Show Notes

Cold Open

The following presentation is not suitable for young children. Listener discretion is advised…

A quick note before we get started. This is part one of a four-part series, which charts how China built one of the world’s most advanced cyberwarfare programs. You don’t necessarily have to listen to these episodes in order, but you’ll get more out of it if you do. And now…on with the show.

In 2003, Universal Studios Orlando hosted more than six million visitors, enjoying rides based on properties like Jaws, Back to the Future, E.T., and of course Fear Factor

SFX: roller coaster

Or SFX from each of those examples? 

But if you left the park and took a short walk down the street, you’d find a cluster of office buildings and factories that are collectively called Missiles and Fire Control Orlando.

Like its name suggests, MFC Orlando is one of more than 10 facilities where the defense contractor Lockheed Martin tests missiles and bombs for the United States military. 

So, if you’ve ever wondered who makes it possible for a stealth bomber to drop a laser-guided bomb down a (wrongfully) suspected terrorist’s chimney, it’s the fine folks at Lockheed Martin. 

One day, in the summer of 2003, the computers at MFC Orlando suddenly started shutting down. Worse, they couldn’t be booted back up.

All over the complex hundreds of MFC Orlando’s scientists, engineers, and administrators collectively cursed. Their research, all of it proprietary and worth billions of dollars, was inaccessible.

Obviously, that alone was a huge problem. But the fact that so many computers were affected in the same way pointed to an even more dire possibility: MFC Orlando had been hacked.

So, MFC Orlando’s president got on the phone with MFC headquarters in Dallas. They passed it up the chain to Lockheed headquarters in Bethesda. There, it was decided that the IT team from Sandia National Laboratories would be sent to put out the fire.

Sandia is a Department of Energy lab, but at the time it was run by a Lockheed Martin subsidiary, making it yet another tentacle of the behemoth that is Lockheed Martin. Located in Albuquerque, New Mexico, Sandia does nuclear weapons research. It also had one of the best IT departments in the entire corporation. So, a team of cybersecurity analysts from Sandia were on the next flight to Orlando. 

One of them was Shawn Carpenter. He was 35 and still trim from his six years of service in the US Navy. These days, he was one of the many mid-level employees who kept Sandia safe from cyberattacks. 

The corporate life suited him fine. After all, Sandia was where he’d met his wife, Jennifer Jacobs. She was a nuclear scientist and Army reservist. At Sandia, she specialized in nuclear counterproliferation, as well as port and border security issues.

But even though Shawn had taken to the corporate life, at heart he was always a service member. He’d taken a vow to protect his country, and he took that seriously.  

When Shawn and his colleagues arrived in Orlando, they quickly got to the bottom of the shutdowns. It was indeed a hack. Someone had penetrated MFC Orlando’s network and installed rootkits on its machines. This gave the hacker a persistent back door into the facility’s systems, which they could use to siphon off files. Shawn’s team found several compressed and encrypted files “awaiting exfiltration.”

Shawn and his team expertly removed the rootkits and plugged the breach. Next, Shawn wanted to hunt down the bastards who did it. 

Back in Albuquerque, Shawn met with his supervisor and Sandia’s information security manager. 

This wasn’t some gang of criminals or bored teens. These were professionals, likely state actors. I think it might be China, and I think we’re not the only ones being hit. We need to hack them back. 

His supervisor and the information security manager shared a look. 

Shawn, hacking back is illegal, the manager said. And even if you did hack back, it would likely lead to more hacks against Sandia.

But you’re always telling us to “think like world-class hackers.”

Shawn, bottom line, we don’t care about any of this. We only care about Sandia computers. 

Shawn was pissed. 

That night, Shawn discussed the problem with Jennifer over dinner. He knew that his superiors were being naïve. The attacks would keep coming regardless of what they did. And it was likely others were being hacked as well.  

Shawn had a choice. Should he obey his company? Or should he investigate for the good of the country—even though he had no official authority to do so?

You have to keep looking into this, Jennifer said. It’s what we’d want someone else to do.

His mind was made up. 

After dinner, Shawn went to bed early and set his alarm for 2 a.m. When it rang, he got up and went to his home office, where he had six computer monitors set up. He poured himself a cup of coffee, popped a piece of Nicorette gum, and began the hunt for the hackers. At dawn, he’d head to work at Sandia. He wouldn’t be telling them about his side project. 

Shawn didn’t know it, but his search would take him to the highest levels of state-sponsored cyberwarfare—and nearly cost him everything. 

On this episode: defense contractors, military secrets, hacker vigilantes, and the origins of China’s cyberwarfare program. I’m Keith Korneluk and you’re listening to Modem Mischief.

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Titan Rain.

Act One

Three, two, one, fire!

SFX: Missile launch.

The MTCR-class missile blasted off from its transporter erector launcher, which was parked in a field at the Leping military base in China’s southeastern Jiangxi province. 

The short-range, surface to surface missile was capable of delivering a nuclear warhead, but today it was unarmed. 

Through binoculars, Colonel Wang Xiangsui watched the beige and black missile blast into the summer sky.

The colonel was short and slim with thinning hair, and looked more like a college professor than a soldier. As the missile disappeared from view, Wang put down his binoculars and frowned.

This was the sixth successful missile test in six days. He should have felt proud.

But what was the point?

The missiles were aimed at a series of uninhabited volcanic islands about 85 miles north of Taiwan. So far, all but one had hit their targets. 

For those not up on their Chinese history, Taiwan is an independent island nation off the coast of China, and an ally of the US. 

China, on the other hand, doesn’t consider Taiwan to be an independent country and refers to it as “The rogue province.” 

The following March, Taiwan would hold its first direct presidential election. The frontrunner, incumbent President Lee Teng-hui, had just made a speech at his alma mater, Cornell University. In it, he’d repeatedly referred to Taiwan as a republic. It was a provocation.

In response, China sent 150,000 members of the People’s Liberation Army to the coast. It was a show of force, meant to threaten Taiwan into submission.

Of course, China denied it, claiming that all countries have the right to hold military exercises. 

Colonel Wang was one of those 150,000 soldiers. He’d made a career out of studying and improving China’s missile technology. 

These missiles were the best in China’s arsenal. But Colonel Wang also knew that a few hundred miles away, in the East China Sea, an American aircraft carrier group was observing their tests. And another aircraft carrier group was on its way from the Persian Gulf. 

Colonel Wang was well aware of how devastating just one carrier group could be. With its escorts and dozens of strike aircraft, not to mention radar and satellite support, it could see everything Wang and his comrades were doing. And if Colonel Wang got the order to actually launch his missiles at Taiwan, the carriers could easily shoot them down.

This was America’s show of force. So, here he was, trying to intimidate the Taiwanese, while Taiwan’s much more powerful ally was watching. 

It all seemed so futile. 

But these missile tests and military exercises in July 1995 would prove fateful for China’s military. All because Colonel Wang made a friend. 

His friend’s name was Colonel Qiao Liang. He was also an air force officer. 

They met at some point during the exercises.

Like Colonel Wang, Colonel Qiao was in his 40s, but he was taller and had a more muscular build. He was a political officer, meaning he was assigned to Chinese military units to monitor the politics of their soldiers, and make sure they stayed obedient to the Chinese Communist Party.  

Qiao spent his spare time writing military thrillers, cheap airport paperbacks in which the Chinese military triumphs over its western aggressors. Think Chinese Tom Clancy.

Like Colonel Wang, Colonel Qiao was skeptical about this show of force. Both men knew that traditional military strategies wouldn’t work against the technologically superior United States. They knew China’s approach to warfare had to change.

The colonels kept in touch. Over the next four years, Wang and Qiao would analyze America’s weaknesses and brainstorm ways to exploit them. These discussions became the basis of a book that would be titled Unrestricted Warfare. 

In it, the colonels began with a frank analysis of China’s technological capabilities. In the late 1990s, China lagged far behind the US and other western nations—in manufacturing, in military tech, in Internet infrastructure. You name it, China was at a disadvantage. 

China needed to catch up and catch up quickly. Easier said than done. China’s Communist Party only began to allow its citizens to start their own businesses in 1978. By that point, Americans like Steve Jobs and Bill Gates were already building the first personal-computer companies. 

In their book, Colonels Wang and Qiao argued that China should use any means necessary to catch and surpass the US. 

Their book discussed a wide variety of ways China could undermine the world’s number one superpower, none of which included direct military confrontation. Trade wars. Legal battles. Industrial espionage, and more. 

One section speculated that an extremist terrorist—like Osama bin Laden—could destabilize the US with an attack. Like, say, causing a massive explosion at the World Trade Center. 

That’s right, the colonels essentially predicted 9/11 two years before it happened. When the book was published in America in 2002, it had a picture of the World Trade Center engulfed in flames on the cover, along with the inflammatory title: Unrestricted Warfare: China’s Master Plan to Destroy America. 

One of the most important sections of their book concerned cyberwarfare. In it, Colonel Wang and Colonel Qiao argued that China should carry out an extensive hacking campaign against America and its allies.

These hackers wouldn’t be actively hostile. They wouldn’t try to sabotage industrial systems or destroy computers. They would infiltrate American computer systems and steal as much classified research data as possible. The Chinese military and corporate sector could then incorporate this data into their own research programs. 

The colonels insisted that China should use every available hacker to carry out these ends—soldier hackers trained by the military, civilian hackers with patriotic sensibilities, or even criminal hackers only interested in cash.  

In February 1999, the People’s Liberation Army published the Colonels’ book, under the title Unrestricted Warfare. It was an instant hit among China’s military intelligentsia. As a result, the People’s Liberation Army began devoting more and more resources to computer hacking. 

The United States was almost immediately aware of these developments. American military intelligence got hold of Unrestricted Warfare shortly after it was published and translated it into English. 

But while it was circulated among American military scholars, the news that Chinese hackers were coming for America’s networks didn’t filter down to mid-level military officers—or their corporate counterparts, like Shawn Carpenter. 

Meanwhile, China proceeded to beef up its cyberwarfare program. It converted old reconnaissance units into hacking squads. Or, it founded new hacking units entirely. Altogether, it invested in at least 20 hacking groups. 

One of these was Unit 61398. 

Before we launch into the story of Unit 61398, it’s important to note that we can’t really tell the story fully. Few firsthand accounts of life inside Unit 61398 have surfaced in western media. All we do have is snapshots, stories of a handful of individual members—maybe five to ten people out of thousands. 

But here’s what we do know. Unit 61398 is the cover designation for the Second Bureau of the Third Department of the People’s Liberation Army’s General Staff Department. The Third Department is the PLA’s signals intelligence arm, so breaking into foreign computer networks was a natural extension of what it already did.

Some years after the publication of Unrestricted Warfare in 1999, the People’s Liberation Army put up a new 12-story office building in Shanghai’s Pudong New Area. Finished in early 2007, it had over 130,000 square feet of space. Enough to house about 2,000 people.

This would be the new home of Unit 61398. 

From that nondescript 12-story office building in Shanghai, Unit 61398 would launch an elaborate and well-funded cyber-espionage campaign against the West. 

Unit 61398’s overall mission was simple: break into as many western computer systems as possible, and steal all the proprietary information they could.   

Some members of Unit 61398 worked directly with the People’s Liberation Army to steal military technology. Others worked with China’s industry to steal trade secrets. That’s right, China’s emerging industry could hire Unit 61398 to hack its rivals—an unprecedented level of cooperation between state hackers and the private sector. 

Over the next four years, Unit 61398 would grow to include thousands of military officers, hackers, and support staff. 

The military officers were career loyalists. Sun Kailiang was middle-aged and a bureaucrat. Gu Chunhui was a younger officer, one of the first generation of PLA officers who had grown up with computers. He understood their potential.

The hackers themselves came from all different walks of life. Some were lifelong soldiers trained to use computers. Others were young hackers who volunteered to work with the military—and we’ll cover China’s civilian hacker community in Part 2 of our Chinese hacking series.  Still others were young hackers who found themselves on the wrong side of the law—and we’ll cover them in Part 3. 

One was Wang Dong. He was in his early 20’s, and had been a child prodigy at computer programming. He was no soldier, but he hacked for the PLA all the same. Online, he went by the handle UglyGorilla. He was one of the unit’s most skilled hackers. He broke into servers all around the world, and left pun-laden messages for system admins to find—all signed with the initials “UG.” 

Another was 30-year-old Wen Xinyu. He went by the name WinXYHappy. He liked to read Western philosophy, play Angry Birds on his iPad, and listen to Beyond, a rock band from Hong Kong.

Another was Huang Zhenyu, who joined the team in 2006. He specialized in industrial targets, especially the iron and steel industries.  

Unit 61398 became operational in early 2003. They mostly relied on trojanized email, what we’d now call spear phishing, to gain access to computer networks: send a seemingly innocent message with a malicious attachment or link, and hope one target opens it. This was the early 2000s, after all. People were way less savvy about internet security. 

With enough patience, these attacks often worked. 

This was how Unit 61398 wormed their way into the servers at Lockheed Martin’s Missile and Fire Control Orlando facility—although, in the summer of 2003, Shawn Carpenter had no proof that China was responsible—yet. 

After fixing the MFC Orlando hack, Shawn returned to work at Sandia National Laboratories and continued his job as usual. At night, he continued his investigation into the hackers. Every night from 2 a.m. on, he hunted them. He’d slurp down coffee and chew up Nicorette gum until dawn, then go to work at Sandia. 

The hackers were difficult to track. They used multiple proxy servers to mask their identities. Whoever they were, they were professionals. 

Months went by with little progress. Then in the fall of 2003, Shawn was assigned to investigate another cyber-attack. This one penetrated Sandia National Laboratories itself. The hackers’ methodology was eerily similar to the hackers at MFC Orlando—a spear phishing attack, followed by rootkits. And once again, they were frustratingly difficult to track. 

Shawn suspected it was the same people. At one point, he reached out to an old friend from his military days. This friend now worked at the US Army Research Laboratory’s Center for Intrusion Monitoring and Protection. 

Off the record, his friend told him that these attacks were nothing new. Networks belonging to the US military and its contractors were routinely hit by cyberattacks just like the ones at MFC Orlando and at Sandia. 

But there was little proof that the hackers had actually stolen anything. Shawn knew there was little he could do unless he had solid evidence—proof that Chinese hackers had breached American systems and that they’d stolen sensitive material. 

Finally, ten months after he began his covert investigation, Shawn’s countless long nights of work finally paid off. 

Shawn had doggedly tracked the hackers from the United States to servers in Hong Kong. Those led to servers in Taiwan, which led to servers in South Korea. There, he used a password guesser to brute force his way in. 

What he found shocked him. There were beacons and hacking tools, as well as many, many gigabytes of data—millions of pages. Among them were blueprints and materials for two major Lockheed Martin projects: the F-22 Raptor, a stealth fighter plane commissioned by the Air Force, and the Mars Reconnaissance Orbiter, which was launched by NASA in 2005.

But this wasn’t even the final server. Shawn kept digging, until he traced the South Korean server to Guangdong, China. Here was the hub that linked all these servers together. 

Shawn installed code on the Guangdong hub that emailed him every time one of the hackers logged in. Two weeks later, he had over 23,000 emails. The hacking operation was much, much bigger than he’d thought. 

Shawn finally had what he needed to convince his superiors. He could hardly wait until morning. 

Hours later, Shawn called another meeting with his supervisor and his information security manager. This time, he came prepared with printouts. He began passing them out. 

I know who hacked us. The same people who hacked MFC Orlando hacked Sandia. And I found their server. 

And how the hell did you do that? the manager exploded. We told you to drop this!

I…did it on my own time. 

Did you hack anyone? That could expose us to legal liability, Shawn! 

Screw that! This is a matter of national security! Why can’t we just throw this over the fence to the feds and let them handle it?

Finally, the security manager spoke up. 

Shawn, if you want to have a career here, you’ll drop this. 

Shawn left the meeting in disgust. How the hell could he just forget about what he knew? When he joined the Navy, he swore an oath to protect his country. Now, one of his country’s biggest rivals was threatening national security. 

Shawn wasn’t about to give up. He knew what he had to do next. 

Act Two

So you’re some kind of vigilante, huh? the Army intelligence officer said with a smirk. 

Shawn already disliked him. Well, I couldn’t just do nothing. Look, do we have something here or not? 

Shortly after the disastrous meeting with his supervisors, Shawn was sitting across from two intelligence officers on a military base in New Mexico. His old friend at the US Army Research Labs Center had set this up. But Shawn couldn’t feel at ease. Just being here could cost him his job. 

The officers were flipping through printouts Shawn provided—the highlights of his freelance investigation. 

The other intelligence officer zeroed in on a particular page. 

Are you saying they have US military secrets?

It’s all in there! They have stuff about our troop movements, about our body armor design—and that’s just the stuff I could understand. 

We’ll run this up the flagpole. In the meantime, can you continue monitoring the hackers? 

They don’t know I’ve hacked them. I can see everything they do. 

The first officer smirked again. You’re so stealthy. Like a spider. Hey, we should call you Spider-Man. 

Shawn tried not to roll his eyes, but at least military intelligence was doing something about the hacks. 

In the following weeks, Shawn continued his life as before. He went to work at Sandia, and at night he continued to monitor the hackers. 

He was glad someone took him seriously, but it was difficult to feel relieved. Now that military intelligence had his data, it was out of his control. There was no going back. But Shawn knew this when he made the decision to go to military intelligence in the first place. 

In October 2004, Shawn got a phone call. 

Shawn, we have good news and bad news. The good news is, there’s going to be an investigation into your case. The bad news is…you can’t be involved. Not with us anyway. Military intelligence can’t work with civilians.  You’ll be working with the FBI.

Indeed, this was bad news. Shawn would much rather have worked with the military than with the Feds. Shawn knew that breaking into someone else’s computer had been a federal crime ever since the Computer Fraud and Abuse Act of 1986. Sure, the hackers had hacked Lockheed and Sandia first, but Shawn had also hacked the hackers himself. 

The situation was quickly getting out of his control. He knew he had to make sure this wouldn’t blow up in his face. 

Soon, Shawn was sitting in another conference room. This one was in the FBI’s Albuquerque Field Office. 

Sitting across from him was a tall, thin man with a goatee: Special Agent David Raymond, nicknamed “Doc.” He was friendly and affable. 

First of all, Mr. Carpenter, your work is amazing. I’ve got eight open cases throughout the United States that your information is going to. There are also three military investigations that I know about. You have caused quite a stir, in a good way.

That’s great. But I need to know that I won’t get in trouble for any of this. 

I wouldn’t worry about that. You’ve done a great service. 

But what Special Agent Raymond didn’t tell him was that the FBI was indeed concerned about Shawn’s hacking—to the point that it opened up a separate investigation into Shawn. 

The first meeting with the FBI left Shawn with mixed feelings. Yes, it was a relief to hear that actual investigations were moving forward. But he had no guarantee that the FBI wouldn’t turn around and prosecute him for the hacking. 

His wife Jennifer Jacobs agreed. You need to get it in writing, she told him one night over dinner. 

Shawn and the FBI began having regular meetups around Albuquerque. In restaurants, coffee shops, hotel rooms, and even in the basement of the Law Library at the University of New Mexico. Finally, needing privacy, they began meeting in Shawn and Jennifer’s home. 

During these meetings, Shawn provided updates on his investigation, but he also tried to get reassurance from Raymond.

Every time, Raymond deflected. 

Listen, Shawn, everything’s going to be fine. You’re very important to us. We’re not going to come after you. 

I need more than a verbal promise. 

I’m not supposed to tell you this, but the FBI has a letter from the Justice Department saying we won’t prosecute. 

Shawn wasn’t fully convinced that this letter actually existed. Since his case had been moved to the FBI, Shawn had been reading up on another recent Chinese espionage case investigated by the FBI’s Albuquerque Field Office. 

In 1998, the FBI suspected that Wen Ho Lee, a Taiwanese-American nuclear scientist at Los Alamos National Laboratory in northern New Mexico, had given nuclear secrets to the Chinese. In 1999, Lee was arrested, charged with 59 counts of espionage and other crimes, and placed in solitary confinement for 278 days. 

The Justice Department pressed the case but could never prove he’d actually passed anything to China. In the end, Lee pled guilty to a single count of mishandling classified information and walked free with time served. 

During the ensuing autopsy of the failed case against Lee, the FBI discovered that the Albuquerque Field Office had totally bungled the investigation. As one reviewer put it, the case suffered from “Neglect, faulty judgment, bad personnel choices, inept investigation and the inadequate supervision of that inept investigation."

On top of that, FBI agents in the Albuquerque field office also severely mistreated Lee. Among other things, they’d lied to him about whether he’d failed a polygraph test. Then they’d told him that he’d never see his children again, and that he could be executed. The federal judge who presided over the case apologized to Lee from the bench, and President Clinton said publicly that he was troubled by how the case had been handled.

Shawn knew what FBI Albuquerque was capable of. The fact that the Feds wouldn’t give him a promise in writing only made Shawn and Jennifer more anxious. 

Shawn installed microphones around the house that would record every conversation he had with Special Agent Raymond. Otherwise there was little for him to do but continue working at Sandia National Laboratories, hoping nobody would discover what he’d done. 

But Shawn didn’t know the tide was already turning against him. 

One day in late December 2004, the FBI made a call to Bruce Held. The balding, middle-aged Held was the head of counterintelligence at Sandia National Laboratories. He was also a retired CIA officer who had run paramilitary operations in Africa. 

In other words, a real saint of a human being. 

Mr. Held, I’m Special Agent David Raymond with the FBI. We’ve become aware that Sandia National Laboratories was the target of a hack. Is this true? 

How the hell do you know that? 

We’re working with a confidential informant. Off the record, it’s a Sandia employee. 

Days later, on January 7, 2005, Shawn came into work at Sandia like usual. As he arrived at his desk, he found his supervisor and his information security manager already waiting for him. 

Shawn, can you come with us, please? 

Both of them looked grim. Uh-oh. Shawn knew there was no point in asking them what this was all about. So, he nodded and followed them to a conference room. 

There, several other Sandia executives were already waiting. They’d shoved the conference table over to the side and arranged their chairs in a semicircle. One chair was waiting in the center of it, clearly for Shawn. He took a seat. 

Nobody said anything. After five minutes, Bruce Held strode into the room. He grabbed a chair, placed it a couple inches in front of Shawn’s, sat down, and got right in Shawn’s face. 

What the fuck were you thinking? 

Shawn glared. 

I’m just trying to protect my country. 

You know, you're lucky you have such understanding management. If you worked for me, I would decapitate you! There would at least be blood all over the office!

Shawn looked around the room in disbelief. Was nobody going to speak up? 

Obviously your employment here is at an end. And obviously you’ll be hearing from our lawyers.  

Held stood up and headed for the door. Before he left the room, he turned back.

Your wife works here, doesn’t she? I might need to talk to her! 

The rest of the executives filed out of the room, all avoiding eye contact. Shawn went back to his office, where his supervisor was waiting. 

Really? You’re escorting me out of the building? 

You know I have to. 

Shawn followed his supervisor to the front gate and handed over his ID badge. He stepped through the gate, and it shut behind him, bringing his time at Sandia to an end.

Shawn walked across the parking lot, got into his car, and sat there, absorbing what had just happened. He’d just lost his job, and probably his Q clearance and his career, too. He could be facing lawsuits, an FBI investigation, or even jail time. 

Worst of all, Shawn knew that the hackers were still out there.  

Shawn sensed that the hackers were still active, planning and executing many more operations that he wasn’t even aware of. He had no idea how right he was. 

Act Three

“Confused and panicked.” 

That’s how one anonymous official described the American government’s response to the series of cyberattacks attributed to Unit 61398.  

To be clear, details about most of the ensuing investigation are classified and have been since the early 2000’s. 

But here’s what we do know.

Shawn Carpenter first brought his information to Army Intelligence in May 2004. At this point, the US Army opened up at least three investigations into the hacks. They codenamed them “Titan Rain.” 

We have no idea how the Army came up with this name, so let’s just assume they named it after their favorite male strip club. 

SFX: a couple seconds of Skatt Bros. “Life at the Outpost”

https://www.youtube.com/watch?v=g81HoQ6PuR0 

Army intelligence realized that it was illegal for them to work with a civilian, so they passed it off to the FBI’s Albuquerque Field Office.

Special Agent Raymond was correct when he said that the information Shawn provided was fueling multiple cases. 

As it turns out, the FBI had already started a task force dedicated to investigating these crimes—meaning, the FBI was already aware of them. 

Even with Shawn Carpenter’s information, the FBI wasn’t making much progress. Sandia National Laboratories wasn’t alone in its reluctance to cooperate with the FBI. Many government agencies and corporations hated the idea of turning their computer systems over to the FBI, instead preferring to handle it in-house. 

When the FBI shared its initial findings with the Pentagon, the Pentagon wasn’t surprised. The Pentagon had also been aware of these cyberattacks–since as early as 2003. After all, the Chinese military had been making thousands of attempts to crack its systems for years. It would be almost impossible for the Pentagon not to be aware of it. 

But the Pentagon did little. It didn’t alert other federal agencies or private companies, it didn’t coordinate a military-wide investigation, and it didn’t launch any counter-attacks against the hackers.

Had it done any of these things, it’s likely it could have at least blunted the Titan Rain attacks. 

But it’s not like the Pentagon had a playbook. Titan Rain was one of the first large-scale digital spying campaigns one country had run against another, and nobody in Washington had settled who was supposed to respond.

At the time, there was no US Cyber Command. CYBERCOM wouldn’t reach full operational capability until 2010. In the early 2000s, defending the military’s own networks fell to a small joint task force under US Strategic Command, the outfit that became Joint Task Force–Global Network Operations in 2004, and its authority didn’t extend much beyond the Pentagon’s own systems. 

Protecting the rest of the federal government fell to the newly created Department of Homeland Security. Problem was, most government agencies and large corporations already had their own cybersecurity departments, and DHS had no actual authority over any of them. The best it could do was coordinate, a process that would take days or weeks. Meanwhile, the hackers could break into a computer and steal data in as little as 10 minutes. 

Worst of all, there was no federal agency protecting civilian computer networks from cyberattacks. That fell to private companies themselves—which, again, were often reluctant to share their information with the government. 

These attacks began because two Chinese colonels realized that their country was unprepared for modern warfare. But because of these colonels’ efforts, now it was the United States that was caught off guard.  

The time to fix these legal weaknesses would come soon enough. The Titan Rain attacks were still ongoing, and the US had to find a way to stop them. 

Easier said than done. While the United States struggled to respond, the hackers working for Unit 61398 continued their work.

Again, China’s overall goal in these attacks was to surpass America in technology. But that didn’t mean that it only stole American technology. Plenty of other first-world nations had valuable information and technology that was ripe for hacking. 

Beginning in 2003, Unit 61398 infiltrated systems at the UK Government’s Foreign Office, as well as several other government agencies. It did the same in Germany. These attacks wouldn’t be discovered until years later. 

Then, in 2004, while Shawn Carpenter was still getting jerked around by the FBI, and while the American government still had its head in the sand about the Chinese cyberattacks, the Chinese were also targeting Canada’s largest telecommunications company, Nortel. 

That year, a midlevel cyber-security advisor named Brian Shields made a horrible discovery: a Nortel executive’s email was hacked, and the hackers downloaded more than 450 documents from the company’s internal server, which housed intellectual property—technical specs on fiber optic cables, on satellites, on WiFi transmitters, you name it. 

Like Shawn Carpenter had done in New Mexico, Shields traced the documents back to a cluster of servers all located in China. The discovery hit him like a ton of bricks. 

Shields brought the issue to his bosses. But just like Shawn’s bosses at Sandia, they didn’t care enough to investigate the attacks. They simply changed their passwords and moved on to pursue their annual profits.  

As it turned out, these hacks were conducted by Unit 61398 on behalf of the Chinese telecommunications giant, Huawei.

Huawei was founded in 1987 by former People’s Liberation Army engineer Ren Zhengfei. Lagging far behind its Western counterparts like Nortel or AT&T, Huawei hired Unit 61398 to conduct industrial espionage and funnel technology back to it—which it then used to advance its products.

Nortel would eventually declare bankruptcy, largely because Huawei underbid it on several contracts around the world.

When the FBI received Shawn Carpenter’s information in late 2004, it wasn’t yet aware of these international cases. The FBI task force and the Pentagon had their hands full investigating the Titan Rain attacks on government and military computers. 

The attacks on Lockheed-Martin and Sandia National Laboratories were the tip of the iceberg. Over 100 American military networks had been compromised in the Titan Rain attacks. A partial list includes: 

-U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona;

-Defense Information Systems Agency in Arlington, Virginia; 

-Naval Ocean Systems Center in San Diego, California; 

-and Army Space and Strategic Defense Command in Huntsville, Alabama.

Worst of all, the hackers responsible for these particular attacks left few to no digital footprints that could be used to identify them by name. 

The only real option was to catch the hackers in the act. 

As before, the hackers for Unit 61398 continued their work. By the time the US government was realizing the scope of the Titan Rain attacks, Unit 61398 evolved its tactics. Like it had in Canada with Nortel, now it would be targeting American corporations. 

Earlier, we mentioned Huang Zhenyu, the hacker who specialized in industrial espionage in the iron and steel industries. He was just one of a new wave of hackers who joined Unit 61398 in 2006, and began hacking American companies. 

But the Pentagon still had one more punch to take. 

By the spring of 2007, the American government and its allies were well aware of China’s cyberwarfare program—but the public was just beginning to learn the truth. 

That spring, the Pentagon’s cyber security team detected an unauthorized intrusion into its unclassified email system. This forced the Pentagon to shut down its email system for three weeks, affecting 1,500 employees. 

The Chinese military was almost automatically a suspect—but at this point, there was still little the United States could do. 

When asked if he was personally affected by the email hack, Secretary of Defense Robert Gates said, 

No. I’m a pretty low-tech person. I don’t really do e-mail.

Act Four

It would take several more years before Unit 61398’s activities were finally exposed—or at least some of them. 

Beginning in 2006, the Justice Department began working with the cybersecurity firm Mandiant. It was founded by Kevin Mandia, a former Air Force computer security officer and later a special agent in the Air Force Office of Special Investigations. 

Over the next seven years, Mandia and his small team painstakingly combed through every attack involving Unit 61398 that they could find. 

Altogether, they discovered evidence of more than 100 hacks into American companies, from Telvent Canada, which makes software for the smart grid, to Coca-Cola. 

In the latter case, Unit 61398 hacked into Coke’s system while the beverage giant was negotiating to purchase Chinese beverage company China Huiyuan Juice Group for $2.4 billion—even more evidence that the Chinese military worked directly with the Chinese private sector. 

The average hack lasted 356 days—meaning, once the hackers Trojan Horsed their way into these computer systems, they lingered for almost a year, gathering data and observing the company’s internal operations. The longest hack lasted four years and 10 months. 

Mandiant identified three Unit 61398 hackers by their aliases: there was the pun-loving UglyGorilla, as well as DOTA, and SuperHard. Yep, SuperHard–which also happens to be the name of the most popular dancer at Titan Rain. 

Mandiant was even able to pinpoint the hackers’ location—the 12-story office building in Shanghai. 

The following year, the Western District of Pennsylvania under Attorney General Eric Holder issued a 31-count indictment against five Chinese hackers: 

The hackers included Wang Dong, aka UglyGorilla; Wen Xinyu, the philosophy nerd who enjoys Angry Birds; and the steel and iron industry specialist, Huang Zhenyu. 

The military officers included the middle-aged career bureaucrat Sun Kailiang, and his younger protégé Gu Chunhui. 

Altogether, these five men were accused of hacking into just six computer systems, at 

-Westinghouse Electric Co., 

-The U.S. subsidiaries of SolarWorld, 

-United States Steel Corporation, 

-Allegheny Technologies Inc, 

-The United Steelworkers Union,

-and Alcoa Inc.

That’s just a small fraction of the total number of systems they’ve broken into.

Like we’ve seen before, these indictments are unlikely to lead to a conviction. It’s not like China would ever extradite hackers to the US to face trial. To do so would be to admit that its hacking program exists—which so far it refuses to do. At best, all the indictments can do is make it difficult for these five men to travel internationally—assuming these men do actually exist. 

Still, these indictments did make the public and the international community more aware of China’s widespread cyberwarfare campaign—even if terabytes of intellectual property had already been stolen. 

As for Shawn Carpenter, the FBI decided not to prosecute him for any of the hacks, seeing as he had contributed to so many investigations.  

But Shawn’s fight wasn’t over. In 2005 he filed a lawsuit against Sandia National Laboratories for wrongful termination. While Shawn did admit to hacking computers, he also convinced the judge that Sandia had explicitly encouraged him to do so. Among other things, he produced a memo urging Sandia’s IT team to “think like hackers” to determine the source of the nuclear weapons lab’s cyberattacks.

At the hearing, Sandia counterintelligence chief Bruce Heald admitted to threatening to “decapitate” Shawn, but denied saying there would be “blood all over the office.” 

Shawn won a $4.7 million settlement. He regained his security clearance, and he still works in the cybersecurity industry today. Shawn’s wife Jennifer Jacobs also resigned from Sandia and now works as a White House fellow. 

The story of Titan Rain is ultimately the story of Unit 61398 of the People’s Liberation Army—an organization that’s still active today, and that’s still shrouded in mystery. However, Unit 61398 is just a small part of the story of China’s cyberwarfare program. 

In its report mentioned earlier, Mandiant said it was monitoring more than 20 distinct cyberwarfare programs originating in China. Some were military, like Unit 61398. Others were made up of civilians—but no less dangerous. 

The attacks would keep coming. Titan Rain might have been stopped, but China’s cyberwar on America and the West was just beginning. And China was quickly catching up.

Next time on Modem Mischief, we delve into China’s civilian hacking program, with the story of Wicked Rose & The Network Crack Program Hacker Group. I’m Keith Korneluk and you’re listening to Modem Mischief.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka SuperFlacid. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!