instantaneously knew that I had to call this whole operation not just an malware, but the whole operation Aurora.
Nicole Perleroth
Any other threat researcher might have passed that phrase right on by, but that word aurora stopped Dmitri in his tracks. Dmitri grew up in Russia in the 1980s, and Aurora jolted him right back to his Soviet schooling.
Dmitri Alperovich
The reason why I knew immediately we had to call it Aurora, not just because of that one phrase, because there are certainly other phrases in the malware as well. But here my cultural background comes in. But Aurora is the name of the Russian battleship that fired the first shot. That was a signal to Lenin in 1917 to start the October Revolution that changed the course of History obviously turned Russia into Communist Russia and of course, triggered the Cold War later on as well. I knew that instantaneously that this event that I was investigating was also a huge deal, because here you had for the first time, a nation state, those publicly identified as breaking into a private company and a set of private companies. And that was going to be a big deal and a watershed moment. And that's why I called the whole thing Operation Aurora.
Nicole Perleroth
In rewinding the tapes, Google, mandiant, and now McAfee all found trails from Google's hack back to dozens of other companies.
Paul Moser
So we set up these honey pots in the hopes that we would learn which other corporate laptops we're going to connect in. And via there, we were able to see the other victims and triangulate who they were.
Nicole Perleroth
The victim list included companies just up the road in Silicon Valley, like Adobe, but the targets also included banks like Morgan Stanley, defense contractors like Northrop Grumman, even cybersecurity firms like Symantec were caught in the fray, and many more that to this day have never acknowledged they were breached. Heather's team made it their mission to warn their counterparts at these other companies. They'd call and say, look, you have a problem. Check out this IP address, and you'll see something scary on the other end of the line. Someone's face would go white, and then radio silence.
Paul Moser
I would say. There were one or two companies where we called them up and said, you know, hey, you got this thing? And they said, yeah, we've been having trouble with that for a while.
Nicole Perleroth
Back at McAfee, Dimitri's team found inroads back to more than 100 companies, 153.
Jim Lewis
To be exact, that we had discovered Oz at McAfee, all high tech.
Nicole Perleroth
That's Steve DeWalt, Dimitri's boss and McAfee's CEO at the time. What struck Dave wasn't just the number of companies that were hit, but how long Chinese hackers had been there. Some of the dwell times were measured in hundreds of days at this point, and some of them were over 400 days. So in the life of a cyber attacker, when you have 400 days to observe, not only could you compile in.
Jim Lewis
Code, you could steal code.
Nicole Perleroth
And in many cases, that's exactly what they did. They didn't just go for the emails, they went for the source code. And with that, they could alter the systems themselves. They could plant backdoors that allowed them to come back anytime they so planned pleased. One major apt campaign that was stealing source code. And stealing vulnerability research that could be exploited for decades to come. So that combination created apertures for the Chinese to use to this day. And we're still trying to figure out what all they've been able to discover from that one Aurora campaign that occurred way back when. At Google, Heather and her bosses had an important decision to make. Getting these hackers out of their systems would be hard. Keeping them out would require a monumental overhaul of cyber defense. But the alternative? Just rolling over and becoming an unwilling accomplice to Chinese surveillance, that was unthinkable. For Sergey Brin, Google's co founder, a Soviet emigre himself, it was a bridge too far.
Paul Moser
I remember we had a sit down with Sergey and he said, I'd like to make a blog post. Of course, the cyber people in the room are like, you're crazy. Like, nobody talks about this stuff. You can't make a blog post. You can't tell anybody. Like, it just wasn't the way things were done then. And as we kind of listened to the reasoning a little bit, it made a lot of sense. Users deserve to know. We wanted to get out there. We wanted to make it better for everyone else. And so sort of the shy cyber people, we quickly got over that.
Nicole Perleroth
So for the first time ever, a company went public. Google disclosed its hack in a blog post and pointed the finger squarely at Beijing. And that. That changed everything.
Dmitri Alperovich
It was groundbreaking news, I think changed the industry because it was the first time that people woke up to the threat of nation states hacking private companies.
Nicole Perleroth
Google threatens to quit China, saying it could no longer tolerate what it calls strict censorship. There is this a case of a company putting ethics above business in a huge market. And what are the potential costs of such a move?
Steve Stone
At first, it seemed to be a cyber attack aimed at those who organized protests against China's control of Tibet. A student at Stanford was surprised when Google told her someone in China China was reading her email. But Google discovered this was much more than an attack on the email of a single Chinese human rights activist. Not only was Google itself targeted by the cyber spies, but so were at least 20 other major corporations.
Kevin Mandia
Now, there's nothing official, but clearly Google.
Nicole Perleroth
Is upset with what they deem to be spying within Google China. And, you know, the rumor is that they're getting closer to pulling the plug.
Paul Moser
Google's headquarters in central Beijing.
Nicole Perleroth
The Chinese flag is flying high outside. But the search giant's relations with the government have never been straightforward. And after four years and a lot.
Paul Moser
Of controversy, it's closed. Its mainland search service rather than self censor any longer.
Nicole Perleroth
The most recent situation involving Google has attracted a great deal of interest, and we look to the Chinese authorities to conduct a third thorough review of the cyber intrusions that led Google to make its announcement. And we also look for that investigation and its results to be transparent. The Internet has already been a source of tremendous progress in China, but countries that restrict free access to information or violate the basic rights of Internet users risk walling themselves off from the progress of the next century. This was it, the opening for other victims to speak up. We braced ourselves for the outpouring of disclosures, but they never came breached. Companies were more afraid than ever to come forward. Rather than step into the light, they just hunkered deeper into the shadows. Working as a cyber reporter at the Times during this period felt like beating my head against a wall. No one would talk. That is, until the company in China's crosshairs was us. That's next on To Catch a Thief, and I remember calling one of our lawyers, telling him about this story, and he said to me, your life is in danger. Before you publish, follow To Catch a Thief to make sure you don't miss the next episode and if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubric in partnership with Pod People, with special thanks to Julia Lee. It was written and produced by me, Nicole Perleroth and Rebecca Chasson. Additional thanks to Hannah Pedersen, Sam Gabauer and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.
To Catch a Thief: China’s Rise to Cyber Supremacy
Episode 1: The Five Poisons
Release Date: March 17, 2025
Introduction
In the premiere episode of To Catch a Thief: China’s Rise to Cyber Supremacy, host Nicole Perlroth delves into the alarming evolution of Chinese cyberattacks against American entities. Produced by Rubrik in partnership with Pod People, the episode offers an in-depth documentary-style exploration of how China transformed its state-sponsored hackers from minor nuisances to formidable threats targeting the United States’ critical infrastructure. Drawing from firsthand accounts and expert interviews, Nicole unpacks the motives, methods, and far-reaching consequences of these cyber intrusions.
The Scale and Evolution of Chinese Cyberattacks
Nicole Perlroth sets the stage by highlighting the unprecedented scale of China's cyber espionage activities. For over two decades, Chinese hackers have systematically stolen trillions of dollars' worth of American research and development (R&D) trade secrets and intellectual property (IP), often leaving victims with less than 1% visibility into the breaches.
Kevin Mandia (Mandiant): “I think it's the greatest transfer of wealth in history.” [00:02]
Jim Lewis: “They call it advanced persistent threat.” [00:04]
This massive and continuous theft has evolved from targeting specific trade secrets to conducting blanket surveillance and pre-positioning within America’s critical infrastructure. As Dmitri Alperovich from CrowdStrike succinctly puts it:
Dmitri Alperovich: “They keep stealing, they can't innovate.” [00:59]
Operation Aurora and the Google Breach
A pivotal moment in understanding China’s cyber ambitions was the Operation Aurora breach in late 2009, where Google became the primary target. Nicole recounts the chaos within Google's security team as they grappled with an unprecedented breach.
Heather Adkins (Google Security Team): “We did every investigative method you could think of... after the first 12 to 24 hours, it was pretty clear that we were dealing with a scale that was going to quickly overwhelm our small team.” [09:20]
To manage the crisis, Google enlisted Mandiant, led by Kevin Mandia, renowned as the cybersecurity equivalent of “the Wolf from Pulp Fiction.”
Kevin Mandia: “In the cyber domain, the most important position to have is kind of own that moment, as you called it, the oh, shit moment.” [11:03]
The collaboration unearthed a sophisticated and widespread cyberattack, later named Operation Aurora by Dmitri Alperovich, drawing parallels to the historic Russian battleship that ignited the October Revolution.
Dmitri Alperovich: “Aurora is the name of the Russian battleship that fired the first shot... I knew that this event that I was investigating was also a huge deal.” [31:35]
The Motivation: Five Poisons and Internal Control
Central to China’s cyber strategy is the concept of the "Five Poisons," modern equivalents of ancient threats that the Chinese Communist Party (CCP) perceives as existential threats to its control. Jim Lewis of the Center for Strategic and International Studies elaborates on these groups:
Jim Lewis: “The Uyghurs, the Tibetans, the Falun Gong, the pro-democracy movement, and the Taiwanese. It's the concern with the continuity of party leadership.” [17:24]
Targeting these groups, especially the Uyghurs, has driven the CCP to invest heavily in domestic surveillance, turning regions like Xinjiang into dystopian surveillance hubs. Heather Adkins describes the pervasive surveillance infrastructure:
Heather Adkins: “By 2017, they were appearing absolutely everywhere... I counted 250 cameras during a 15-minute subway ride.” [17:24 - 22:25]
This domestic focus on control and suppression has seamlessly extended to global cyber operations, enabling China to export its surveillance tactics overseas.
The Global Expansion of Chinese Surveillance
As China's internal surveillance mechanisms grew more sophisticated, so did its international cyber espionage efforts. The breach of Google was just the tip of the iceberg, linking to over 100 other companies across various sectors, including Silicon Valley giants like Adobe and defense contractors like Northrop Grumman.
Jim Lewis: “We had discovered Oz at McAfee, all high tech.” [33:03]
Long dwell times, sometimes exceeding 400 days, allowed Chinese hackers to deeply infiltrate systems, stealing not just emails but also source code and vulnerability research, creating persistent backdoors for future access.
Impacts and Reactions
The revelation of Operation Aurora forced Google to make a historic decision to go public with the breach, marking the first instance of a major private company disclosing a state-sponsored cyberattack. This bold move was influenced by Sergey Brin, co-founder of Google, who prioritized ethics over business interests in the face of blatant espionage.
Paul Moser (New York Times): “Users deserve to know... the suspension of norms.” [36:17]
The disclosure had a ripple effect across the industry, awakening companies to the reality of persistent nation-state threats and challenging previously held assumptions about internet norms.
Conclusion
To Catch a Thief: China’s Rise to Cyber Supremacy Episode 1, "The Five Poisons," provides a comprehensive and gripping account of China’s strategic ascent in cyberspace. Through expert testimonies and detailed analysis, Nicole Perlroth illustrates the profound implications of China’s cyber operations on global security, economic stability, and technological advancement. The episode underscores the urgent need for heightened cyber defenses and international cooperation to counteract the sophisticated and relentless nature of Chinese cyber threats.
Notable Quotes with Timestamps:
Key Takeaways:
To Catch a Thief: China’s Rise to Cyber Supremacy offers a crucial examination of the shadows within cyberspace, revealing the intricate web of cyber espionage that threatens global stability and security.