Nicole Perlroth
For 18 months, a fragile calm descended on our digital borders. The CCP's hackers seemed to have just hung up their hats. And for a time, that giant whooshing noise of American IP being sucked back to China just stopped. All was quiet on the Eastern front. Or so we thought. In retrospect, it appears the PRC carefully studied the Snowden documents, got a look at the NSA signals intelligence, and asked, how do we get that? Within months of the first leaks, Xi set up a Standing Cyber Committee, one of a handful of committees that operates at the highest levels of the Chinese Communist Party. Looking back now, it seems he charged it with mirroring and innovating upon the way the US conducts its cyber operations. During its digital ceasefire, the PRC was actually busy consolidating disparate PLA hacking units under a new Strategic Support Force, very similar to the Pentagon's own Cyber Command. It moved responsibility for the country's most sensitive operations away from the smash-and-grab PLA to the stealthier and far more strategic Ministry of State Security, or MSS. Think of the MSS as a sort of combination of the FBI and NSA. It conducts espionage at home and abroad. But unlike the NSA, the MSS outsourced its sensitive operations to elite Chinese hackers all over the country. It set up front companies that usually marketed themselves as cybersecurity firms. But in reality, their only job was to carry out clandestine attacks for the MSS. In other cases, they paid or forcefully encouraged individual gunslingers, think top engineers at China's most successful tech companies or students at its universities, to hack the world's most valuable targets. This infusion of new blood, new talent into the hacking pool meant more than just a shift in the chain of command. It meant a radical advance in skill and tactics. I'm Nicole Perlroth, and this is To Catch a Thief. These hackers were no longer blasting into the building and announcing their presence.
Here's John Hultquist, Mandiant's chief analyst.
John Hultquist
They are now far more focused on their operational security, laying low, making it much harder for us to attribute them.
Nicole Perlroth
Before 2015, attributing Chinese APTs by their attack style, whether phishing tactics or their malware, was a fairly straightforward practice. Rarely would you see a Chinese APT deploy advanced techniques or custom code. They barely tried to hide their tracks. By late 2016, it was a different story. Here's Kevin Mandia.
Kevin Mandia
We used to be able to bucketize the forensics, Nicole, into very few groups out of China. And then all of a sudden, we get an explosion where the forensic evidence of each intrusion doesn't feel related to any other intrusion, or it's just different enough that we're like, ah, we're not quite sure if it's the same people. There's just a dramatic increase in the volume of change, the pace of change on offense.
Nicole Perlroth
The first sign the game had changed is when I started getting tips about a spate of Chinese intrusions at aviation and aerospace companies in late 2016. Hackers weren't coming in the usual ways anymore. Instead of hacking their targets head on, they were slipping in through a side door. They'd hacked the service providers that companies hire to manage their backend IT systems. In industry parlance, these companies are known as MSPs, managed service providers. Breach one and you get entry to potentially thousands of their customers. Some of these MSPs had names you've never heard of, but others, like IBM, you would definitely know. And the Chinese hackers doing this, they weren't one group working from one drab PLA building anymore. This was a coordinated surge by disparate elite hackers. And unlike the PLA, these hackers weren't getting paid by the hour, they were getting paid by the outcome. Incident responders started getting frantic calls from MSPs all over the world seeking help. And these weren't just in the US. These were MSPs in Japan, South Korea, Thailand, all across Europe, Canada, the UK, South Africa, Australia. They had all been popped in a campaign that they'd go on to call Operation Cloud Hopper, because hackers would hop from these MSPs into their customer networks at some of the world's leading pharmaceuticals, engineering, retail, manufacturing, telecom, aerospace and satellite technology makers. They took Rio Tinto's prospecting secrets and sensitive health research from Philips. They took more than 100,000 detailed personnel records from the U.S. Navy. They even managed to slip into NASA's Jet Propulsion Lab. With the first Trump administration's trade war as a backdrop, they were back to hacking trade secrets with a vengeance. Here's Steve Stone, who lived and breathed this transition.
Steve Stone
The first love of mine in this was APT4. Most of my early times were really against APT4, which is largely publicly attributed to the People's Liberation Army. And they were exactly that. They were the checklist group, which I actually loved. They were going off a checklist. They did not seem very technically advanced. And once we kind of learned the checklist, you could predict where their errors were going to be. Because it was an error in the checklist, they would hit the same glitches over and over again, and we were able to really understand that. And so I was very used to these PLA groups and I thought I had this all kind of worked out. And then we saw a very specific victim go through an initial compromise in a time span that I had never seen before. They moved through a layered network defense with some really novel technical countermeasures with virtually no problem. So right off the bat we're like, they're problem solving on the fly. And that's incredibly impressive. And then the other thing that really impressed me was they were really able to go after only what they needed to. They were only highly skilled when they absolutely needed to be. And that ability to make that decision was the first really, I hate to say red flag, but the first big warning, like the game has changed.
Nicole Perlroth
These new hackers were meticulous digital ninjas. Working with laser-like precision, they took great pains to cover their tracks, encrypting their traffic, deleting log files and other digital crumbs, and burrowing in so deeply that even when victims wiped and rebooted their machines, these Chinese hackers found a way to remain. But occasionally, they just couldn't help themselves. At one point, they registered a hacking domain as nsamifound.com. They were messing with us. Years later, we'd learn just how little they cared about getting caught. In 2024, someone, we still don't even know who, doxxed a mid-level Chinese hacker-for-hire contract shop called I-Soon. Among the leaks were transcripts of the hackers' group chats. They'd been messaging about who had been named in a US indictment of APT41, their hacking unit. But they weren't concerned. They were celebrating. The chats showed hackers promising to buy their colleagues 41 shots at the next rager. But for the most part, these MSS hackers laid low and were light years ahead of their predecessors. When I'd interview the people charged with responding to these attacks, I couldn't help but notice that they were impressed.
Steve Stone
It wasn't that they were always amazing, it's that they could be very low level and then in a split second go all the way to the top of a technology stack and then immediately scale back down. They knew they did not want to reveal their wizardry and they knew they had it, and so they were able to really pay attention to that. And that to me was the thing that was most impressive versus, like, a particular technical exploit. It was the ability to know we're going to do magic right here and we're going to limit how much magic we do because we don't want to reveal that, compared to, like, the PLA units which were like, we're just going to do what we do and if you see us doing it, we kind of don't care because we're going to be here anyway. And that made the gunslingers incredibly hard to get out because we never knew what they were capable of. We never really fully had confidence in their skill set because we don't think we ever really got to see it.
Nicole Perlroth
Which brings us to zero days.
Kevin Mandia
You know, cyber exploits that have no patch, that's what a zero day is. There's just no way to stop those attacks from working.
Nicole Perlroth
A word on zero days. In essence, zero days are holes in the foundation of a system. Holes the developers missed. For simplicity's sake here, let's just say I'm a hacker. I find a programming mistake in your iPhone's iOS software. It could be as simple as a misplaced zero or a missing hyphen. Just something that Apple's programmers missed. That's a zero day. It's called that because once it's found, programmers have had zero days to fix it. Now, let's say I'm a hacker who can write a program to actually exploit that zero day to do things like read your text messages, track your location, spy on your phone calls. That's a zero day exploit. Really, it's an invisible ankle bracelet. So you can see the immense value a single zero day exploit would have for a spy agency. And indeed, there is an entire classified gray market for zero days where hackers routinely sell their zero day exploits to governments or brokers for hundreds of thousands, sometimes millions of dollars. The going rate for that zero day exploit I just described in your iPhone, right now, at this very minute, a Saudi broker is offering three and a half million dollars for it. And if it's really good, so good the target wouldn't have to so much as click to get infected, that same broker will pay you $9 million. And if this market sounds titillating, I get it. I spent seven years investigating the zero day market for my book, This Is How They Tell Me the World Ends. You should read it. But for now, what you need to know is that before 2015, it was incredibly rare that you would find a zero day in a Chinese APT attack. Google's Aurora hackers used a Microsoft zero day to break in, but that was an exception. Finding and exploiting zero days is incredibly difficult. It can take months, years even, to hone a flawless zero day. And even if you can manage that, rarely would you actually use it. There's a saying in the intelligence world: you use it, you lose it.
Nobody is willing to risk burning a multi-million dollar zero day when they can just as easily break in through a rudimentary phishing attack. In fact, when my book came out in 2021, I got a ton of flak from industry critics who said, Nicole, why'd you focus so heavily on the zero day market when the vast majority of these attacks start with phishing? And to be fair, they had a good point. But even I was surprised when that same year a record number of zero days cropped up. The most serious of them in Chinese cyberattacks.
Kevin Mandia
We had 32 zero days in 2019 exploited in the wild. To me, that was a world record. I'm like, we've been tracking this since the 90s. 32 in a year was mind blowing. And then all of a sudden we hit 81 in '21. And I'm like, wow, the world's different now. And this is seven times what you'd see in 2010. You know, I mean, it's just. That tells you the art of the game right now, that people are finding exploitable code at rates higher than ever before and using it in the wild. Because our numbers, Nicole, are what we assume. If we see it, we see it, we're responding to a breach. There's the zero day. And we're seeing that even into today. You know, more zero days than ever before. Makes no sense to me when code was way less secure 30 years ago, 20 years ago, and 10 years ago than it is today. So we're building the most secure code we've ever built before, and yet there's more zero days than ever before.
Steve Stone
We used to. And this, this sounds very bad now, but we used to actually, like, you would know all the zero days used by Chinese groups. There just weren't that many. A really smart analyst could tell you all of them. And now, like, I couldn't tell you the ones they've used this month.
Nicole Perlroth
So there's clearly been a sea change here. But tell me what it looked like from your vantage point.
Steve Stone
There just. There's a whole different clip. So it's not like a group figured it out or the military didn't. That probably only happened because there's some kind of real direction. There's a real. Your use of sea change is perfect. I think there's a real sea change. And in China, that only happens from the top down.
Nicole Perlroth
The top down, really. In retrospect, what the CCP took from Washington's threats and the naming-and-shaming campaign wasn't to stop hacking, but to move it underground. And zero days offered the perfect cover. When nobody knows about the existence of your secret tunnel, you can move in and out as you please. And part of the reason the CCP was suddenly so willing to burn so many zero days is that they had plenty of them to burn. And how they acquired their stash is just another window into the advantage authoritarians have in the digital realm. You see, here in the West, intelligence agencies have to develop zero days in house or pay six, seven figures to procure them from hackers on the gray market. That's not the case in China, where the CCP can simply force hackers to turn them over for free. And that's exactly what happened. Beijing started hoarding its own zero days, eliminating any above- or below-ground market for them. In China, authorities abruptly shuttered China's best known platform for reporting zero days. They arrested its founder, and they started forcing China's hackers to turn over their best finds. Here's Jim Lewis, longtime liaison on all things China.
Jim Lewis
Chinese hackers complain to me, it's like, we could make a lot of money selling this stuff and instead we have to give it to the government. And they're invited to drink tea at the local cop shop, come down and drink tea. And it's suggested to them that it's their patriotic duty to give Uncle Xi their hacking tools for free or even to work for Uncle Xi. But part of it goes back to this Chinese paranoia. The Chinese hacked the West. They also hacked each other. And so if you went to a big Chinese company, they would complain about being hacked by the Chinese. And there's a desire to get that under control. There's a desire to get control of what the Chinese would call the information space. And so putting the hackers on a leash was part of a larger effort to get control of the information space.
Nicole Perlroth
And just so there was no ambiguity here, the CCP formalized this practice into law, banning the unauthorized disclosure of vulnerabilities. These laws forced Chinese citizens to give the state right of first refusal on any zero day they found. Over the previous five years, I'd watched Chinese hacking teams dominate the big annual hacking competitions. But after these laws passed, they stopped showing up, on the state's orders. If they wanted to attend an international hacking competition, now they had to apply for a waiver with the Chinese police. But they were welcome to compete at hacking competitions inside China, albeit with a new sponsor, the Ministry of State Security. China's hackers had been forced into conscription, and penalties for non-compliance were severe. I'm kicking us off with Alibaba on deck now. Baba actually dropping today as Reuters reports the tech giant is cutting a third of its deals team as Chinese lawmakers step up their scrutiny. That's according to Reuters. The stock, as you can see, they're down about 5%. In December 2021, a Chinese security engineer at Alibaba went rogue. He disclosed a serious zero day that would have proved mighty useful to Chinese spies. What that Alibaba engineer found was a zero day in an open source library called Log4j. Here's Jen Easterly, formerly the director of the US Cyber Defense Agency, CISA.
Jen Easterly
The log4j vulnerability is the most serious vulnerability that I have seen in my decades long career. Everyone should assume that they are exposed and vulnerable now.
Nicole Perlroth
This vulnerability became public last week, when everyone found out about it. But it actually dates back to 2013, when this flaw was introduced into open source software that was then copied in millions of other places and has now sort of gone viral in a software sense. Log4j was used in millions of applications. In terms of severity, this was a 10 out of 10. Hair on fire, drop everything and find a patch situation. Using this zero day, you could take full remote control of potentially millions of systems around the world. For cybercriminals, that meant you could have used it to steal banking credentials or deployed ransomware on God knows how many systems. For spies, it would have made the digital world their oyster. In cybersecurity circles, what that Alibaba engineer did was heroic, but for Beijing, it was a slap in the face. And they made his employer pay a steep price, suspending Alibaba's government contracts for six months, just long enough to send its stock into free fall and send a clear message to every Chinese hacker and their employer: play by state rules or prepare to go through some things. By 2019, we caught glimpses of where all these zero days were going. That year, security researchers discovered a Chinese hacking operation that was as slick as any I'd seen. Just as a lion waits for its prey to come to water, Chinese hackers had pulled off what's known as a watering hole attack. They'd infected a slew of Uyghur websites with a string of zero day exploits. Anyone who navigated to these websites would have been immediately infected with spyware that turned their iPhone or Android phone into a CCP portal. These were zero days that on the gray market would have easily fetched $10 million. But Beijing was now getting them for free. And not long after they turned up on Uyghur phones, researchers discovered a parallel effort hacking Tibetans and then Chinese activists, the Five Poisons. But inevitably, they turned up here against us.
China's zero days started popping up in our most widely used technology. At one point, researchers uncovered a string of zero days in Microsoft's Exchange email system, used by everyone from US military contractors, state and local governments to small businesses. These zero days allowed Chinese hackers to invisibly read emails. Once those zero days were discovered, Microsoft raced to put out a patch. But this time, China's hackers didn't give up. They ratcheted their attack up several notches. 10 of its elite hacking divisions started firing the zero days and backdoors at thousands, we're talking tens, hundreds of thousands of systems, that let them, and really anyone who now knew how to scan for them, zero day and back door, come back at any time and do whatever they pleased. I remember calling you the day that was discovered and saying, my usual, help. And you said that they were exploiting these systems with an aggression that you hadn't seen before.
John Hultquist
Yeah.
Nicole Perlroth
And. Well, tell us what it looked like and why it was the most aggressive operation you'd seen from China.
John Hultquist
One, it was sort of a direct path to the crown jewels for a lot of organizations. So if they use this right, they don't necessarily have to make their way through the network and do a lot of other activity because they can go straight in to where you are, you know, storing a lot of your intellectual property and intelligence-related information. Right. Or this stuff. It was sort of like a beeline to the heart of the problem. But the other thing that was interesting is that there was a patch issued and what we saw was a sudden global spray of the zero day across many, many targets, as many targets as they could get their hands on. And they were essentially leaving a backdoor, like a foothold in these systems so that they could revisit when they had enough time. And that was one of the most reckless and globally significant attacks I've ever seen, because you essentially left a door open on millions of systems. The other interesting thing about that zero day is, from a criminal perspective, it had tremendous criminal viability, because you can leverage access to the Exchange servers to deploy ransomware. You can just steal a bunch of valuable stuff and extort people for that. Right. So again, you've got a beeline to highly valuable information that you can monetize. And so this was a sudden crisis, not just from the original users, but any potential follow-on users. And we had to essentially make sure that people were moving really quickly on patching and raise that alarm. I've never even seen, like, the alarm raised like that in any other situation I can think of.
Nicole Perlroth
That was John Hultquist. Now, it's easy to get lost in the technicality here, but really it's hard to overstate the magnitude of this attack. In the real world, it would be like spies or mercenaries robbing thousands of American homes and dousing them with fuel on the way out so that any digital arsonist with a match could come back at any time and burn it all down. The situation was so dire that the Justice Department did something it had never done before, authorizing one of the broadest FBI search warrants on record. The warrant gave the FBI the ability to covertly go into any infected Exchange system, patch it, and remove China's backdoor. Now, it's important to note here that this was a tad controversial and there were many who screamed government overreach. But given the severity of China's attack, the potential for mass disruption, most privacy activists seemed to give the government a pass. And that attack, I'm sorry to say, was just the opening salvo. Here's Kevin Mandia.
Kevin Mandia
China's brought the A game and they've changed. And usually when you see these kind of shift changes on offense, oh, their doctrine's changing. Something's changing over there. All I know is somebody made a decision to up them a notch. And we have a gradual incrementalism of aggression on offense out of China over the last few years. And it's going up every year.
Nicole Perlroth
They're no longer the most polite player in cyber.
Kevin Mandia
Their techniques are far more innovative and improved than even three years ago. China is the winner in innovation, and you see what happens when they win. You get 750 days in a year.
Nicole Perlroth
So far, we've trained our eye across the Pacific. But as all this was going on, there was arguably a far more sinister disturbance in the digital world order. One that experts in industry and classified government SCIFs were watching with horror.
Steve Stone
Officials are investigating if hackers carried out.
Nicole Perlroth
A nightmare scenario: taking down a power grid. The CIA and security firms are investigating whether Russia is behind the cyber attack on a power grid in Ukraine. Russian hackers are stepping up attacks on behalf of the Putin regime. When digital historians look back, there's no doubt that December 23, 2015 will go down as the day everything changed. That day, just ahead of Christmas Eve, Russian hackers crossed the digital Rubicon, shutting off power to Western Ukraine. And for good measure, they shut down emergency phone lines, too. The power wasn't out long in Ukraine, less than six hours. But it was just long enough to send a message: we can shut you down at any time of our choosing. They followed it up one year later with a second cyber attack on Ukraine's power grid. Only this time, they shut off power to the nation's heart, Kiev, in a display that made the White House wince. Until that point, covering these attacks was like watching an international game of chicken. With every new attack you watched spy agencies pushing, pushing, testing for that red line that never came. But Russia's twin attacks on Ukraine's grid changed the whole game. This careful gentleman's game of spy versus spy had come to an abrupt end. We were no longer in the gray zone. We'd entered the red zone. Looking back on Russia's twin attacks on Ukraine's grid and some of the attacks that followed, it's a little like reading the tea leaves. Maybe if we'd spent more time connecting the dots, we could have foreseen Putin's 2022 military invasion earlier. Certainly in Beijing, officials watched Russia's cyberattacks and the absence of any serious international response with keen interest. Here's Jen Easterly again, who led the U.S. Cyber Defense Agency, CISA, under Biden.
Jen Easterly
And to your point on Ukraine, I would just comment that I think we all need to recognize that the defense of Ukraine is the deterrence of China. China is watching very closely whether we end up just giving up on Ukraine because it sends a message to what our political will would be in the event of an invasion or a blockade of Taiwan.
Nicole Perlroth
But China had already been laying the blueprints for their own attack. Most people just missed it.
Jen Easterly
But I think if you go to what the Chinese themselves have said, what is in their doctrine, it's pretty clear that the strategy is about holding US critical infrastructure at risk in order to deter our ability to marshal military might and citizen will. So this is really about inducing societal panic and chaos. And that would be the result of water systems being polluted or inaccessible, transportation lines being derailed, communication systems being severed, pipelines exploding.
Steve Stone
If they're willing to sink US aircraft carriers, then they're going to be willing to turn off U.S. energy supplies and pipelines and refineries and go after factories.
Unnamed Expert
So in my estimation, I think much of what we may see in a Taiwan environment from the PRC is, inside Taiwan, very much an intel-gathering, maybe disruption of services to support sort of military activity, along with disinformation and misinformation in all of those avenues. I think the thing that is fundamentally different here that we are most concerned about is the implications for the US homeland. And that, I think, is something that we didn't see. We were certainly concerned about in Russia, Ukraine, you know, since I had the Shields Up initiative, we were doing all kinds of messaging from the White House while I was there to make sure that everyone was taking the potential risk seriously. I think similarly, that's where we're at today in thinking about the PRC issue, with the one difference, which is we know that they're on critical infrastructure today. We see it in the transportation sector, we see it in the water sector, we see it in the communications sector, we see it in the energy sector. And the worst day is an everything-everywhere-all-at-once scenario, that all of a sudden some other factor or thing happened in the environment, and all of a sudden we see disruption in multiple sectors simultaneously with services to the American public going out the.
Nicole Perlroth
The everything-everywhere-all-at-once cyber attack. That's in two weeks, on the next To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode, and if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia Lee. It was written and produced by me, Nicole Perlroth, and Rebecca Chasson. Additional thanks to Hannah Pedersen, Sam Gabauer and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.
To Catch a Thief: China’s Rise to Cyber Supremacy – Episode 6: The Gunslingers
Release Date: April 14, 2025
Produced by Rubrik in partnership with Pod People
Host: Nicole Perlroth
In Episode 6, titled "The Gunslingers," host Nicole Perlroth delves deep into the sophisticated evolution of Chinese cyber operations. This episode explores how China transitioned from employing rudimentary hackers to cultivating elite cyber operatives capable of executing highly strategic and stealthy attacks on global targets. Perlroth interviews cybersecurity experts and insiders to uncover the motivations and methodologies behind China's ascent to cyber supremacy.
Perlroth opens the episode by setting the stage of an 18-month digital calm, which initially gave the impression that Chinese cyberattacks had subsided. However, this tranquility was deceptive. She explains, “In retrospect, it appears the PRC carefully studied the Snowden documents, got a look at the NSA signals intelligence, and asked, how do we get that?” (00:08)
During this period, the Chinese Communist Party (CCP) established the Standing Cyber Committee, aiming to emulate and innovate upon U.S. cyber operations. Contrary to the perceived ceasefire, China was actively consolidating its cyber capabilities by unifying disparate People's Liberation Army (PLA) hacking units under the newly formed Strategic Support Force, mirroring the structure of the U.S. Cyber Command.
A pivotal shift occurred when responsibilities for sensitive cyber operations were transferred from the PLA to the Ministry of State Security (MSS). Perlroth describes the MSS as “a sort of combination of the FBI and NSA,” responsible for both domestic and international espionage. Unlike the PLA, the MSS outsourced its most critical operations to elite hackers across China, often disguised as cybersecurity firms.
"These hackers were no longer blasting into the building and announcing their presence," Perlroth notes, highlighting the stealthy nature of these new operatives (00:08).
John Hultquist, Mandiant's Chief Analyst, emphasizes the heightened operational security:
"They are now far more focused on their operational security, laying low, making it much harder for us to attribute them." (03:00)
Before 2015, Chinese Advanced Persistent Threats (APTs) were relatively easy to identify due to their simplistic tactics and lack of sophisticated techniques. Perlroth recounts, “Before 2015, attributing Chinese APTs by their attack style... was a fairly straightforward practice.” (03:10)
However, by late 2016, this dynamic had dramatically changed. Kevin Mandia of Mandiant observes:
"We used to be able to bucketize the forensics... and rarely would you see a Chinese APT deploy advanced techniques or custom code." (03:35)
The evolution was marked by a surge in varied and innovative attack methods, making attribution increasingly challenging.
One of the first indicators of China's enhanced cyber prowess was Operation Cloud Hopper, a coordinated campaign targeting Managed Service Providers (MSPs) worldwide. By compromising MSPs, Chinese hackers could infiltrate thousands of their clients' networks simultaneously.
Perlroth details the extensive reach of these operations:
"They'd taken Rio Tinto's prospecting secrets and sensitive health research from Philips... They even managed to slip into NASA's Jet Propulsion Lab." (04:02)
Steve Stone, a cybersecurity expert, reflects on the sophistication of these attacks:
"They were able to go after only what they needed to... The gunslingers were incredibly hard to get out because we never knew what they were capable of." (09:08)
A critical aspect of China's cyber strategy is the exploitation and accumulation of zero day exploits—undisclosed vulnerabilities in software that can be leveraged for cyberattacks. Perlroth explains zero days as:
"They are holes in the foundation of a system... Once it's found, programmers have had zero days to fix it." (10:03)
Initially rare in Chinese APT attacks, the use of zero days surged dramatically post-2015. Kevin Mandia highlights this explosion:
"We had 32 zero days in 2019 exploited in the wild... In 2021, we hit 81." (13:11)
This unprecedented increase underscores China's intensified focus on developing and deploying zero day exploits.
Unlike in the West, where zero days are typically developed in-house or purchased on gray markets, China mandates that all zero day discoveries be handed over to the state. Perlroth elaborates:
"In China, the CCP can simply force hackers to turn them over for free... they started forcing China's hackers to turn over their best finds." (16:23)
Jim Lewis, a China cyber liaison, explains the internal pressure on Chinese hackers:
"They were invited to drink tea at the local cop shop... It suggested to them that it's their patriotic duty to give Uncle Xi their hacking tools for free." (16:23)
This state-controlled approach effectively eliminates the gray market for zero days within China, consolidating cyber capabilities under government oversight.
The episode recounts significant zero day incidents that exemplify China's cyber tactics:
Alibaba Incident (December 2021): A Chinese security engineer at Alibaba disclosed a severe zero day in the open-source library Log4j, leading to widespread vulnerabilities. Jen Easterly, former director of the US Cyber Defense Agency CISA, called it “the most serious vulnerability” she had encountered (18:55).
Microsoft Exchange Attacks (2019-2021): Chinese hackers exploited zero days in Microsoft Exchange servers, granting them covert access to sensitive information across millions of systems. John Hultquist describes the breach as “the most aggressive operation” he'd seen from China (22:43).
These incidents illustrate the scale and impact of China's zero day exploitation, affecting critical infrastructure and leading to unprecedented government responses.
In response to the severity of these cyberattacks, the U.S. government took unprecedented measures. Following the Microsoft Exchange breach, the Justice Department authorized one of the broadest FBI search warrants ever, allowing the FBI to covertly patch and remove backdoors from infected systems.
The measure was controversial, but Jen Easterly notes, “Everyone should assume that they are exposed and vulnerable now.” (18:55) This incident sparked a reevaluation of cybersecurity policies and underscored the need for robust defenses against state-sponsored cyber threats.
Kevin Mandia comments on the escalating cyber aggression:
"China has brought the A game and they've changed... their techniques are far more innovative and improved than even three years ago." (25:46)
The episode connects China's cyber aggression to broader geopolitical developments, notably Russia's cyberattacks on Ukraine's power grid. These attacks marked a shift from clandestine operations to overt aggression, signaling a new era in cyber warfare.
Jen Easterly, former director of CISA, emphasizes the deterrence implications:
"The defense of Ukraine is the deterrence of China... it's about holding US critical infrastructure at risk to deter our ability to marshal military might and citizen will." (29:13)
Experts express concern over China's potential to execute similar cyberattacks on U.S. critical infrastructure, envisioning scenarios where multiple sectors—such as energy, water, and communications—could be simultaneously disrupted. An unnamed expert speculates on “an everything everywhere all at once scenario” where a major cyberattack could incapacitate numerous services across the American landscape (30:50).
Episode 6, "The Gunslingers," provides a comprehensive exploration of China's advanced cyber operations and their implications for global security. Through detailed accounts and expert insights, Perlroth illuminates the strategic maneuvers that have positioned China as a dominant cyber power. The episode serves as a stark reminder of the evolving threats in the digital realm and the pressing need for international vigilance and robust cybersecurity measures.
Notable Quotes:
“They are now far more focused on their operational security, laying low, making it much harder for us to attribute them.”
— John Hultquist, Mandiant's Chief Analyst (03:00)
“We used to be able to bucketize the forensics... and rarely would you see a Chinese APT deploy advanced techniques or custom code.”
— Kevin Mandia, Mandiant (03:35)
“This was the most aggressive operation... You essentially left a door open on millions of systems.”
— John Hultquist, Mandiant (22:44)
“The log4j vulnerability is the most serious vulnerability that I have seen in my decades long career.”
— Jen Easterly, Former Director of CISA (18:55)
“China has brought the A game and they've changed... their techniques are far more innovative and improved.”
— Kevin Mandia, Mandiant (25:46)
Production Credits:
Written and Produced by Nicole Perlroth and Rebecca Chasson
Additional Thanks: Hannah Pedersen, Sam Gabauer, and Amy Machado
Editing and Sound Design: Morgan Foose and Carter Wogan
For more insights into China's cyber strategies and their global implications, listen to the full episode of "To Catch a Thief: China’s Rise to Cyber Supremacy."