Ep 2: Then They Came for Us

March 17, 2025 | 34m | S1E2
Google discloses its hack and points the finger squarely at Beijing, which spells the end for Google’s business ambitions in China. Other victims stay silent, too fearful to offend the gatekeepers to the world’s largest market. Nobody will talk. Until they came for The New York Times. In Episode 2, host and former lead cybersecurity and digital espionage reporter for The New York Times, Nicole Perlroth outlines what happened when she learns hackers are inside the Times. Mandiant is called. The malware traces back to a Chinese military unit based in Shanghai. Hackers’ digital crumbs make clear they are after one reporter: David Barboza. Just as he is putting the finishing touches on a massive, years-long investigation on the secret wealth of Chinese leaders and their families. Nicole recounts the behind-the-scenes build-up to the hack that started edging victims into the light.


Full Transcript

Google is threatening to pull out of China over computer attacks that pried into the email accounts of human rights activists. Google also says it will stop censoring its search results in China.
The government bans politically and socially sensitive content. The change of heart had people leaving flowers at Google's Beijing headquarters.
And President Obama says he backs the right of Internet freedom in China. Another sign of support, bouquets of flowers appeared outside Google's headquarters in Beijing.
China's government has refused to comment specifically on the issue, other than to say it wants to foster a healthy Internet community according to their laws and regulations. Google, the search engine, making some major changes in China.
Google may pull out of the country completely because of China's censorship rules, the announcement triggering an outpouring of concern from internet users in China, supporters even placing flowers and notes at the company's locations in China. It's January of 2010.
Google has just come forward. They publish a blog post announcing they've, quote, detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China.
The uproar is immediate. But rather than trigger an avalanche of disclosures, things went the other way.
China is slamming Google for pulling out of the communist country. Google's moving operations to Hong Kong in a battle against Chinese censorship.
China called Google's move to Hong Kong totally wrong, says the search engine broke promises to play by the government's rules. Most of Google's China-based web search functions have moved to Hong Kong.
This tap has opened a new phase in the two- long battle over censorship. It's pitted the world's most powerful internet company against a government that tightly restricts the flow of information in the planet's most populous market.
Google versus China in a censorship fight. The internet giant makes a move and starts to pull out of China.
Felicia Taylor in New York with the details. So Felicia, so does Google's Chinese website still exist? Yeah, absolutely, Kira.
It does still exist, but it actually only redirects users to its site in Hong Kong, which is uncensored. Microsoft and Yahoo continue to chip away ever so slightly at Google's huge search market dominance.
And of course, Baidu might really be the only game in town in China if Google really does eventually pull out. Google pulled its search engine from China, handing billions in revenue to Google's main Chinese competitor, Baidu.
The result was a profound chilling effect. The lesson other Chinese hacking victims took from this was, keep quiet.
Don't offend the gatekeepers to the world's largest market. It would be years before another company came forward.
Google's is the breach that just gets worse the more you learn. This wasn't just some Chinese hackers gone rogue.
Months after Google went public, WikiLeaks dumped a U.S. embassy cable that described just how high up the chain of command this went.
Google's hack had been orchestrated by a senior member of China's Politburo, the equivalent of a U.S. cabinet member.
Apparently, he Googled himself, found the results to be unacceptably unflattering, and ordered a hit on the company. According to this cable, quote, government operatives, public security experts, and internet outlaws recruited by the Chinese government took it from there.
WikiLeaks has released new State Department cables to point the finger at the Chinese government for a series of cyber crimes. The messages showed U.S.
contacts accused Chinese officials of ordering hacking against Google. Well, diplomatic cables released by WikiLeaks opened a window into a controversial censorship battle in China.
According to the cables, China has been hacking into U.S. government and Google computers for nearly a decade, and the hacking of Google has allegedly been overseen by top officials in the Chinese government.
But there's still one element of the breach that Google and U.S. officials were cagey about.
Still are. And it wouldn't surface for years after the attack.
Three years after Google outed its own breach, Microsoft offered a starkly different post-mortem.

Google's hackers hadn't just gotten access to Chinese activists and dissidents' Gmails, they'd gotten access to a counterintelligence goldmine. I'm Nicole Perlroth, and this is To Catch a Thief.

You may recall that last episode, Heather Adkins, who ran point on Google's breach, mentioned that governments have, quote, front door kinds of ways to access its users' Gmail accounts. If they've got evidence that a Gmail user is engaged in a crime or some kind of national security threat, say they have reason to believe a Gmail user is actually a Chinese spy, they'll serve Google with court orders demanding it give the government access to their Gmail account.
Well, according to Microsoft, the Aurora hackers got access to the very system the U.S. government used to lawfully intercept Gmail accounts.
This is important, and it will come up again when we get to a very recent Chinese espionage campaign. But for now, what you need to know is this.
China has a keen interest in knowing who the U.S. government is targeting with these lawful intercept requests.
They'd especially want to know if any Chinese agents' covers had been blown. And they could get that intelligence one of three ways.
Option one, they could recruit an informant at the FBI or a U.S. intelligence agency.
Difficult, but not impossible. Option two, they could hack these agencies, equally difficult perhaps.
Or option three, they could hack into Google and watch the watchers. And that, according to Microsoft, is precisely what Aurora's hackers did.
None of this was mentioned in Google's blog post, by the way, and Google's leaders have never spoken publicly about it. Still, the fact Google went public at all was momentous.
But in the silence that followed, the hacks only escalated. That group behind Google's hack would go on to breach thousands more victims.
But sometimes these breaches were too big or too serious to keep quiet. One year after Google, the very same hackers came for the security world's keys to the kingdom.
They hacked a company called RSA and stole the keys to their core security product: RSA's multi-factor authentication devices, the ones used by millions of employees at companies all over the world to log into their corporate networks.

And so it's kind of like they broke into the locksmith's office first, got the skeleton key, and then broke into this company HQ.

How did they do that?

It's unclear. RSA isn't giving a lot of details about how it got hacked, and neither is Lockheed saying much.
But there's a lot of talk of what's called advanced persistent threat. With RSA's keys in hand, China's hackers were able to leapfrog from RSA into its customer networks at high-value targets like Lockheed Martin.
That same group, they're still hacking today, by the way. In 2023, they came for Microsoft.
Using a similar MO, they leapt from Microsoft into its customers' email accounts. But this time, it wasn't dissidents' emails they were after.
It was the emails of senior officials, including the U.S. ambassador to China, Nick Burns, and Commerce Secretary Gina Raimondo.
They downloaded 60,000 emails from the State Department alone. All told, they read through emails belonging to more than 500 people at 22 different organizations, all through this one hack of Microsoft.
But back to 2010. Aside from Google, few victims ever stepped forward.
Hacking was treated as a crime of shame. As a reporter at the New York Times, trying to get these companies to go on the record was a fool's errand.
Nobody would talk. That is, until they came for us.
In the fall of 2012, I got a tip that there were hackers inside the Times. Outside of our security team, almost no one at the paper was aware of the hack.
I was told, tell no one. Our security team had made the oh shit call.
They brought in Mandiant. Their analysts traced the malware back to a familiar foe.
A group Mandiant internally called APT1. It was a particularly brazen unit of the Chinese military based in Shanghai called Unit 61398.
Our immediate concern was sabotage. This was just two months ahead of the 2012 presidential elections.
Our security team was worried this might be an attempt to mess with our coverage. I embedded with our security engineers and watched the hacker we affectionately came to call the PLA summer intern.
Every day, they'd roll into our networks at 9 a.m. Shanghai time and roll out around 5.
They'd phished us. And then they'd started moving laterally, making their way through 53 of my colleagues' computers.
Out of an abundance of caution, our IT team confiscated every one of those machines. Confused colleagues would show up to work and find post-it notes where their computers had once been.
These notes just said, we have your computer, signed IT, without further explanation. Tracking these hackers, I got a sense for Heather's paranoia.
There were some nights I'd return home to my empty apartment and wonder if these Chinese hackers had followed me home. When my cable box started making strange sounds, I convinced myself hackers were inside.
But based on hackers' queries and other digital crumbs, these hackers weren't there for me. And they weren't there to shut us down.
At least not yet. They were after our sources.
And the sources for one reporter in particular. Right, right.
So David Barboza, and I'm a former New York Times correspondent. The very same month I got the first tip about the Chinese hackers in our systems, David had been putting the finishing touches on a massive, years-long investigation about the secret wealth of Chinese leaders and their families.
Clearly, the party was on to David's reporting, and they were after his sources. But the irony was that his investigation wasn't based on a deep throat.
It was based on reams of documents hiding in plain sight. And so I actually wanted to do this story looking into the secret wealth of Chinese leaders for four or five years, but I didn't think I could get the documentation.
But I had collected really in paper notes over years, many dinner discussions. I would go back home and I would write some notes.
I heard this about the prime minister's family. I heard this about another Politburo standing committee member.
I heard this about how they had this secret wealth through private companies and public companies.

So eventually, by 2011, I had talked to the editors and I said, I'm going to try to figure out whether there are documents and evidence to prove what I've been hearing about year after year in private meetings with friends and with business people, that there's this huge amount of secret wealth in their hands. I was a documents person.
I had written about Enron and others. I love documents and corporate records.
And I actually mapped out like everyone who had been on the Politburo or the Politburo Standing Committee for the last 20 years. And I ended up focusing on the prime minister at the time, Wen Jiabao, because I had so many notes about him.
My friends had met his wife, who was called the Diamond Queen. I had heard about his son, who was in private equity and worked with Goldman Sachs and others.
And to be honest, I was hoping to find two to three million dollars worth of hidden money. I never imagined that we would end up with two to three billion dollars.
And that was our conservative estimate. David was able to trace the flow of funds through a maze of shell companies to Wen Jiabao's relatives.
Inside China, this was precisely the kind of story that puts a reporter, their family, and their research assistants in danger. Any foreign correspondent, especially for an American outfit, would know that when you're in China, you are followed.
State security has assigned people to follow you, to interview your research assistants, to camp out sometimes in front of your building to see where you come and go, to take them to tea, to ask them, what is David reporting on? Where is he going? So the entire time I'm in China, I know I've been followed many times. Our car has been tracked from hotels.
When I check into hotels in China, I give them my passport, which says I'm a journalist, and therefore the next morning state security or public security is there, and they might follow me for the day. They are very concerned with what you're writing about, and there's no concern greater than the personal lives or the families of the leaders. If you're going to be dealing with anything about leaders and their families, you're going to be really a top target of the Chinese government.
We know not to make phone calls, not to meet people that give away what we're working on. I didn't even want my New York Times colleagues in Beijing to know what I was working on, because if they mention it to someone that they meet, then this is a really... I knew by 2011, but especially by 2012, my life is in danger.
They could easily kick me out. But also, my wife is a Chinese citizen.
This is a super sensitive topic. And I remember calling one of our lawyers and telling him about this story.
And he said to me, your life is in danger before you publish. That is going to be the most dangerous time for you before you publish this article.
As David was finalizing his reporting, the Chinese Communist Party was changing hands. In 2012, the party named a new general secretary, Xi Jinping.

Less than six months later, Xi would become president. Xi had fought his way through the party ranks with impeccable discretion.
That meant no one could say for certain what type of leader he would be. But very soon, it became clear that Xi was determined to consolidate power.
Xi was haunted by the collapse of the Soviet Union. He referenced it in speech after speech and blamed the collapse on Gorbachev's democratic reforms and political liberalization.
For Xi, the lesson was this. For a party so large to stay in power, it would have to demand total obedience and control.
Under Xi, the CCP started clamping down on foreign press. In speeches, party leaders took to calling Western reporters, quote, hostile foreign forces.
Reporters started getting roughed up, even detained, for covering something as seemingly innocuous as a Chinese film festival.

Human rights groups say that China's government is engaged in the worst crackdown on dissidents in decades. Activists, professors and journalists have all been detained this year alone.

Excuse me, you have no right to do this to us. So we're sitting here, they're surrounded by police.
The protest was a peaceful protest, so it's unclear why. In fact, they rushed on us like this.
Our own researchers in Beijing had been arrested before. Nearly a decade earlier, a Chinese Times researcher was arrested after the paper published a story about the imminent retirement of a senior party leader.
The information hadn't even come from the researcher, but he was sentenced to three years in prison regardless. What David was now doing, reporting out the secret wealth of China's prime minister, is as dangerous as it gets.
China's whole regime is predicated on a kind of grand bargain. So long as Chinese citizens see their lives materially improving, they're willing to stomach a certain level of authoritarianism from their leaders.
But corruption, that can throw a wrench in the whole arrangement. Corruption, or even just the appearance of it, was the thing China's leaders feared most, arguably even more than the five poisons.
Corruption was the surest way to unravel the party's social contract with its people. And what David was reporting, not just corporate corruption, but corruption at the highest levels of Chinese governance.
That was a powder keg, precisely the kind of story that could sow societal unrest. The kind of story the party would do anything to bury.
I know this is going to be the most dangerous thing I do, that my wife and myself are somewhat at risk. So my goal early on was no phone calling, very careful like strategy of rather than calling up people and saying, can I talk to you about the prime minister's wife who's in the diamond business? My strategy was, I think I'm going to do a story about the diamond business.
And I'm going to ask people about the diamond business and then say, by the way, who is this woman? So, you know, how do you round about, try to understand areas and then touch upon the thing without going directly for it? So I had a pretty complicated strategy going into it. But a key part of that was do not let people know what I'm doing.
And if you looked through my reporting of 2012, I think I wrote 50 or 60 stories outside of this project just to sort of make people think I'm doing my regular job. But over that same time period, David starts requesting documents from the Chinese government.
Documents about Wen's family members and their stakes in several private Chinese companies. So imagine like we're getting a set of documents in, it's coming from the Chinese government, it's stamped, it's coming in the mail.
We open it. It's in Chinese.
And we're like, wow, in these documents, here's the name of the prime minister's wife. Here's the name of the other relatives.
Here's their ID number. Here is their resume.
Is this a trick? Do they know that we're looking at this? In about May of 2012, we started to notice that maybe someone was on to what we were doing. And people started to question our driver, the New York Times driver for the Bureau in Shanghai, and some of my colleagues.
And so in July of 2012, I said at the Times, we're quite nervous. We think they're on our trail. We don't know for sure, but they're asking questions. I think I should come back and finish the article in New York.

David starts shoving sensitive documents in safes. He shreds any he doesn't need.

Over the next few weeks and months, he carts suitcases chock full of documents from Shanghai to New York, then Tokyo, until he approaches something close to a final draft. I was going to ask, what's going to happen at the airport if anyone opens the suitcase? They would be like, wow, your Chinese is really good.
Because it was all in a lot of Chinese documents. That September, unbeknownst to David, the hacking begins.
But his anxieties were elsewhere. I just scrambled every day thinking, if I get anything wrong, it's the end of my career.
Believe it or not, the scariest thing for me about this story was not that the Chinese government was going to capture me or arrest me or kill me. The scariest thing was that the New York Times was going to capture me and kill me because I had gotten something wrong about it and that I would have no career.
So I had both the excitement of this great story, but also the fear that a lot can go wrong when you're dealing with this many documents in a foreign language with so many moving parts. Finally, David makes it to the home stretch.
He starts making calls. He calls the family members of China's prime minister and their business associates to walk them through everything he has.
We started to call the people who were involved with the family of the prime minister and get them on the phone, which was so important to, you know, it's great to do something based on documents, but you always need someone who's been involved with those documents to say, what do they mean? Do they mean what I think they mean? Is this true? And believe it or not, they talked to me. And they helped confirm some things.
Once those editors are confident the reporting's ironclad, they greenlight publication. But before the article goes live, David makes one final call to the powers that be.
The government was not happy, obviously, but we were going to publish. What was the most memorable part of that final conversation? The most memorable part was the editors told me we're going to publish that evening.
It was late in Tokyo. It was early in New York.
And I recall calling Qin Gang, calling the foreign minister, who was our window into China and the Chinese government. He'd already denounced me and the Times and said that we were damaging U.S.-China relations and we should not publish.
And I told him that we were going to publish within hours. And I remember him telling me, no, you're not.
And I thought, really? I think we are. And he kept saying, no, you're not.
And I said, I think we are. It's not my decision.
I think the editors are already decided they're going to publish. And I remember him saying, don't do it, David.
Like, don't, you're not, do not do this. And I kept saying to him, it's beyond my control.
We have everything we need and we're going to publish. I remember them telling me, this would have grave implications for your wife who's Chinese and for you in China, but also for the New York Times Chinese language site, which they had just started.
It might have been six months in operation. At this point, Chinese hackers were deep inside the Times.
Back in San Francisco, I'd been tracking them, all for what I'd hoped would be a story detailing their assault on the paper. But my bosses were emphatic.
I couldn't publish anything until we'd found and sealed up every last Chinese backdoor. And I was still under strict orders not to tell anyone what I was working on.
They worried any internal chatter would tip off our Chinese interlopers. While I stayed in this holding pattern, David published his story on October 25th, 2012.
The CCP immediately blocked mainland access to the Times and shut down our new Chinese language site. Now China has dismissed as a smear a New York Times report which claims that Premier Wen Jiabao's family has become rich during his term in office.
The newspaper says its website has been blocked in China following publication of the story. It was only after David's story published that the two of us finally spoke.
I'd assumed someone else at the Times had let him in on the fact that Chinese hackers were crawling through his emails. Nope.
I remember dialing you, thinking, how am I going to do this? Because if they're inside his email, they're most certainly recording this phone call. So I remember calling you.
Yes. And I remember saying, David, hi, this is Nicole Perlroth.
We haven't met yet. I'm the cybersecurity reporter in San Francisco.
I think you know why I'm calling. And I, do you remember what you said? No.
You said, I have no idea why you're calling. No one had actually bothered to tell you, or perhaps were too afraid to tell you over phone or email that Chinese state-sponsored hackers were inside our computer systems, inside your inbox at that very moment, reading all of your emails and that they had been into our systems for several months.
I remember all through 2011, 2012, I had refused to use the New York Times, David Barboza at NYTimes.com or whatever, Barboza at NYTimes.com. I was using Gmail because I thought it was better and safer, which really annoyed the editors.
And I remember when we were finishing my article, they said, will you stop using this Gmail and put your stuff on the New York Times account, which is exactly the account they hacked, right? So when they hacked into my account, they probably were like, why is this account so empty? Why isn't this guy, where are his sources?

After David published, he got to work on a follow-up story. And I remember the editor saying, you cannot go back to China to pick up your things and pack until you publish the second article.
And it was almost comical to me that after we published the second article, the Times was like, okay, you can go back to Shanghai. Like we have the articles. You can go back. Great work.
And I went back and I didn't realize it, but they had arranged for a New York Times reporter, Andy Jacobs, to cover my arrival back in China and possibly my arrest. And so as I touched down in Shanghai from Tokyo, the Times had the expectation I very well could be arrested at the airport.
I went through customs. No one said anything.
My driver showed up. I was going back home, and I got a call from Andy Jacobs saying, did you arrive? And I said, I arrived.
He said, well, where are you? I said, I'm at Hongqiao Airport.

And he said, oh, I'm at Pudong Airport. He was at the wrong airport.
So I thought, great, Andy. So if I was arrested, you were supposed to cover my arrest, but there's no one there at the airport when I was actually cut off.
But I went back to China. Strangely, I was able to renew my visa.
I think the Chinese government basically did not want to make a rash, quick decision, and they let me renew. And then it became awkward to kick me out.
New York Times reporters were not allowed to enter China after the story, but those in China were not kicked out. And for three more years, I continued to report.
I did get lots of death threats. And at the end, you know, by 2015, Lynn and I, my wife, knew it is too dangerous.
They're basically having people call us saying they're hitmen and they're going to murder us and our children. So then it was clear, like, we have to leave.
Wow. But back to that fall of 2012 at the Times, it took four months to kick the PLA out of our systems.
We knew we couldn't hit publish on my story until we kicked out our hackers for good. By January of 2013, we were ready to move forward.
But some on the masthead were getting cold feet. With my story written, edited, and ready to go, I was summoned to a call.
One editor asked, why exactly are we publishing this story again? Another worried what our competitors at the Wall Street Journal and the Washington Post would say. These questions went above my pay grade, but I told them, I don't think they're going to say very much because there is a very high likelihood that they've been breached too.
I told them about the two types of companies. I explained that everyone was hiding these breaches, and made the case that as a news organization, we had a unique obligation to come forward.
That argument seemed to win the day, and to the Times' eternal credit, they decided to publish. After that, there was just one last call to make to China's government spokesman.
It was critical to give them a chance to respond. The party came back with a full-throated denial, but they'd added a dig.
Quote, to accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless. That one would come back to bite them later.
We hit publish. It's a story that's hit home.
The New York Times reporting on a cyber attack on its own computers. For the last four months, Chinese hackers have persistently attacked computers here at the New York Times.
The paper says the hackers stole reporters' passwords and hunted for files on an investigation into the wealth amassed by the family of a top Chinese leader. Almost immediately, those competitors we were worried about, they came forward too.
The Washington Post. The Washington Post said it first discovered it was the victim of a sophisticated cyber attack back in 2011.

The Wall Street Journal. China being accused of hacking into two prominent U.S. media companies, the Wall Street Journal, and the day after, the New York Times addressed this issue as well.
I suppose being accused of being hacked into, it's like a badge of honor. Suddenly, it was like you weren't even a legitimate news organization if you hadn't been hacked by China.
Here's Kevin Mandia. The New York Times going live really made the difference.
Washington Post followed suit, Wall Street Journal, everybody, you know, kind of came out after that. And it became okay to say that you had been compromised by Chinese cyber espionage.
But 2004 to 2011, it really was just sort of a thing that didn't get announced. Once the New York Times came out, the floodgates opened.
That two types of companies refrain. Those who've been hacked by the Chinese and those who don't yet know they've been hacked by the Chinese, it suddenly felt a lot more real.
But China's surveillance apparatus, the one it honed on Uyghurs, the five poisons, the dissidents, journalists, it was only the means to achieving an end. Control, obedience, that was only step one.
What the party long sought was economic supremacy. To move China from the world's manufacturing closet to an innovator in its own right, a superpower.
To pull off that pivot, that would require the crown jewels of capitalism, intellectual property. And lest we forget, Aurora went far beyond emails.
With Google, it was a simpler case that there were dissidents using Gmail, activists, Tibetan activists and the like, and they wanted to get access to their email inboxes, potentially identify people in China that they could target. So a very dire situation, obviously, for those individuals, but not clear that there was sort of a broader national security or economic security issue.
But as we started looking at, even within Aurora, the victimology of that group, yes, there were defense contractors and clear national security use case there, but there were also straightforward technology companies. They were manufacturing companies that were part of that victimology.
And it was clear that there were no dissidents to target in those companies, that there was no state secrets, that it was just straightforward IP theft. Intellectual property theft, stealing research, trade secrets.
Sit with that for a second. These aren't market competitors we're talking about.
This is a world power, a nation state coming for private American companies. Because why spend decades and billions of dollars on your own R&D when you can just hack it.
That's next on To Catch a Thief. There were breaches against, I think, thousands of companies who had this valuable intellectual property that essentially went out the back door.
I've done my 10,000 hours of forensics on these systems, and it was alphabetical. I mean, I hate to say it, these guys were gaining access to machines and just going through the directory that started with A and then the directory that started with B.
And they didn't take by file. They just took the whole directory.
I used to call it the tank through the cornfield. You know, it was just mowing down files and taking as much as they could.
Follow to Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show.
To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia Lee. It was written and produced by me, Nicole Perlroth, and Rebecca Chasson.
Additional thanks to Hannah Petterson, Sam Gebauer, and Amy Machado.

Editing and sound design by Morgan Foos and Carter Wogan.