Ep 6: The Gunslingers

32m
During China’s pseudo-cyber-hiatus, the PRC’s hacking operations get a major overhaul. CCP leadership moves responsibility away from the sloppy, brazen hackers at the People’s Liberation Army to the far more stealthy, and strategic, Ministry of State Security. Gone are the “most polite” hackers in the digital world. Here to stay are the gunslingers – the elite of the elite in their field.

In Episode 6, host and former New York Times cybersecurity reporter, Nicole Perlroth lays out what it looked like as China’s hackers went underground… and what we missed in Eastern Europe as they did.


Transcript

For 18 months, a fragile calm descended on our digital borders. The CCP's hackers seemed to have just hung up their hats.
And for a time, that giant whooshing noise of American IP being sucked back to China just stopped. All was quiet on the Eastern Front.
Or so we thought. In retrospect, it appears the PRC carefully studied the Snowden documents, got a look at the NSA's signals intelligence, and asked, how do we get that?

Within months of the first leaks, Xi set up a standing cyber committee, one of a handful of committees that operates at the highest levels of the Chinese Communist Party.

Looking back now, it seems he charged it with mirroring and innovating upon the way the U.S. conducts its cyber operations.
During its digital ceasefire, the PRC was actually busy consolidating disparate PLA hacking units under a new strategic support force, very similar to the Pentagon's own cyber command. It moved responsibility for the country's most sensitive operations away from the smash and grab PLA to the stealthier and far more strategic Ministry of State Security, or MSS.
Think of the MSS as a sort of combination of the FBI and NSA. It conducts espionage at home and abroad.
But unlike the NSA, the MSS outsourced its sensitive operations to elite Chinese hackers all over the country. It set up front companies that usually marketed themselves to cybersecurity firms.
But in reality, their only job was to carry out clandestine attacks for the MSS. In other cases, they paid or forcefully encouraged individual gunslingers, think top engineers at China's most successful tech companies or students at its universities to hack the world's most valuable targets.

This infusion of new blood, new talent into the hacking pool meant more than just a shift in the chain of command. It meant a radical advance in skill and tactics.

I'm Nicole Perlroth, and this is To Catch a Thief.

These hackers were no longer blasting into the building and announcing their presence. Here's John Hultquist, Mandiant's chief analyst.

They are now far more focused on their operational security, laying low, making it much harder for us to attribute them.

Before 2015, attributing Chinese APTs by their attack style, whether phishing tactics or their malware, was a fairly straightforward practice.

Rarely would you see a Chinese APT deploy advanced techniques or custom code. They barely tried to hide their tracks.
By late 2016, it was a different story. Here's Kevin Mandia.
We used to be able to bucketize the forensics, Nicole, into very few groups out of China. And then all of a sudden we get an explosion.
That's really it, where the forensic evidence of each intrusion doesn't feel related to any other intrusion, or it's just different enough. They were like, ah, we're not quite sure if it's the same people.
There's just a dramatic increase in the volume of change, the pace of change on offense. The first sign the game had changed is when I started getting tips about a spate of Chinese intrusions at aviation and aerospace companies in late 2016.
Hackers weren't coming in the usual ways anymore. Instead of hacking their targets head on, they were slipping in through a side door.
They'd hacked the service providers that companies hire to manage their back-end IT systems. In industry parlance, these companies are known as MSPs, managed service providers.
Breach one, and you get entry to potentially thousands of their customers. Some of these MSPs had names you've never heard of, but others, like IBM, you would definitely know.
And the Chinese hackers doing this, they weren't one group working from one drab PLA building anymore. This was a coordinated surge by disparate elite hackers.
And unlike the PLA, these hackers weren't getting paid by the hour. They were getting paid by the outcome.
Incident responders started getting frantic calls from MSPs all over the world seeking help. And these weren't just in the US.
These were MSPs in Japan, South Korea, Thailand, all across Europe, Canada, the UK, South Africa, Australia. They had all been popped in a campaign that they'd go on to call Operation Cloudhopper.
Because hackers would hop from these MSPs into their customer networks at some of the world's leading pharmaceutical, engineering, retail, manufacturing, telecom, aerospace, and satellite technology makers. They took Rio Tinto's prospecting secrets and sensitive health research from Philips.
They took more than 100,000 detailed personnel records from the U.S. Navy.
They even managed to slip into NASA's Jet Propulsion Lab. With the first Trump administration's trade war as a backdrop, they were back to hacking trade secrets with a vengeance.
Here's Steve Stone, who lived and breathed this transition.

The first love of mine in this was APT4. Most of my early times were really against APT4, which is largely publicly attributed to the People's Liberation Army. And they were exactly that. They were the checklist group, which I actually loved. They were going off a checklist. They did not seem very technically advanced.
And once we kind of learned the checklist, you could predict where their errors were going to be because it was an error in the checklist. They would hit the same glitches over and over again.
And we were able to really understand that. And so I was very used to these PLA groups and I thought I had this all kind of worked out.
And then we saw a very specific victim go through an initial compromise in a time span that I had never seen before. They moved through a layered network defense with some really novel technical countermeasures with virtually no problem.
So right off the bat, we're like, they're problem-solving on the fly, and that's incredibly impressive. And then the other thing that really impressed me was they were really able to go after only what they needed to.
They were only highly skilled when they absolutely needed to. And that ability to make that decision was the first really, I hate to say red flag, but the first big warning, like the game has changed.
These new hackers were meticulous digital ninjas working with a laser-like precision. They took great pains to cover their tracks, encrypting their traffic, deleting log files and other digital crumbs, and burrowing in so deeply that even when victims wiped and rebooted their machines, these Chinese hackers found a way to remain.
But occasionally they just just couldn't help themselves. At one point, they registered a hacking domain as NSAmefound.com.
They were messing with us. Years later, we'd learned just how little they cared about getting caught.
In 2024, someone, we still don't even know who, doxed a mid-level Chinese hacker-for-hire contract shop called iSoon. Among the leaks were transcripts of hackers' group chats.
They'd been messaging about who had been named in a U.S. indictment of APT-41, their hacking unit.
But they weren't concerned. They were celebrating.
The chats showed hackers promising to buy their colleagues 41 shots at the next rager. But for the most part, these MSS hackers laid low and were light years ahead of their predecessors.
When I'd interview the people charged with responding to these attacks, I couldn't help but notice that they were impressed. It wasn't that they were always amazing.
It's that they could be very low level and then a split second go all the way to the top of a technology stack and then immediately scale back down. They knew they did not want to reveal their wizardry and they knew they had it.
And so they were able to really pay attention to that. And that to me was the thing that was most impressive versus like a particular technical exploit.
It was the ability to know we're going to do magic right here and we're going to limit how much magic we do because we don't want to reveal that compared to like the PLA units, which were like, we're just going to do what we do. And if you see us doing it, we kind of don't care because we're going to be here anyway.
And that made the gunslingers incredibly hard to get out because we never knew what they were capable of. We never really fully had confidence in their skill set because we don't think we ever really got to see it.

Which brings us to zero days.

You know, cyber exploits that have no patch. That's what a zero day is.
There's just no way to stop those attacks from working. A word on zero days.
In essence, zero days are holes in the foundation of a system. Holes developers missed.
For simplicity's sake here, let's just say I'm a hacker. I find a programming mistake in your iPhone's iOS software.
It could be as simple as a misplaced zero or a missing hyphen, just something that Apple's programmers missed. That's a zero day.
It's called that because once it's found, programmers have had zero days to fix it. Now, let's say I'm a hacker who can write a program to actually exploit that zero day, to do things like read your text messages, track your location, spy on your phone calls.
That's a zero day exploit. Really, it's an invisible ankle bracelet.
So you can see the immense value a single zero day exploit would have for a spy agency. And indeed, there is an entire classified gray market for zero days, where hackers routinely sell their zero-day exploits to governments or brokers for hundreds of thousands, sometimes millions of dollars.
The going rate for that zero-day exploit I just described in your iPhone, right now, at this very minute, a Saudi broker's offering three and a half million dollars for it. And if it's really good, so good the target wouldn't have to so much as click to get infected, that same broker will pay you nine million dollars.
And if this market sounds titillating, I get it. I spent seven years investigating the zero-day market for my book, This Is How They Tell Me The World Ends.
You should read it. But for now, what you need to know is that before 2015, it was incredibly rare that you would find a zero-day in a Chinese APT attack.
Google's Aurora hackers used a Microsoft zero day to break in, but that was an exception. Finding and exploiting zero days is incredibly difficult.
It can take months, years even, to hone a flawless zero day. And even if you can manage that, rarely would you actually use it.
There's a saying in the intelligence world, you use it, you lose it. Nobody is willing to risk burning a multi-million dollar zero day when they can just as easily break in through a rudimentary phishing attack.
In fact, when my book came out in 2021, I got a ton of flack from industry critics who said, Nicole, why'd you focus so heavily on the zero-day market when the vast majority of these attacks start with phishing? And to be fair, they had a good point. But even I was surprised when that same year, a record number of zero days cropped up.
The most serious of them in Chinese cyber attacks. We had 32 zero days in 2019 exploited in the wild.
To me, that was a world record. I'm like, we've been tracking this since the 90s.
32 in a year was mind-blowing. And then all of a sudden we hit 81 in '21.
And I'm like, wow, the world's different now. And this is seven times what you'd see in 2010.
You know, I mean, it's just, that tells you the art of the game right now that people are finding exploitable code at rates higher than ever before and using it in a while because our numbers, Nicole, are what we assume if we see it, we see it. We're responding to a breach.
There is the zero day. And we're seeing that even into today.
More zero days than ever before makes no sense to me when code was way less secure 30 years ago, 20 years ago, and 10 years ago than it is today. So we're building the most secure code we've ever built before.
And yet there's more zero days than ever before. We used to, and this sounds very bad now, but we used to actually, like, you would know all the zero days used by Chinese groups.
There just weren't that many. A really smart analyst could tell you all of them. And now, like, I couldn't tell you the ones they've used this month.
So there's clearly been a sea change here. But tell me what it looked like from your vantage point.
There's a whole different clip. So it's not like a group figured it out or the military didn't.
That probably only happened because there's some kind of real direction. There's a real, your use of sea change is perfect.
I think there's a real sea change. And in China, that only happens from the top down.
The top down. Really, in retrospect, what the CCP took from Washington's threats and the naming and shaming campaign wasn't to stop hacking, but to move it underground.
And Zero Days offered the perfect cover. When nobody knows about the existence of your secret tunnel, you can move in and out as you please.
And part of the reason the CCP was suddenly so willing to burn so many Zero Days is that they had plenty of them to burn. And how they acquired their stash is just another window into the advantage authoritarians have in the digital realm.
You see, here in the West, intelligence agencies have to develop zero days in-house or pay six, seven figures to procure them from hackers on the gray market. That's not the case in China, where the CCP can simply force hackers to turn them over for free.
And that's exactly what happened. Beijing started hoarding its own zero days, eliminating any above or below ground market for them in China.
Authorities abruptly shuttered China's best-known platform for reporting zero days, they arrested its founder, and they started forcing China's hackers to turn over their best finds. Here's Jim Lewis, longtime liaison on all things China.
Chinese hackers complained to me. It's like, we could make a lot of money selling this stuff, and instead we have to give it to the government.
And they're invited to drink tea at the local cop shop. Come down and drink tea.
And it's suggested to them that it's their patriotic duty to give Uncle Xi their hacking tools for free. Or even to work for Uncle Xi.
But part of it goes back to this Chinese paranoia. The Chinese hacked the West.
They also hacked each other. And so if you went to a big Chinese company, they would complain about being hacked by the Chinese.
And there's a desire to get that under control. There's a desire to get control of what the Chinese would call the information space.
And so putting the hackers on a leash was part of a larger effort to get control of the information space. And just so there was no ambiguity here, the CCP formalized this practice into law, banning the unauthorized disclosure of vulnerabilities.
These laws forced Chinese citizens to give the state right of first refusal on any zero day they found. Over the previous five years, I'd watched Chinese hacking teams dominate the big annual hacking competitions.
But after these laws passed, they stopped showing up on states' orders. If they wanted to attend an international hacking competition, now they had to apply for a waiver with the Chinese police.
But they were welcome to compete at hacking competitions inside China, albeit with a new sponsor, the Ministry of State Security. China's hackers had been forced into conscription, and penalties for non-compliance were severe.

I'm kicking us off with Alibaba on deck. Now, Baba actually dropping today as Reuters reports the tech giant is cutting a third of its deals team as Chinese lawmakers step up their scrutiny. That's according to Reuters. The stock, as you can see, they're down about 5%.

In December 2021, a Chinese security engineer at Alibaba went rogue. He disclosed a serious zero day that would have proved mighty useful to Chinese spies. What that Alibaba engineer found was a zero day in an open-source library called Log4j.
Here's Jen Easterly, formerly the director of the U.S. Cyber Defense Agency, CISA.
The Log4J vulnerability is the most serious vulnerability that I've seen in my decades-long career. Everyone should assume that they are exposed and vulnerable.
Now, this vulnerability became public last week when everyone found out about it, but it actually dates back to 2013 when this flaw was introduced into open-source software that was then copied in millions of other places and has now sort of gone viral in a software sense. Log4j was used in millions of applications.
In terms of severity, this was a 10 out of 10. Hair on fire, drop everything and find a patch situation.
Using this zero day, you could take full remote control of potentially millions of systems around the world. For cyber criminals, that meant you could have used it to steal banking credentials or deployed ransomware on God knows how many systems.
For spies, it would have made the digital world their oyster. In cybersecurity circles, what that Alibaba engineer did was heroic, but for Beijing, it was a slap in the face.
And they made his employer pay a steep price, suspending Alibaba's government contracts for six months, just long enough to send its stock into free fall and send a clear message to every Chinese hacker and their employer, play by state rules or prepare to go through some things. By 2019, we caught glimpses of where all these zero days were going.
That year, security researchers discovered a Chinese hacking operation that was as slick as any I'd seen. Just as a lion waits for its prey to come to water, Chinese hackers had pulled off what's known as a watering hole attack.
They'd infected a slew of Uyghur websites with a string of zero-day exploits. Anyone who navigated to these websites would have been immediately infected with spyware that turned their iPhone or Android phone into a CCP portal.
These were zero days that on the gray market would have easily fetched $10 million. But Beijing was now getting them for free.
And not long after they turned up on Uyghur phones, researchers discovered a parallel effort hacking Tibetans and then Chinese activists, the five poisons. But inevitably, they turned up here against us.
China's zero days started popping up in our most widely used technology. At one point, researchers uncovered a string of zero days in the Microsoft Exchange email system used by everyone from U.S. military contractors, state and local governments, to small businesses. These zero days allowed Chinese hackers to invisibly read emails.
Once those zero days were discovered, Microsoft raced to put out a patch. But this time, China's hackers didn't give up.
They ratcheted their attack up several notches. Ten of its elite hacking divisions started firing the zero days and backdoors at thousands.
We're talking tens, hundreds of thousands of systems. That let them, and really anyone who now knew how to scan for that zero day and backdoor, come back at any time and do whatever they pleased.
I remember calling you the day that was discovered and saying my usual "help." And you said that they were exploiting these systems with an aggression that you hadn't seen before.
And well, tell us what it looked like and why it was the most aggressive operation you'd seen from China. One, it was sort of a direct path to the crown jewels for a lot of organizations.
So if they use this, right, they don't necessarily have to make their way through the network and do a lot of other activity because they can go straight in to where you are, you know, storing a lot of your intellectual property and intelligence-related information, right? Or this stuff, it was sort of like a beeline to the heart of the problem. But the other thing that was interesting is that there was a patch issued.
And what we saw was a sudden global spray of the zero day across many, many targets, as many targets as they could get their hands on. And they were essentially leaving a backdoor, like a foothold in these systems so that they could revisit when they had enough time.
And that was one of the most reckless and globally significant attacks I've ever seen because you essentially left a door open on millions of systems. The other interesting thing about that zero day is from a criminal perspective, it had tremendous criminal viability because you can leverage access to the exchange servers to deploy ransomware.
You can just steal a bunch of valuable stuff and extort people for that. So again, you've got a beeline to highly valuable information that you can monetize.
And so this was a sudden crisis, not just from the original users, but any potential follow-on users. And we had to essentially make sure that people were moving really quickly on patching and raise that alarm.
I've never even seen the alarm raised like that in any other situation. I can't think of.
That was John Hultquist. Now, it's easy to get lost in the technicality here, but really, it's hard to overstate the magnitude of this attack.
In the real world, it would be like spies or mercenaries robbing thousands of American homes and dousing them with fuel on the way out so that any digital arsonist with a match could come back at any time and burn it all down. The situation was so dire that the Justice Department did something it had never done before, authorizing one of the broadest FBI search warrants on record.
The warrant gave the FBI the ability to covertly go into any infected Exchange system, patch it, and remove China's backdoor.

Now, it's important to note here that this was a tad controversial, and there were many who screamed government overreach. But given the severity of China's attack, the potential for mass disruption, most privacy activists seemed to give the government a pass.

And that attack, I'm sorry to say, was just the opening salvo.

Here's Kevin Mandia.

China's brought the A game and they've changed. And usually when you see these kind of shift changes on offense, oh, their doctrine's changing. Something's changing over there. All I know is somebody made a decision to up them a notch. And we have a gradual incrementalism of aggression on offense out of China over the last few years. And it's going up every year. They're no longer the most polite player in cyber. Their techniques are far more innovative and improved than even three years ago. China is the winner in innovation, and you see what happens when they win. You get 75 zero days in a year.

So far, we've trained our eye across the Pacific, but as all this was going on, there was arguably a far more sinister disturbance in the digital world order. One that experts in industry and classified government SCIFs were watching with horror.

Officials are investigating if hackers carried out a nightmare scenario, taking down a power grid. The CIA and security firms are investigating whether Russia is behind the cyber attack on a power grid in Ukraine. Russian hackers are stepping up attacks on behalf of the Putin regime.

When digital historians look back, there's no doubt that December 23rd, 2015 will go down as the day everything changed. That day, just ahead of Christmas Eve, Russian hackers crossed the digital Rubicon, shutting off power to Western Ukraine. And for good measure, they shut down emergency phone lines too.
The power wasn't out long in Ukraine, less than six hours. But it was just long enough to send a message.
We can shut you down at any time of our choosing. They followed it up one year later with a second cyber attack on Ukraine's power grid.
Only this time, they shut off power to the nation's heart, Kiev, in a display that made the White House wince. Until that point, covering these attacks was like watching an international game of chicken.
With every new attack, you watch spy agencies pushing, pushing, testing for that red line that never came. But Russia's twin attacks on Ukraine's grid changed the whole game.
This careful gentleman's game of spy versus spy had come to an abrupt end. We were no longer in the gray zone.
We'd entered the red zone. Looking back on Russia's twin attacks on Ukraine's grid and some of the attacks that followed, it's a little like reading the tea leaves.
Maybe if we'd spent more time connecting the dots, we could have foreseen Putin's 2022 military invasion earlier. Certainly in Beijing, officials watched Russia's cyber attacks and the absence of any serious international response with keen interest.
Here's Jen Easterly again, who led the U.S. Cyber Defense Agency, CISA, under Biden.
And to your point on Ukraine, I would just comment that I think we all need to recognize that the defense of Ukraine is the deterrence of China.
China is watching very closely whether we end up just giving up on Ukraine, because it sends a message to what our political will would be in the event of an invasion or a blockade of Taiwan.

But China had already been laying the blueprints for their own attack. Most people just missed it.
But I think if you go to what the Chinese themselves have said, what is in their doctrine, it's pretty clear that the strategy is about holding U.S. critical infrastructure at risk in order to deter our ability to marshal military might and citizen will.
So this is really about inducing societal panic and chaos. And that would be the result of water systems being polluted or inaccessible, transportation lines being derailed, communication systems being severed, pipelines exploding.
If they're willing to sink U.S. aircraft carriers, then they're going to be willing to turn off U.S.
energy supplies and pipelines and refineries and go after factories. So in my estimation, I think much of what we may see in a Taiwan environment from the PRC is inside Taiwan, very much an intel-gathering, maybe disruption-of-services effort to support sort of military activity, along with disinformation and misinformation and all of those avenues.
I think the thing that is fundamentally different here that we are most concerned about is the implications for the U.S. homeland.
And that I think is something that we didn't see, we were certainly concerned about in Russia, Ukraine. You know, since I had the Shields Up initiative, we were doing all kinds of messaging from the White House while I was there to make sure that everyone was taking the potential risk seriously.
I think similarly, that's where we're at today in thinking about the PRC issue, with the one difference, which is we know that they're on critical infrastructure today. We see it in the transportation sector, we see it in the water sector, we see it in the communication sector, we see it in the energy sector. And the worst day is an everything, everywhere, all at once scenario: that all of a sudden, you know, some other factor or thing happened in the environment.
All of a sudden we see disruption in multiple sectors simultaneously with services to the American public going out. The everything, everywhere, all at once cyber attack.
That's in two weeks on the next To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode.
And if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubrik in partnership with Pod People with special thanks to Julia Lee.
It was written and produced by me, Nicole Perlroth, and Rebecca Chasson.

Additional thanks to Hannah Pedersen, Sam Gebauer, and Amy Machado.