Nicole Perlroth
Within a few decades, the Chinese economy went from agrarian backwater to manufacturing middleman, to world class innovator in its own right. American companies had been the pioneers, the innovators. But somewhere along the way we got beat at our own game. And in too many cases it was with our own stories. Stolen IP throughout the 2000s and 2010s; examples surfaced everywhere. The world's top telecom player, Huawei. They're the biggest supplier of telecoms equipment in the world. So why are countries increasingly turning away from Huawei? The world's top solar panel makers, all Chinese. The first solar panels were invented in America in 1954. And yet it's been China that's been better able to capitalize on the technology. Now China controls over 80% of the global solar panel supply chain, while the United States manufactures virtually none of the required components for solar panel production. The fastest growing social media app, TikTok.
Ben Santarris
TikTok is the latest app to capture.
Steve Stone
The attention of teens and young adults across the world.
Ben Santarris
The app came as the number one.
John Carlin
Downloaded app of 2018.
Nicole Perlroth
Even the drones flown by US law enforcement are no longer American.
Steve Stone
For almost the last two decades, Chinese made drones have dominated the consumer market.
Nicole Perlroth
China's DJI owns the sky. As for electric vehicles, it's not Tesla anymore. As of 2023, it's China's BYD. In the world of electric vehicles, Tesla has reigned supreme.
Dave DeWalt
But its days as top dog may be numbered. In China, the world's largest EV market.
Nicole Perlroth
It's been losing ground to domestic automakers as a ruthless price war has inflamed.
Ben Santarris
An already competitive market.
Nicole Perlroth
Nobody was connecting the dots back to Chinese hacking. Nortel didn't just disappear. Huawei stole it, China subsidized it. And they made it so cheap it wiped Nortel off the map. Now that's not to say that Chinese companies aren't innovative, it's just that they were playing by different rules. The hacking, the outright theft gave them a huge leg up. And all that leapfrogging came with a heavy price tag for American companies, American workers, really the American people.
Dave DeWalt
That time period was the most dangerous in America's history. I think as we really got a superpower elevated, probably 50 years of IT advancement in a five year period because developing all that on your own would never have happened. And in my opinion, America's companies would have dominated China had they not been able to build their own Chinese companies with the IP they stole.
Nicole Perlroth
That was Dave DeWalt, who had a front row seat to these developments as CEO of McAfee and, later, FireEye. Anyone tracking Chinese cyber theft over this period could have told you that this was all entirely predictable. But even as the hacking reached absurd levels, America's leaders in business and government were still hesitant to sound the public alarm. Fears of upsetting the world's largest market still ruled the day. That's where a certain government shorthand came in.
Kevin Mandia
By the end of the Bush administration, there was a recognition that Chinese cyber activities had reached troubling levels. This is where the famous phrase APT came from. The Bush administration didn't want to say China, so they called it Advanced Persistent Threat. That's code for China.
Nicole Perlroth
I'm Nicole Perlroth, and this is To Catch a Thief. I learned the meaning of Advanced Persistent Threat back when I was at the New York Times. I was reporting out a wild story about how Chinese hackers had broken into one oil company. They tried to break in all the usual ways, mainly through phishing emails. But when that didn't work, they searched for the company's employees on Facebook and discovered several of them had liked the same Chinese takeout restaurant. So what did they do? They hijacked the restaurant's PDF takeout menu, which, when the oil company employees went to order some General Tso's chicken, they got a helping of Chinese malware instead. Once they were in, getting these Chinese hackers out of your systems, finding and closing every back door, was a huge challenge. In one case, the U.S. Chamber of Commerce, basically the country's biggest business lobby, discovered they'd been breached by Chinese hackers. They brought in the FBI and private security firms and believed they'd cleaned house. But then, months later, one of their printers inexplicably started printing out reams of documents in Mandarin. Separately, some of their lobbyists started complaining that the thermostats in their corporate apartments in D.C. were acting funny. Upon closer inspection, both the printer and these thermostats were still communicating with IP addresses in China months later. This was the level of persistence we were dealing with. Back to Dave DeWalt.
Dave DeWalt
This was stuff we hadn't seen before. The epiphanies of a major government stealing from American companies directly. Government on business, and then government on security companies to business was something we had never seen. And so that was a wake up call for all of us to go, wow, okay, this is beyond government on government espionage and activities. But when you start seeing little companies, almost measured by a press release coming out as a Series A investment, getting hacked by the Chinese, you knew you're in a whole new era. And that's the era I grew up in.
Nicole Perlroth
These days, DeWalt runs his own cybersecurity investment firm, NightDragon. And yes, he named his firm after the Chinese hacking campaign. Some of these thefts still haunt him.
Dave DeWalt
I spoke at an airline transportation summit, and I showed 150 breaches on how China built its next generation jet. So they stole all the parts to the jet, from the airframe to the avionics to essentially. And it was. I wanted to call it the C919, but I showed the entire airframe and avionics and every confirmed breach that showed how they had a strategy to build the entire aircraft from the breaches of American companies. Now, it took them a while to get it off the ground because, you know, it's not easy just to steal it and build it. There's a lot of engineering process that goes with it. But eventually they did, and now they have their own capabilities to build their own aircraft. Commercial airliners, that all came from breaches.
Nicole Perlroth
Of the U.S. The COMAC C919 came to market in 2008. It took another 10 years for the U.S. Justice Department to detail in an indictment how COMAC narrowed the technological gap between what it could build and what its Western competitors could do. Before 2008, COMAC relied on companies like Airbus, GE, Honeywell, Belgium, Safran for major components. But China was determined to help COMAC, which is short for Commercial Aircraft Corporation of China, stand on its own two feet. Chinese spies bribed employees at these Western suppliers to hand over trade secrets, and some of them did. A few are now in jail. But what China's spies couldn't get from human sources, they stole in a brazen series of cyber attacks against Honeywell, Capstone Turbine, GE and Safran. CrowdStrike, in a report of its own, concluded that those hacks helped COMAC trim several years and potentially billions of dollars off its development time. And that was all for just one airplane.
Dave DeWalt
When you look at solar industry, there were so many attacks on the solar where they'd flood solar panels back into the US down to the exact bolt with the same serial number of the solar panels that were stolen. I mean, we could match it to the Chinese maker with the exact same characteristics with the same serial number that was stolen from a US provider. And we have a lot of cases of this. I'm not sure how many I'm able to share down to the company names. But, I mean, we saw restaurants that were opening in China with the exact recipes of the food that was served. Like, we saw good luxury goods makers who had their products stolen down to the handbag process of manufacturing.
Nicole Perlroth
Back when DeWalt was CEO of McAfee and then FireEye, he handed the Obama administration a list of American companies he believed were getting raided hand over fist. Over the next few years, as the government debated what to do, how far they were willing to go to make China stop whole companies, entire towns were eviscerated by Chinese IP theft.
Dave DeWalt
If you go back to the 2008 window, there's a number of town stories like that whose entire businesses and towns were wiped out by Chinese product that flooded the market less than one year after the espionage attack. Some of the lives that were affected and the people that were affected are pretty dramatic because entire factories and towns were built around the manufacturing of American goods that suddenly were sold for a fraction of the price, below cost, to defeat the American by its own product down to its serial number.
Nicole Perlroth
Today, SolarWorld here in Hillsboro has about 700 employees.
Kevin Mandia
But by 2015, they say they will.
Nicole Perlroth
Have an additional 200. The company is adding a solar panel production line. 20 miles west of Portland sits Hillsboro, Oregon, a town locals refer to as Silicon Forest because a number of big tech companies have factories here. Intel, Salesforce, and until recently, SolarWorld, a German solar company, housed the largest solar cell manufacturing facility in North America here. At its peak, SolarWorld hired more than 1,000 locals. The company was among the first in the world to manufacture a next gen solar cell that was highly coveted for its efficiency and flexibility. These solar cells allowed panels to work in lower light conditions and in extreme heat.
Paul Mozur
I use SolarWorld panels, I use SolarWorld.
Nicole Perlroth
Panels because we can trust them.
Steve Stone
By far the best module manufacturer that there is in the world.
Dave DeWalt
German engineering, American made, that hits home for most people.
Nicole Perlroth
The rate at which the innovation was.
Kevin Mandia
Taking place, the rate at which we.
Nicole Perlroth
Were implementing and breaking new ground, was just breathtaking. That competitive edge put SolarWorld in Chinese hackers' crosshairs. The CCP first highlighted solar energy on its Five Year Plan in 1981, and solar has made every Five Year Plan ever since. In 2012, SolarWorld discovered Chinese hackers had broken into its network and passed its crown jewels over to Chinese state owned enterprises. Soon those companies, aided by Chinese subsidies, were dumping cheaper copies of SolarWorld's panels into US markets. SolarWorld fought back both in court and in the corridors of Washington, where they lobbied for tariffs on Chinese panels. But it wasn't enough. By 2017, SolarWorld laid off more than 800 of its Hillsboro factory workers. The factory shuffled hands through a series of takeovers and ultimately closed up shop in 2021. Emotions are mixed here at financially troubled SolarWorld. We're in the process of laying off people.
Ben Santarris
Spokesman Ben Santarris tells me the layoffs at SolarWorld have been happening for the last couple of months. US solar manufacturers are finding it next.
Steve Stone
To impossible to compete with much cheaper.
Ben Santarris
Imports flooding the market, mainly from Asia.
Nicole Perlroth
People are being affected. They will be affected all the way up and down the value chain in the U.S. We're sad to have to say farewell to our co-, our peers.
Dave DeWalt
But it's a necessary move that we.
Nicole Perlroth
Need to make in order to survive.
Dave DeWalt
When you start to look at it through the lives of people like that who lost their jobs, had to go on Social Security, or had to migrate out of the cities because of the Chinese espionage, it's a real factor.
Nicole Perlroth
These shutterings were happening to hundreds of companies and towns across America. Some, like SolarWorld, tried to fight back. Here's Steve Stone. He worked with a turbine maker that discovered its Chinese competitor had copied its hardware and software down to mistakes in the original source code.
Steve Stone
There was only a handful of companies that really built that technology, both the software and the hardware. And one of those US companies went out of business and then they sued the Chinese government in US court because they said they literally stole our design. And then they just sold turbines at a much discounted rate and they displaced our business. And the court case came down to an actual source code review, and it had the US company's name in the Chinese source code. The US company went and bought one of these Chinese turbines and then just mapped everything out. So they were able to say, this isn't just a manifestation of our source code, it's our actual source code. We're going to point out spelling errors. Our actual company name is in this, and that company no longer exists. It was taken to create a viable Chinese business, which now is one of the top turbine producers. This is very much a long game for the Chinese side of the house.
Nicole Perlroth
It's worth noting that four of the world's top five turbine makers are now Chinese companies. Meanwhile, Western competitors like Capstone Turbine filed for bankruptcy in 2023, citing decreased demand. Factories closing, towns hollowed out. And yet so many Chinese cyber attacks flew under the radar, mainly because victims were so reticent to step forward, scared what the disclosures would mean for their reputation, for their stock price, for class action lawsuits. That's why our own disclosure of the Chinese breach of the New York Times was such a game changer.
Dave DeWalt
We've been reporting on the warnings and seeing the examples over and over. State sponsored computer hacking of American companies by China.
Ben Santarris
Well, tonight it's the news media itself.
Dave DeWalt
Under siege, including some very big names.
Nicole Perlroth
The New York Times has been hacked.
Dave DeWalt
The New York Times says hackers have been attacking its computer system for the past four months, even managing to get passwords for individual reporters.
Nicole Perlroth
Just before I hit publish on that story, I'd done what any serious journalist does. I'd called the Chinese consulate, walked them through everything I had and gave them the chance to comment or refute the story. What I got was a full throated denial. To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless. I included that denial word for word in the story. China's denial, especially the part about no solid proof, didn't sit well with Kevin Mandia. For years he tracked the group behind our hack. A group Mandiant called APT1. Officially the group was a Shanghai based unit of the People's Liberation Army, Unit 61398. Mandiant knew the group better than most. It had traced their movements to more than 100 breaches in the US. They had their online handles, they had their physical address.
Ben Santarris
141 times we did investigations and it went back to this bucket of evidence or fingerprints to APT1. They're unbelievably persistent. Like you get these guys out of your network, they're just back the next day. There was no doubt they were badging into a building and this was their job.
Nicole Perlroth
When Mandia read China's denial in my story, he decided, screw it, let's show them the proof. He handed me and my Times colleague David Sanger a 74 page report detailing the group's official military designation, their tactics, techniques, victimology, its members, who had names like Ugly Gorilla, and critically, its whereabouts. We sent our Shanghai bureau chief David Barboza to investigate. And sure enough, next to restaurants, massage parlors and a wine and porter, he found a 12 story nondescript white building surrounded by Chinese soldiers.
Kevin Mandia
We were trying to figure out like, okay, this is coming from a location in Shanghai, right? They had the address, right? But they wanted me to go by the building and see what this was about. A 30 minute cab ride from my home. To think that, wow, they were actually not that far. And so I went out there and saw this white tower and clearly saw that it was manned by military personnel at the front. I think I saw the big dishes on the top of it, that the windows were covered or not clear. It seemed like a military installation, but one with a lot of antenna power and other things. So we were like, okay, this is a high powered building with military personnel with special stuff. I don't know if it's really the hack is coming from here, but this seems to fit every expectation that we, that we have. From what I've been told by you and Mandiant.
Nicole Perlroth
Once we were sure we could corroborate Mandiant's report, we published everything we had. I turned on CNN. This building is the focus of a report from US cybersecurity firm Mandiant. They say a hacking collective with direct ties to the Chinese military has stolen.
Steve Stone
Data from 141 organizations from around the world since 2006.
Nicole Perlroth
A CNN crew tried to roll their cameras through that neighborhood and this.
Steve Stone
Is what they discovered.
Nicole Perlroth
This is our crew being chased by Chinese security officers. Chase after us just yet? Keep driving. Drive away.
Kevin Mandia
Drive away.
Nicole Perlroth
Drive away. Drive away, drive away. Not. CNN's David McKenzie is live for us in Shanghai with more. But the bigger picture here, Soledad, really.
Ben Santarris
Is what is happening here. The Mandiant group says that this group is working in conjunction with the Chinese.
Nicole Perlroth
Military and the Chinese government.
Ben Santarris
Chinese government. Not surprisingly, Soledad says that they have.
Nicole Perlroth
Nothing to do with this. They call these claims, quote, irresponsible. What you're saying is that what many people saw as a shadowy Chinese group is actually part of the People's Liberation Army?
Ben Santarris
Well, I would think it is. And it's taking direction from the PLA, and that's why we've released this report: there's all this public disclosure now that it's China behind lots of these intrusions.
Nicole Perlroth
Even Kevin Mandia was shocked to see its impact.
Ben Santarris
I just went into the office by myself and right around 7:30 in the morning, my wife at the time called, and literally this is how I knew we were on the news. I didn't know CNN was filming outside the building, Nicole. The exact words from my wife at the time were, what in the F did you do? And I said, what are you talking about? She's like, turn on the TV. Your name is on every station. And I'd never told her we were writing the report. I never really thought to, you know, or anyone for that matter. We didn't even tell the Mandiant board about it till maybe one day prior. Hey, we're going live tomorrow with a report that pins China's PLA Unit 61398 to 141 intrusions, primarily to US companies. I just didn't think it was going to be news.
Nicole Perlroth
That story wasn't just news. It empowered the US Government to go after the PLA unit. Meet John Carlin, who worked at the Justice Department under the Obama administration.
Kevin Mandia
I was the Assistant Attorney General for National Security. Prior to that, during his first term, I was the Chief of Staff to the Director of the FBI, and then in between I was the Principal Deputy Assistant Attorney General for National Security.
Nicole Perlroth
While I was busy writing about Chinese cyber attacks, it was Carlin's job to figure out what to do about it. Part of the challenge was that until we outed our own hack and the PLA unit responsible, most everything the US government had on Chinese hackers was classified.
Kevin Mandia
I went to a facility, an unnamed facility out in Virginia, and there was a giant jumbotron screen like a movie theater, and I could watch in real time as nation state actors, China in particular, hopped into places like universities, used the fact that they penetrated the university to hop into places like private corporations, and then to steal economic information, intellectual property, commit economic espionage. And it was amazing to see that being tracked in real time. And it felt like an incredible intelligence success, but it did not feel like actual success to watch that much information, things of value to the American public, flow from the United States to China.
Nicole Perlroth
But John's team can just call out the Chinese Communist Party by name.
Kevin Mandia
It was literally classified. We weren't allowed to publicly say as a government official for years what everybody knew, which was that China was hacking these private companies.
Nicole Perlroth
One year after we outed PLA Unit 61398, John's team was cleared to prosecute. A grand jury in Pennsylvania indicted five of the unit's members and named their victims, among them SolarWorld; US Steel, which struggled in recent years to compete against low priced subsidized steel from China; Westinghouse Electric, the world's biggest supplier of nuclear reactors; Allegheny Technologies; Alcoa; and the United Steelworkers union.
Kevin Mandia
Clearly Unit 61398 was tasked with hitting these private sector targets in a way that others may not be. They were sloppy in their tradecraft, they were noisy, they had great nicknames like Ugly Gorilla that could be used. So really it was a rich trove of evidence, but also the fact that private sector groups like Kevin Mandia's group Mandiant had the information and were making it publicly available meant, to those who were worried about sources, methods, et cetera, this wasn't information that was uniquely the province of the government. So we really weren't giving anything up by being allowed to use it in a criminal case.
Nicole Perlroth
Our reporting from the Times, combined with Mandiant's APT1 report, meant Carlin's hands were untied. In his mind, the prosecution hadn't come a moment too soon. It was about more than justice for the victimized American companies. This was about establishing global norms of acceptable behavior.
Kevin Mandia
The activity would spike at around 9 in the morning, Beijing time. It would then stay high. And then apparently they took a lunch break, because it would decrease slightly in the middle of the day. Then they'd get back to work. You'd see it spike again, decrease overnight, decrease on weekends and Chinese holidays. So to the prosecutor in me, that's circumstantial evidence that this group is coming from China, but also it shows that the second largest military in the world was putting on their uniform, getting up every morning and then hacking you. Hacking us, hacking private companies, and that simply couldn't be allowed to stand. If you let someone walk across your lawn long enough in common law, and international law is a law of common law, they earn the legal right to walk across your lawn. It's called an easement. And that's why people put up no trespass signs. As long as we were allowing them to hack this noisily, we were creating the international law, the new norms, the new rules for this cyber age that said that this was okay. And so we felt very strongly that we need to show, no, this is a crime like any other type of theft. And if we don't at least treat it that way under our system, even if we can't hold these individuals accountable, we're never going to create the rules for the world that we want our children to live in.
Nicole Perlroth
When I first started covering Chinese cyber attacks, I'd always ask the experts, well, who did it? What they said in those early days, though, surprised me. They'd say, Nicole, attribution doesn't matter. I always read that as we don't want to piss off China for business reasons. That was partly true, but the other truth was that we were getting hit so hard and so often that the first priority wasn't the who, but the how to make it stop.
Ben Santarris
Somebody jumps out of an alleyway and starts hitting me in the face to rob me. I don't block punches going, who are you? I just defend myself, you know.
Nicole Perlroth
But in the wake of our revelations at the Times, Mandiant's APT1 report, and John Carlin's indictments, that began to shift.
Ben Santarris
However, I came to understand over time, attribution absolutely matters. To hold nations accountable, we need to have rules of engagement in cyberspace.
Nicole Perlroth
But Unit 61398 was just one group. Inside the NSA, analysts were tracking an entire Chinese hacking apparatus. Here's Steve Stone again.
Steve Stone
I don't think people understand just how big this machine is. They tend to think about a group or an intrusion.
Nicole Perlroth
The intelligence community was tracking some 20 discrete Chinese hacking units. Roughly half were PLA military or navy units dedicated either to specific industries, like microchips, semiconductors, satellite technology, or specific geographies that were just assigned to hack targets in Australia, for instance. These were military personnel clocking in for their daily hacking to do list.
Ben Santarris
By the time we showed up, it was valid credentials, a user ID and passphrase login. And you could tell their operators are used to just sitting at a desk for eight hours a day. And they were probably getting paid by the pound. Just take everything you can, because I used to call it the tank through the corn field.
Steve Stone
Everything started with what we now know as, you know, the PLA, or even the PLA Air Force or PLA Navy. So what we learned was these were very consistent groups. They were big, they were good at what they did, but they were predictable and they didn't evolve much. So we really thought we had our arms around these groups in particular.
Nicole Perlroth
But then there was the other half of the groups the NSA was watching. These were looser satellite networks of contractors. They worked at the behest of China's spy agency, the Ministry of State Security, but not necessarily in the building. These were moonlighters tasked with episodic state missions. Privately employed engineers who got paid by the state to hack on the side. And unlike the PLA's hackers, who could be quite sloppy, these soldiers of fortune were good. They had legitimate skills. They were known for their stealth. Here's Paul Mozur, who covered China's expanding surveillance state for the New York Times.
Paul Mozur
Hacking and the burden of hacking shifted under Xi Jinping, from the People's Liberation Army, the Chinese military, to its intelligence operations, the Ministry of State Security, or MSS. And what MSS does is it takes a very different approach. It basically says that anybody who wants to start a franchise, who's good at this kind of stuff, can have a trust. And so what we see is a sort of network of different hackers for hire emerging across China. And many of them have really deep technological experience and they want to turn it to these sorts of aims. And so effectively it's a group of soldiers of fortune, you know, hackers for hire who are turning at the government's behalf onto the United States and trying to break into any and everything. And any kind of new hack they get goes up the chain and they're rewarded.
Nicole Perlroth
Steve Stone watched in real time as China's hacking unit started handing off missions to the experts.
Steve Stone
Here's Steve. As you mentioned, there's this really emerging moment where we just recognized things were different. And at first we thought maybe they're just, these are other military units we hadn't run across yet. And what we really started to get an appreciation for was there were really different skill levels. There were groups that were really proficient in other things and you could almost begin tracking how they would work together. We would see APT1 struggle with an intrusion and they just could not figure it out. And then all of a sudden APT would show up, blast through the doors, get the intrusion going, and then leave and hand it back off to APT1. And so we were really trying to understand how all these groups were going together, and what we ended up finding out, and why we kind of called those three groups the gunslingers, was those people, the actual people behind them, started as young people. They knew each other and they formed hacking groups, they went to university and they studied together, and then they end up forming actual companies. And then they also did this hacking on behalf of the Chinese government for profit. They were so much more capable because they just stayed on keyboard, they didn't age out. And then teaching, literally teaching, like actually teaching in classrooms, and also these hacking groups, the next generation, and we would actually start to see the ecosystem and the groups evolve. And that's how we really got to understand where we're at today, which is, you know, this ecosystem of private contractors and private groups. If you were in a military unit, you got promoted to a point and now you're off and now the next person comes in and it's a machine.
Nicole Perlroth
This is what US intelligence came to understand. There were two pools of Chinese hackers: the day jobbers, military enlisted personnel, and the gunslingers. Imagine if Stanford's top computer science professors and Silicon Valley engineers, even executives, hacked for the NSA on their off hours as a side hustle or because they had no choice. This allowed China to tap its best and brightest for sensitive missions. And it also gave the CCP plausible deniability should they get caught. The CCP could always say, it's not us, it's these hackers. We can't even control ourselves.
John Carlin
In the US intelligence community, you have to be an employee of the government to be authorized to do these operations, to effectively break the law, right? Because we have effectively the CFAA, the Computer Fraud and Abuse Act, that prohibits everyone from hacking with the exceptions of law enforcement, intelligence community. But to use those exceptions, you have to be a member. On the Chinese side, they were just saying, hey, we have these requirements. Company X, Y and Z, go get them for us. And then what was happening that was really interesting is that a lot of these companies decided to start moonlighting.
Steve Stone
If the Chinese Communist Party comes to you and tells you to do something.
Kevin Mandia
Even if it's not in your business.
Steve Stone
Interest to do it, you have to do it. Because then they have numerous levers of coercion that they can use to effectively.
Kevin Mandia
Put you out of business.
Nicole Perlroth
I'd later learn from the Snowden leaks that China actually ran some of its cyber attacks through popular Chinese tech companies like 163.com, China's version of Yahoo, and Sina, the company that runs China's Twitter equivalent, Sina Weibo. At one point, GCHQ, which is essentially the UK's NSA equivalent, discovered that 163.com's mail servers were secretly operated by a Chinese government domain, and that that same Chinese government domain served as a backup server for Sina Weibo. In practical terms, that means that the Chinese government had direct access to any and all traffic, including private messages, run through Sina or 163.com. This would be like discovering that Facebook or Twitter's backend infrastructure was actually run by the NSA. When you hear that, you start to understand why there might be some national security concerns about TikTok. Increasingly, private security firms and US intelligence agencies would catch China's best state hackers using their golden access to line their own wallets. Here's Dmitri Alperovitch again.
John Carlin
As long as we're hacking companies, well, why don't we do it for our benefit too? And we started to see actors that would hack into gaming companies and steal virtual currency and just monetize it. And at the same time, they were hacking into national security targets of US government or private sector companies and still on IP theft, clearly for the strategic interests of the state. And it was really interesting how you have on one hand an actor that was engaged in personal cybercrime, and on the other hand is executing mission requirements for the state. If you did that in the US, you would get arrested.
Paul Moser
And the thing is, these guys, on the one hand they're sort of hacking these big national targets, but they're also then doing other things to extract money and make money while they're doing it. You can make a lot of money if you can hack without any kind of consequences whatsoever. You have the state's backing and you can also just kind of, you know, say hold data for ransom or, you know, take certain bank accounts or crypto or whatever. And so these guys become this almost mercenary army, the sort of hackers for hire, soldiers of fortune. And it's fascinating because it's a complete change from the top-down way things were before. And it's revolutionized both the way China hacks and also the effectiveness, because they're just much better. It's much better when you have a startup kind of mindset towards hacking anywhere. And China has certainly a very capable set of people to do it. So give them the freedom, give them the resources and, lo and behold, seven or eight years on you have a really deadly, powerful hacking force in China.
Nicole Perlroth
That was Paul Moser. One thing to know about China's hacking pipeline is that it's robust and it starts early. The best analogy is probably American football: talents identified young, recruited to the best college programs and eventually drafted to the NFL.
Paul Moser
They actually recruit in very interesting ways. They'll have hacking competitions among students. Oftentimes they're embedded in the university. So a professor of, you know, cybersecurity at a university might hold hacking competitions and then the best student will be recruited into these new MSS efforts. It may be that people who are really capable programmers at a big tech company, like a sort of large Chinese Internet giant might be pulled out and told actually, hey, you have a future at this.
Nicole Perlroth
How much of this is forced labor?
Paul Moser
I'm not sure we totally know. I think it's a bit of a mix of both. I do think they tend to look for people who are patriotic, who are at certain universities that are linked more closely to the government and its efforts. But for the most part, usually I think there has to be some level of interest. I don't think they're kind of holding great tech minds and saying you have to do this. Oftentimes I think there's an approach and people are kind of interested because there's a financial reward and there's again a power reward. Like if you're working at that level with the government, you get privileges.
Steve Stone
Hacking is not a bad thing in China. Companies have official hacking teams, every university does. And they look at us kind of as fools that we don't. Like, why wouldn't you do this? You're the silly ones for not. You're identified early and you perform and you get into these tracks, and those tracks matter for military service. They matter for private business, they matter for hacking. The really smart people that hack and then the really smart people that run tech companies or do tech projects, they're probably the same people because they're on the same tracks and they're being largely influenced by the same government apparatus in all of these aspects. We don't really have parallels for that. Imagine if you were writing a story where you found out that the head of this unicorn in San Francisco was actually also a hacker for the NSA. Like, that would be front page on every paper in the world. That's kind of what happens over in China with these private groups.
Nicole Perlroth
As the US started naming and shaming China's hackers, they went underground. After our APT1 revelations, the PLA unit unplugged their entire hacking apparatus and fell off the map. Other Chinese APTs started moving their operations from Chinese servers to servers here in the US: the welding shops, saddleries, even home routers, precisely where the NSA couldn't look. But of course, even then, the hacking didn't stop, not by a long shot. The target list only expanded. There were loud calls for the firing of the top administrator at the Office of Personnel Management after it was revealed.
Steve Stone
The hack of government computers is five.
Nicole Perlroth
Times worse than previously reported.
Ben Santeris
We've got breaking news coming in right now on the hack of the government's.
Nicole Perlroth
Office of Personnel Management. In the last hour and a half, OPM announced that as many as.
Ben Santeris
25 million people may be affected by the breach.
Nicole Perlroth
Americans' personal data was now in the crosshairs. So that old calculus.
Kevin Mandia
There was always this sense of, look, it's a trade. We know they steal from us, but we get a lot of money out of China. So right now the trade works in our favor.
Nicole Perlroth
It no longer applied.
Kevin Mandia
I raised once again our very serious.
Ben Santeris
Good concerns about growing cyber threats to American companies and American citizens.
Steve Stone
I indicated that it has to stop.
Nicole Perlroth
That's next on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubric in partnership with Pod People, with special thanks to Julia Lee. It was written and produced by me, Nicole Perlroth, and Rebecca Chasson. Additional thanks to Hannah Petterson, Sam Gabauer and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.
Host: Nicole Perlroth
Guests: Dave DeWalt (NightDragon), Kevin Mandia (Mandiant), Ben Santeris, Steve Stone, John Carlin, Paul Moser
Release Date: March 31, 2025
In the fourth episode of To Catch a Thief: China’s Rise to Cyber Supremacy, host Nicole Perlroth delves into the intricate web of Chinese cyberattacks that have systematically undermined American industries and infrastructure. The episode, titled "Naming and Shaming," explores how China's state-sponsored hacking evolved from mediocre intrusions to becoming an apex predator targeting the United States' critical sectors.
Nicole Perlroth sets the stage by highlighting China's rapid transformation:
“Within a few decades, the Chinese economy went from agrarian backwater to manufacturing middleman, to world-class innovator in its own right.” ([00:04])
She cites prominent examples where China has outpaced the U.S. through aggressive cyber strategies:
Nicole emphasizes how cyber theft and subsidies enabled Chinese companies to dominate:
“The hacking, the outright theft gave them a huge leg up.” ([02:03])
She explains that Chinese firms, such as Huawei and SolarWorld, leveraged stolen intellectual property (IP) to produce similar products at lower costs, effectively driving American competitors out of business. This strategy not only stifled American innovation but also led to the loss of jobs and economic stability in numerous U.S. towns.
Dave DeWalt, CEO of NightDragon and former CEO of McAfee and FireEye, provides an insider perspective:
“That time period was the most dangerous in America's history. I think as we really got a superpower elevated, probably 50 years of IT advancement in a five-year period because developing all that on your own would never have happened.” ([02:41])
DeWalt recounts how Chinese cyberattacks accelerated China's technological capabilities, enabling them to overtake sectors like aviation and energy through persistent and sophisticated breaches.
The episode details the emergence of APT1 (Advanced Persistent Threat 1), a codename used by the Bush administration to covertly refer to Chinese hackers:
“The Bush administration didn't want to say China, so they called it Advanced Persistent Threat. That's code for China.” ([03:38])
Perlroth narrates her investigation into a significant breach at The New York Times, where Chinese hackers infiltrated systems by hijacking a Chinese takeout restaurant’s PDF menu:
“Once they were in, getting these Chinese hackers out of your systems, finding and closing every backdoor was a huge challenge.” ([04:00])
This breach exemplified the relentless persistence of Chinese cyber operations, even after apparent clean-ups.
The collaboration between journalists and cybersecurity experts led to a pivotal moment. John Carlin, former Assistant Attorney General for National Security, discusses how public attribution enabled legal actions:
“It was about more than justice for the victimized American companies. This was about establishing global norms of acceptable behavior.” ([24:40])
A grand jury in Pennsylvania indicted five members of PLA unit 61398, naming victims like SolarWorld, US Steel, and Westinghouse Electric. This legal move marked a significant step in holding Chinese entities accountable for their cybercrimes.
The podcast explores the diversification of Chinese cyber operations beyond military units to include private contractors and "gunslingers":
“These were moonlighters tasked with episodic state missions. Privately employed engineers who got paid by the state to hack on the side.” ([29:14])
Paul Moser, a New York Times correspondent, explains how under Xi Jinping, Chinese hacking shifted to a more decentralized and profit-driven model, fostering a mercenary-like hacker community:
“They become this almost mercenary army, the sort of hackers for hire, soldiers of fortune.” ([35:09])
This shift increased the sophistication and stealth of Chinese cyberattacks, making them more difficult to trace and mitigate.
SolarWorld serves as a poignant example of the devastating impact of Chinese cyber theft:
“In 2012, SolarWorld discovered Chinese hackers had broken into its network and passed its crown jewels over to Chinese state-owned enterprises.” ([13:14])
Despite legal battles and lobbying for tariffs, SolarWorld succumbed to overwhelming competition from subsidized Chinese panels, leading to massive layoffs and the eventual closure of its Hillsboro, Oregon factory in 2021. This case underscores the broader economic repercussions of sustained cyber aggression.
Initially, American leaders hesitated to publicly attribute cyberattacks to China due to economic dependencies. However, investigative journalism and collaboration with cybersecurity firms like Mandiant changed the landscape:
“When Mandia read China's denial in my story, he decided, screw it, let's show them the proof.” ([17:15])
Publicly naming Chinese hacking units forced the U.S. government to take definitive actions, shifting from passive acknowledgment to active prosecution of cybercriminals tied to the Chinese state.
Despite public indictments, Chinese cyberattacks persist and evolve. The Office of Personnel Management (OPM) breach, affecting 25 million Americans, exemplifies the continued vulnerability:
“Americans' personal data was now in the crosshairs.” ([39:05])
Kevin Mandia emphasizes the necessity of establishing rules of engagement in cyberspace to hold nations accountable:
“To hold nations accountable, we need to have Rules of engagement in cyberspace.” ([27:02])
The episode concludes by highlighting the urgent need for a robust and coordinated response to mitigate ongoing and future cyber threats from China.
"Naming and Shaming" serves as a critical examination of how American vulnerabilities were exploited by Chinese cyber operations, leading to significant economic and societal consequences. Through detailed case studies and expert testimonies, the episode underscores the importance of transparency, accountability, and strategic action in countering state-sponsored cyber threats.
Notable Quotes:
Dave DeWalt: “That time period was the most dangerous in America's history... America’s companies would have dominated China had they not been able to build their own Chinese companies with the IP they stole.” ([02:41], [03:06])
Kevin Mandia: “We need to have Rules of engagement in cyberspace.” ([27:02])
Paul Moser: “These guys become this almost mercenary army, the sort of hackers for hire, soldiers of fortune.” ([35:09])
Steve Stone: “There was this really emerging moment where we just recognized things were different...” ([30:10])
This comprehensive summary encapsulates Episode 4's exploration of China's strategic cyberattacks against the United States, highlighting the evolution, impact, and responses to these covert operations. Through meticulous reporting and expert insights, To Catch a Thief sheds light on a largely untold aspect of modern geopolitical conflict.