88. China vs Google: When Beijing Took on Silicon Valley (Ep 1)
This episode is the origin story of state-sponsored cyber espionage. It's the moment Google was hacked by a foreign state, and for the first time, publicly pointed the finger at who they believed was responsible: China. The attack was a canary in the coal mine for the world of Chinese cyber attacks and espionage we know today.
Join Gordon and David as they tell the story of how an act of cyber espionage descended into a debate about the complex equations between money and freedom of speech for Western companies operating in China.
-------------------
Join The Declassified Club: Start your free trial at therestisclassified.com - go deeper into the world of espionage with exclusive Q&As, interviews with top intelligence insiders, quarterly livestreams, ad-free listening, early access to episodes and live show tickets, and weekly deep dives into original spy stories. Members also get curated reading lists, special book discounts, prize draws, and access to our private chat community.
To sign up to the free newsletter, go to: https://mailchi.mp/goalhanger.com/tric-free-newsletter-sign-up
-------------------
Order a signed edition of Gordon's latest book, The Spy in the Archive, via this link.
Order a signed edition of David's latest book, The Seventh Floor, via this link.
-------------------
Email: classified@goalhanger.com
Twitter: @triclassified
Social Producer: Emma Jackson
Producer: Becki Hills
Senior Producer: Dom Johnson
Exec Producer: Tony Pastor
Transcript
For exclusive interviews, bonus episodes, ad-free listening, early access to series, first look at live show tickets, a weekly newsletter, and discounted books, join the Declassified Club at TheRestIsClassified.com.
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis.
In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.
However, it soon became clear that what at first appeared to be solely a security incident, albeit a significant one, was something quite different.
We have taken the unusual step of sharing information about these attacks with a broad audience, not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech.
Well, welcome to The Rest Is Classified.
I am David McCloskey.
And I'm Gordon Corera.
And that was a statement not by a spy, Gordon, or an intelligence officer, but by Google's chief legal officer, issued on the 12th of January, 2010.
And that statement is about a hack, a cyber attack conducted by China against Google.
It's come to be known as Aurora.
It's a story about cyber espionage that sort of plays into a bigger battle about the world's biggest country and one of America's biggest corporations.
Yeah, that's right.
I mean, the idea of states like China, North Korea, Russia hacking companies isn't such a big surprise these days.
But in many ways, this is the origin story.
This is where it all began.
The idea of states versus companies.
It's also the first big cybersecurity story about a hack that I remember making the evening news because it was a big deal because it escalated into the world of politics.
It was the first time, you know, a big company admitted it had been hacked.
And not just any company, but one everyone's heard of, Google.
And crucially, Google are going to point the finger at who they say was responsible for this hack.
So it's going to be the canary in the coal mine, really, for the world of Chinese cyber attacks and cyber espionage that we hear so much about today.
And it's also, I mean, because you have a corporation pointing a finger, as it were, at the state responsible for the attack, it also, I think, is a story that gets pretty political pretty quickly.
I mean, this is a story that will feature characters like Secretary of State Hillary Clinton, Politburo members in Beijing, and the founders of Google itself in kind of this swirl of politics and cyber attacks and espionage that all jammed together.
It's also really hard, Gordon, for me, to remember a time when it wasn't common to have state-sponsored cyber attacks.
And yet this is not actually that long ago.
We're talking about a 15-year span.
It's remarkable how far we've come since this kind of origin story of state-sponsored cyber espionage.
Yeah, I think that's absolutely right.
In a way, it's familiar, but also from a slightly different era.
I think it's because it is the dawn of that era, and it's about cyber espionage against companies, but also, as we'll see, against dissidents.
So there is an element of this, which really is about, if you like, traditional spying, but it also gets into issues of freedom of speech.
How far do companies have values about freedom of speech?
How far are they going to fight for those?
What are the kind of complex equations between money and freedom of speech which come up?
And yeah, it gets to the big geopolitical questions about technology in China and the West and who runs, who owns the technology which we all depend on.
All big issues today.
Maybe that's a good place to start, Gordon, which is setting the scene with China and the internet, because those are going to be two massive threads in this story.
By 2010, the surveillance state that we now see in China was certainly on its way to being constructed, but was nowhere near sort of what it has become today.
Yeah, I think that's another thing we have to get into our heads, a slightly different China in 2010 and a different way people thought about China.
It wasn't yet the China of Xi Jinping and the kind of confrontation of today.
And so the relationship between China and the West and China and the internet is a bit different.
I mean, when it comes to the internet, first email from China went over an academic network back in 1987.
Across the Great Wall, we can reach every corner of the world, it announced.
Sounds like something a spy service would send.
But I think it was meant as a kind of, in the days of the internet being an academic thing.
The internet was less evil back in the 80s, right?
I mean, it was a more innocent time.
Definitely.
But then, so that was 87, the first Chinese email.
But two years later, you get Tiananmen Square.
And that is, of course, a moment when there are pro-democracy students in the center of Beijing calling for greater freedom in China, and they are going to get crushed, literally crushed by Chinese People's Liberation Army, PLA, tanks, and killed by troops.
And it is the pivotal moment in China in recent decades because the regime becomes obsessed with threats to internal stability and that dissenters, critics could be trying to overthrow the regime.
And so then you get this idea, the fear growing in China that the internet is a western Trojan horse.
It's something that's going to be brought into their country, the internet, and it's going to subvert the country by promoting free speech, political change, Western ideas.
And so they're going to do their best to stop that happening.
And that's probably true, right?
That seems like a reasonable fear, you know, for an authoritarian political system, the internet, open communication that will undermine your political power.
Yeah, and you can actually hear it from Western leaders at the time.
If you go back to the kind of Bill Clinton, Al Gore days in the 1990s, they talked about how the Internet, as part of the forces of globalization, was going to bring reform and democratization to lots of countries. And of course, if you're the communist regime in Beijing, you're like, not sure, not sure how we feel about that.
So they're going to build what becomes called the Great Firewall of China to deal with this threat from the internet.
Interestingly enough, some Western companies help give them the technology, but it's basically border control for the internet.
Rather than someone checking your passport, it's checking what internet traffic is coming into the country.
And it means if you went into China in this period and searched for Tiananmen Square, you'd get nothing. If you looked for certain websites, they'd be blocked. I mean, I remember being in China, I mean, as late as 2013, and suddenly the TV news would just suddenly stop because it was something that was considered sensitive in China. So they're going to these efforts to block what they see as subversive material getting in.
And they're very conscious that America and the West dominates the internet.
I mean, you know, another story that I remember people in China telling me was that there's this moment in 2004 where they got a fright about their dependence on Western technology.
And that was because Microsoft was trying to clamp down on pirated versions of the Windows operating system.
And lots of people had pirated copies, sold them illegally, and were using them.
So Microsoft came up with this idea, which was anyone who's operating an unlicensed version, their screen would kind of go black and a message would appear saying you're running a pirated copy.
The problem in China was that literally everyone, including every government department, was using a pirated copy of Windows.
And so suddenly there is this moment where all the screens in government departments everywhere in China go black with this message going, you're running a pirated copy of Windows.
So you can see why, if you're in China, you suddenly go, hang on a sec, a Western company just effectively showed that they have the ability to turn us off.
You can see why that's pretty scary.
This is going to be a story about cyber espionage, but it's really a story about how the Chinese can sort of use the internet, use the tools of this digital domain to control their own population, right?
So even as that spreads sort of beyond its borders, thinking about China's relationship with Microsoft or as we'll talk about with Google, it's really an inward-looking set of interests, isn't it?
That is driving a lot of these concerns and driving a lot of the external behavior is this kind of like, how does this affect us in China?
I think that's absolutely right.
If you look at China's intelligence posture and everything it does, its primary concern is about domestic stability.
So, you know, they're going to start to kind of worry about Western technology.
They're going to say to Microsoft, well, if you're going to operate in this country, then you have to share some of your source code, which Microsoft will do at special centers.
Other countries that want to go into business and sell in China, like Apple, you know, have to comply with Chinese laws.
So, but of course, Western companies at the same time are desperate to get into the Chinese market.
I mean, it doesn't take a genius to work out why.
Western companies are so interested in getting into the Chinese market.
It's big.
It's a giant market.
That's right.
And most Western companies, I have the sense, whether they did it quickly or whether they sort of hemmed and hawed, were ultimately willing to concede to the kind of concerns or stipulations that the Chinese government had about what they'd have to do to get access to the market, right?
I mean, most U.S. companies, international companies, were more than willing to do that because they have an obligation to shareholders to earn money and to make profits.
And that's why they exist.
Yeah.
And certain companies are excluded.
So social media companies are never kind of allowed in your Twitters, your X's, things like that, effectively.
But Google is a really, really interesting case.
And it's at the heart of our story.
So Google, founded in a garage famously in 1998 by Larry Page and Sergey Brin.
Just like our podcast founding story, right, Gordon?
Yeah, founded in a garage.
I don't think we've yet to become billionaires, though.
Not yet, but we got the garage bit down.
Yep.
So it's founded as a search engine in the late 90s.
It's been growing.
2004, crucially, again, for this story, they're going to launch Gmail, the kind of mail service.
And these are, hard to remember, more optimistic days of the internet, as you said earlier.
Google's mission statement is to organize the world's information and make it universally accessible and useful.
And the company also has a more informal motto, which is don't be evil, which I thought was the CIA's motto, actually.
But Google maybe got it from there.
That's the unofficial motto of the CIA as well.
Yeah.
And sometimes we struggle with it, Gordon.
Sometimes we struggle.
It goes back to the Snowden world, doesn't it?
And it's that era of internet idealism, of which Snowden was a kind of extreme proponent.
But it is that idea that the internet is going to provide a free flow of information, it's going to liberate people, including those under more repressive regimes.
It's going to be a force for good and for freedom.
So Google starts looking at entering the Chinese market around 2005.
And so you get a very complicated debate in the company itself about how far it should or shouldn't operate in China, because China, as we heard with the Great Firewall, censors information.
And so there are tensions.
Now, Sergey Brin, one of the founders, is an interesting figure here because he had actually been born in the Soviet Union.
His father, who'd been an academic, had tried to emigrate at one point, had been denied a visa.
They'd had the police come to their house.
They'd had surveillance on them, the KGB, all those things.
He's grown up with this kind of awareness of what a repressive society looks like.
Eventually, the family emigrate, I think, when Sergey Brin is six, and he ends up eventually in California and starting Google.
But it does leave him with that legacy of kind of a different perception of it.
When you get that debate within the company, I think he is on the more cautious end about going into China.
But others are saying, well, hang on a sec.
This is our mission, is to make information accessible, including to people in China, even if you have to make compromises.
And I guess it does seem particularly hard for like a search company as opposed to, I mean, if you're providing widgets into the Chinese market, or if you're Apple and you're, you know, you want to sell phones, like, I guess in theory, it's easier to make some compromises in China to get access to the market than if literally your company's sort of whole purpose is to provide open information, right?
I mean, social media sites, search companies like Google, it seems like that tension would be far greater.
I think that's right.
It is a different China.
It's a China before Xi Jinping.
It's a China where you can believe it is opening up.
And we look at it now in hindsight where we know it's become a responsible stakeholder.
Wasn't that the term used in sort of the late 90s, early 2000s that we will sort of ensnare the Chinese in a thicket of commercial relationships and international organizations and political ties.
And eventually the nature of the regime will change a bit.
Oops.
How did that work out?
Anyway, at the time, let's go back to kind of the mid-2000s.
There's a compromise.
So Google gets a license to create google.cn.
So that's the Chinese version.
But it's going to abide by the requirement to censor certain search results.
It says it will do that according to Chinese law, but it will put up a disclosure notice saying when it's done that, and it's going to host an uncensored US hosted site.
Seems like the Chinese government would not appreciate that very much to have the disclaimer and then literally the link to go to the other site.
And so this tension.
From 2007, you start to get the censorship requests coming in.
Now, some are the kind of stuff you see everywhere, including, you know, in the UK and elsewhere, pornography, illegal activities, but there's also kind of requests for political information to be removed.
Things like Tibet, things like Tiananmen Square.
In all, about 1% of search results are blocked.
2008 though, Olympics in Beijing and things get more tense because the Chinese government is pushing for more censorship because they're worried about protests.
US executives are unhappy about this in Google, but they think maybe it's temporary for the Olympics, but it doesn't end after the Games.
And more and more search terms, more and more content requests, often embarrassing stories about officials, are the things that are getting asked to be taken down.
It's like a big row in 2009, apparently after one Politburo standing committee member in charge of propaganda discovered that if he entered his own name into Google, a raft of critical results turned up.
And he was like, something must be done about this.
You should get used to it.
Anyone these days who Googles themselves, you're just asking for trouble.
You are.
You are.
But this is, again, this is early days, you know, and this is probably, I would imagine most Chinese officials were not used to putting their names into open sort of databases and getting back a whole bunch of nasty, nasty reviews of their political activities.
I mean, I guess you see kind of a push and pull and maybe more and more tension building then in the relationship between China and Google.
So I guess this brings us, Gordon, to mid-December of 2009.
And it brings us to the Googleplex, as it were.
Google's headquarters in Mountain View, California.
It's December 14th, 2009.
Let's see.
Young McCloskey Gordon is feverishly working inside the bowels of Langley somewhere.
Just for context, Gordon Corera, what's young Gordon Corera doing in mid-2009?
Very young Gordon Corera.
Very young.
He's working in the BBC then at that time.
I think probably in West London, but not in an office like the Googleplex.
I'll read this lovely and colorful description of the Googleplex and you can tell me how similar it was to BBC headquarters.
So the Googleplex was known for its playful and unconventional design elements, including a T-Rex skeleton named Stan, a giant rubber duck, and a variety of colorful, quirky decorations.
Employees enjoyed a range of amenities, such as free laundry facilities, two swimming pools, volleyball courts, and numerous cafeterias offering a variety of food options.
Maybe you only had one swimming pool at the BBC, Gordon.
It was volleyball, then a swim, then some free food in the cafeteria, and then to my desk for a little bit of light work.
A little bit of light work, sitting on one of those giant balls.
Yeah, so you got the core workout while you were working.
Yeah.
Yeah, while wearing sandals. That was the Gordon Corera of 2000. But that is, I think, a fair reflection of life in the Googleplex. I'm sure Langley was like that as well.
Yeah. So December 14th, 2009. Among the Googlers, because that's what they're called, is a woman called Heather Adkins, who's part of our story. So she's managing a security team. She's been at Google already for seven years, since 2002, so very early on in the company, and one of those people who got into cyber security because she's kind of innately curious about how hackers work. I've met her. As well as being a cyber ninja, the key thing you need to know about Heather is she's a serious medieval historian who knows a lot about English churches. And I once tried to kind of ask her about churches in part of England, and I realized she knew like infinitely more than I did from my tiny bit of undergraduate medieval history, and I was like, oh, okay. But actually, what's interesting is she will say there is a link between medieval history and cyber.
I'm excited to hear it.
Which is, and it's a good, I think I buy this, which is studying medieval history is about taking fragments of information because only fragments have survived the past.
And then you have to kind of extrapolate out from those tiny details to build a picture of what was happening.
It's a kind of detective work, which is similar in a way to cybersecurity.
So I think that there is a link there.
But anyway, 2009, most of the work for the security team is dealing with criminals, stealing credit cards, and just kind of nuisance hackers who want to show they can take Google offline.
Four o'clock on this day, December the 14th, 2009.
She comes out of her last meeting, goes back to her desk.
There's lots of people from the security team huddled around a screen talking.
It's a hive of energy.
Hey, what's up?
She says, you'll never believe what we found.
And they found something on the Google network.
So inside the systems.
Now, who do they think it is at first?
They say, we've caught the interns doing naughty stuff.
That's the first reaction.
Yeah, that's everyone's first reaction.
That's like, that's 99% of the problems.
Weren't you an intern at CIA once?
I mean, like, I'm getting a lot of people.
I was.
Yes, I was.
I mean, just a few years before this, I had been an intern at CIA.
Did you hack the CIA system?
No, no, that was frowned upon.
And I was excited about the prospects of full-time employment.
And I felt like, in addition to not having the capabilities, that if I had attempted to hack anything at the agency, I might not have gotten a job.
So I was kind of, I was, I was very well behaved.
That's their first response is like, it's interns showing what they can do.
Because I guess that's the hacker culture.
Hackers famously are people who want to just show that they can mess with things and what they can do.
But they pretty quickly realize as they pull at some of the threads that it's much more serious.
It's not the interns.
It's not the interns.
Someone is inside their system doing things they certainly shouldn't be.
I mean, initially, someone from the security team, Tim Duen, thinks only one machine's compromised.
It gets worse.
The bad guys have got everywhere.
It's a massive breach of the corporate systems.
Basically, the hackers are in.
They're moving fast.
They're changing tactics.
They basically have never seen anything like this in Google, and they've got no playbook for how to deal with it.
All right, so, with the interns off the hook, let's take a break.
And when we come back, we will see how they point the finger at China.
See you after the break.
Welcome back.
The team at Google HQ, the Googleplex in Mountain View, California, has just realized they have a serious breach on their hands.
They now need to dig into this, Gordon, and find out who actually is responsible.
And maybe even most importantly, just how sort of deep this breach is into their systems.
Yeah, because they're realizing it's bad.
So Heather Adkins, who's running the security team, hands a list of machines that they think might have been compromised to other members of the team.
And they have to go physically pull the hard drives from across the Google campus.
And this is in the middle of the night, in the dark, in a rental car.
And they're running around with flashlights, grabbing machines, which they can then use to do forensics.
At first, they try to unscrew the hard drives, and then they realize that's going to take too long.
So they just pull out the whole machine and just put it in the trunk of the car and drive off.
I mean, it sounds more like a heist than a security investigation, but I guess that's what you've got to do.
One thing we didn't actually talk about, how did they actually spot this?
I mean, what were they seeing that led the security team to believe that there had been the serious breach?
Well, they are a bit cagey about that because I've spoken to a lot of the teams.
And I think one of the things I think it's fair to say is that they had very good monitoring on their own systems to look for anomalous behavior and to see something unusual.
And that's more normal nowadays, but I think in those days, that was fairly unusual.
And Google, being a tech firm, had the ability to just spot something, but we don't know the exact trigger for it.
But they are going to be able to do the forensics to find out where it came from.
And that's partly going to come from this investigation that they're kind of moving very quickly on.
So they're taking the hard drives, they're leaving post-its saying security was here, we've taken your machine, please call this number, which again sounds like something you do if you're stealing them.
And if some poor Googler called up and said, why has my machine been taken?
They're not going to be told why.
They're just told security has taken your machine.
And then the security team create a war room, which is first just one room, but then it's going to go to two rooms, three rooms, then a whole building for the investigation.
And they're going to actually have to build their own network, their own separate network in that building, stringing cables between the rooms, like being a startup all over again, one of them describes it, in order to be able to communicate without using the system, which they know the hackers are in and which has been compromised.
And what's interesting as well is that the founders of Google are going to get involved and take a close interest.
Sergey Brin, as we mentioned, one of the founders, worried about surveillance, gets a desk to sit with those working on the investigation.
So they're building up a picture of what's happened to find the single point of entry used to get into the network, to get the foothold.
And eventually they find it and they see the attackers had looked for someone in Google's China team who had good access to the systems, but crucially was using the Microsoft Internet Explorer web browser.
I don't know if you remember that one.
Might be before your time.
No, I do remember that one.
I do remember that one, which I guess seems strange given that I think Google had Chrome by this time, right?
So they're using Chrome mainly internally now.
Chrome's about to be rolled out to the outside world, but internally they're already using Chrome and everyone is supposed to be using it.
So whoever the attacker was had to find someone who was using Internet Explorer, and then they have to work out who that person knew in the company and who they communicated with.
They then hijacked the personal account of a colleague of their target and then used that personal account to send an instant chat message to the target, the one who's using Internet Explorer.
And the crucial thing, I guess, is that it's not an out-of-the-blue email or instant message like a scam one, but it's someone who you're regularly chatting with.
So you're exploiting that trust.
And of course, what's in the message is a link.
I feel like about 95% of personal cybersecurity advice boils down to don't click on links, essentially.
But the Chinese essentially, though, have found a vulnerability in Microsoft Explorer, I guess, in Internet Explorer, right?
Yeah, what's called a zero day.
And the jargon, a zero day means it's zero days since it's been discovered.
So normally, if something gets discovered, you then say how many days since it's been discovered, and then therefore patched.
Patched means the vulnerability is dealt with, is closed up.
So if you update your system, it won't be exploited.
And a zero day means the zero days since it's been found.
It's a kind of weird bit of jargon, but it basically means it's an undiscovered weakness in your system that the attackers can go in.
And then they're going to use that to infect that computer.
They can install a Trojan, which is a machine which kind of secretly can take control of your computer and you can then operate the computer remotely.
And it's stealthy so that the attackers' traffic back to their command and control systems look like ordinary web traffic.
And then they're going to use that foothold from that one computer to kind of explore the Google corporate network and to kind of move around it and be able to do what they want to do.
And I guess it's immediately clear then to the security team at Google that this is pretty high-level kind of cyber tradecraft, I guess you could say, because I would imagine at this point in time that most of the attacks they're dealing with are from individuals or groups who are kind of using known, I guess, exploits or weapons.
And in this case, they're being attacked with something they didn't even know existed, which would suggest it's very sophisticated and frankly, probably that you would need money to buy it or to invest to discover it, right?
So it's this is a pretty well-organized group.
Yeah, because zero days aren't cheap.
So either you're going to buy it and they are not cheap, or you've got a team of developers who are kind of able to look for them.
So yeah, immediately you know that it's big.
The war room's going to grow.
So over about six weeks, it's going to grow to about 250 to 300 people involved.
Google are calling in all their own internal experts.
Some are in holiday in New Zealand and they're kind of told to come back home to help with it.
They try to hire some people, outside experts, and they bring in experts from cybersecurity companies.
Particularly, there's someone from McAfee, which is a kind of well-known company, called Dmitri Alperovitch, who is then a youngish cyber expert, but goes on to be one of the leading figures in cybersecurity.
And I was talking to him just a couple of days ago, just remembering this hack, because it's a pivotal moment in cybersecurity history and actually in his kind of history. And he remembers analyzing some of the malicious code inside the systems, and he sees a word in the malicious code, and that word is Aurora. And Aurora also happens to be the name of the battleship which helped start the Russian Revolution in 1917, the shot heard around the world. So he decides, Dmitri decides, this is going to be the name for this attack, and that's going to stick. So it's going to become known as Aurora. And Google are kind of reaching out to all the experts it can who are experts on cyber espionage, trying to do it quietly.
Sergey Brin calls one of the leading experts, a guy called Ron Deibert, who runs Citizen Lab in Canada.
It's a group which helps protect activists from being spied on by states.
He's got a good book out called Chasing Shadows, where he remembers being called by Sergey Brin himself, you know, one of the Google founders, and told to keep it confidential.
Being told Google's been hacked, can you help?
And it's kind of interesting.
Ron in his book kind of reflects, well, his job is to protect activists, not companies.
And yes, it looks like, as we'll come to, maybe activists with a target, but whose job is it to protect Google?
Because Google, at one point, are also going to go to the FBI and going to be put in touch with the NSA.
But it becomes an interesting question at this time, which is, is it the government's job?
Is it Google's job?
And I think that, especially when you're being hacked by a very sophisticated adversary, which might be a nation state, this is going to be a kind of recurring question over this period, which is whose job is it to defend against foreign states if you're a big tech company.
Part of the structural problem, though, is that in the cyberspace, you can't be perfect, right?
You cannot be perfect on your defense.
And when you have a really well-capitalized, organized adversary, if they really want to find a way in, like, they're probably going to.
It's a hard question because, you know, I would say it's sort of Google's responsibility to defend themselves, but then after you've been sort of attacked or breached, then it becomes the responsibility of, you know, the NSA or the FBI to help determine who's responsible and to see if anything can be done about it.
But it's, it's messy, right?
It's, it seems like an area where the law and the bureaucracy hasn't caught up with the realities of the technology, even now.
Yeah, even now, let alone in 2010.
I mean, previously, the only people who've really been hacked in this way by foreign states would have been defense companies who work very closely with the government and the intelligence agencies anyway.
So they're going to kind of be communicating and talking about it.
But this is suddenly different when you've got a kind of consumer-facing company, effectively Google, getting hacked by a state.
I think that's one of the reasons why this is kind of such a big moment.
So the investigation is drawing all of these people in, but it's also got to be really secret.
And of course, the reason is the adversaries, the hackers, are in the system.
And so, you know, it's so interesting, isn't it?
They are living inside Google's network.
So if you send messages around Google's network saying, these machines are infected, or here's what we're going to do about it, they can see it.
It's like a mole hunt.
It's a mole hunt.
Yeah.
Knowing you're penetrated by your adversary.
And therefore, you, you know, like we've seen in some of the other episodes we've done, like that kind of Gordievsky story, you have to create a team which is cordoned off from the rest of the organization who can do it without communicating more widely.
In case the moles, in this case, they're online, can see what you're doing.
So it's kind of a super secret investigation.
But crucially, they can see, because they're now up on the attackers, they can see what the hackers, the adversaries are doing inside Google's systems, and they can see what they're looking for.
I mean, they can see them using Google's internal search engine and what they're typing in it, what they're Googling within Google, and that's going to make clear it's certainly espionage.
And in this case, it's, I guess, to go back to the original kind of geopolitical point we raised on China, which is their intense interest in sort of internal security.
I mean, they're going after particular Gmail accounts and trying to obtain long-term access to them through sort of the underlying source code that govern the system and access to it and all of that.
Yeah, that's what's so interesting about it is it's definitely not criminal, they can see from this point, nor is it the type of hacking we sometimes associate with China where it's simply intellectual property theft where they're trying to steal the corporate secrets like the negotiating position or how you build your widgets so that you can copy it in China.
This is much more targeted and it is, yeah, it's about Gmail accounts.
But also, I think this is so interesting.
They are looking for the source code that Google uses to run its systems so that they can get long-term access to Gmails of their targets.
So some of the reports, and Google never comments on all the details, was that they were targeting the password system that controls access to devices known as Gaia.
You can see why that would be valuable.
They're looking for the signing certificates.
That's what verifies software as legitimate and as being provided by Google when it gets downloaded on someone's machine.
If you can steal signing certificates or fake them, then you can download onto people's machines in the long term.
This is all the kind of stuff which gives you long-term stealthy access to systems and your targets.
Now, Google think they got them early enough before they could establish that long-term access.
But they can also see when they start looking at it, they can see that the hackers have used other means.
So rather than not getting through Google's internal systems, but to get to some of their targets who have Gmail accounts, traditional phishing emails, malware on their computers, they can see that they found other ways of hijacking the targets of their computers.
And they've got into kind of dozens of US, China, and Europe-based Gmail users.
And basically, a common thread with all of these is that they are advocates of human rights in China.
According to the FT at the time, two accounts used by the dissident artist, Ai Weiwei, have been attacked, their contents read and copied.
Another person was a student at Stanford, and I spoke to that student years after the attack. They were a Tibetan activist at Stanford who'd been organizing protests in the US related to the 2008 Olympics in Beijing, and they and their fellow activists had been getting these emails from each other which they knew they hadn't sent.
And obviously, this is all part of that campaign to go for people who China sees as a threat to their stability at home, partly because they're advocating from abroad for human rights.
Does Google know at this point what entity in China might be responsible?
And I guess maybe said a little bit differently, are they backing into the fact that it's the Chinese based on the targets at this point?
Or is there something else that's suggesting that this is coming from China?
Because I guess in theory, it could be anybody, but once you take a look at who they're looking at, you can kind of assume.
Yeah.
Yeah.
I mean, there's going to be some other technical indicators which point to China.
I think particularly to two colleges in China, which are relevant.
And it is interesting, isn't it?
Because it's a cyber espionage campaign, but it's not targeting CIA officers or government officials or your classic espionage targets, but dissidents.
And I mean, I think that just goes back to the kind of Chinese mindset and some of their first ever cyber attacks. The first cyber attack to breach the UK Foreign Office, I think it's 2002 or so, is linked to Tibetan activists.
And they're kind of going through the Foreign Office and going through links to do with the Tibetan conference.
So you can see right from the start, that is the prime focus, particularly in this period, of a lot of espionage which is coming out of China.
And that is so clear from the targets of this Google attack.
But there are some signs that they're looking a little bit more broadly too, because they're interested in, you know, for example, like the legal discovery portals where Google gets requests for surveillance data from kind of law enforcement and government, right?
So whatever group is doing this, the taskings that they're getting, the direction they're getting is a little bit beyond just the activists as well, right?
There's a broader interest in sort of mining what Google has, which makes sense.
As long as they've got access to the systems, why not take what they can?
I mean, that one about the legal discovery stuff is, I think, really interesting, because this is the portal where inside Google, if the FBI or the FISA court, which authorizes kind of warrants for surveillance of spies and terrorists and others, if the court says effectively we want to wiretap someone and we want access to their Gmail, then that gets sent to Google and then Google have to provide access.
And they can see these are the reports which come out afterwards, which Google have never themselves kind of commented on, but that certain names have been queried by the hackers to see whether they are in that portal.
In other words, whether there are surveillance requests on them.
Now, those wouldn't be dissidents.
No, it would be like Chinese intelligence officers under commercial cover or assets of Chinese intelligence in the U.S. who might be under suspicion.
So that seems like a spot where maybe multiple Chinese services had peeked into this and sort of tasked the team that actually had access to pull different sorts of things based on what they wanted.
Because that seems like something the Ministry of State Security, which is the more externally focused Chinese intelligence agency, would have great interest in.
If they knew that a cyber unit in the PLA, in the military, had this kind of access to Google.
Yeah.
If you've got some agents in the US, you can suddenly see whether they are under surveillance by the FBI, because you can see whether the FBI has asked for a warrant on them.
So it's a kind of smart counterintelligence game.
And actually, one of the things that they discovered during this investigation is it's not just Google that's been hacked, but other companies as well.
And it looks like Microsoft was hacked as well, also looking for this kind of information, but also lots of other companies.
Adobe gets hacked.
And it looks like, again, there, they're looking for source code, which might have allowed them, if they got that, to then find vulnerabilities in Adobe software, which is downloaded by lots of people again, kind of a way of getting long-term access to machines.
So in all, I mean, at least 20 companies have been hacked.
It's discovered as part of Aurora.
And it looks like Google are like at the tail end of this hacking operation.
And it's just they're the ones who kind of spotted it and discovered it.
And there's all these other companies, which as they pull the thread, they suddenly go, oh, they've been hacked too.
Some of the defense companies, software companies, hardware companies, seems to be a lot in that world, but they've all been hacked.
And they realize this is a big operation, which has been going on for years, led, it looks like, by China.
And I guess the question then is, what in the world is Google going to do about this now that they've got this team, hundreds of them, sitting in this sort of outbuilding on their own network watching the Chinese state muck around in Google systems?
What in the world do you do about it?
And maybe there, Gordon, it's a good spot to end.
And when we come back, we will answer that question and see exactly how Google takes it to the Chinese state.
One more thing, though, David, as a special bonus for members of the Declassified Club, we have a Googler who's going to come on, not just any Googler, but the president of Global Affairs for Alphabet, which is Google's renamed parent company, Kent Walker, who was part of Google at this time of Aurora and looks after the kind of external affairs for the company, and he's going to be on to talk about Aurora hackers, foreign states, China, all those exciting things.
So that's one for members of the club.
You can join at the restisclassified.com.
See you next time.
We'll see you next time.