Cyberwar (2016) s01e04 Episode Script

Hacked by China

BEN: Two powers compete to dominate the global market.
We know foreign countries and companies swipe our corporate secrets! China breaks the rules in its quest to become the world's economic superpower.
There's two types of companies left in the United States: companies that have been hacked by China, and companies that don't know they've been hacked by China yet.
Chinese hackers breach American corporations under direct orders from Beijing.
This is oftentimes a military operation, and you don't disobey orders in the military.
Billions of dollars worth of US trade secrets are stolen every year.
The people behind the keyboard think they're anonymous, and these charges show you are not.
What will it take to stop the theft? In July 2015, the Washington-based US Office of Personnel Management announced that the private records it kept on more than 22 million American civil servants had been stolen.
The US government never formally blamed China, but plenty of unnamed officials made the accusation in the press.
Bill Evanina is in charge of combatting foreign intelligence threats for the US government.
I think the intelligence community feels pretty confident we feel - with who's involved, but I'm not quite sure the administration has yet come out and identified or attributed that data, but we're pretty confident we know who is responsible.
What did they take? What they stole, the perpetrators, were the SF86s and SF85s, which are the standard forms in which employees fill out to obtain security clearances.
On those forms had a lot of proprietary information about you, who you live with, your social security number, your date of birth, what schools you went to, your employment history.
So a lot of significant personal identifiable information that we consider very sensitive.
And how long will the intelligence community in the United States be feeling the ramifications of this? Ooh, I'm not sure we could put it in terms of years, but I would say maybe decades.
I don't think this is anything that's going to be over in a year or two.
I think the data that's on these forms can be used to target US government employees and contractors for many, many years.
- Were you personally - Absolutely.
You were personally impacted by it? Absolutely.
So I am one of the 22 million victims that have been identified in the OPM intrusion.
So all my personal data, from when I filled out my original form and subsequent background of investigations that I've gone through, has been compromised.
How does that make you feel? Like a victim.
Even though OPM was bad, it was classic espionage.
Most countries would do it given the chance.
But hacking US corporations to make money off of their property is another story.
We've agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, for commercial advantage.
In addition, we'll work together and with other nations.
President Obama has reason to be concerned.
For years, Chinese hackers have been a problem for American business, but most companies kept quiet about it.
And then Google broke the silence on their blog in January 2010.
The American technology giant had been hacked, and China was to blame.
But Google wasn't the only company targeted.
It was just the first one to go public.
A slew of other Fortune 500 corporations were also hacked in an attack now known as Operation Aurora.
What was interesting about Operation Aurora wasn't that it was some kind of new attack.
It was that it was the first time an American company had had the courage to stand up and point the finger at China and say, "We know you did this."
Nicole Perlroth is a cyber security reporter for The New York Times, and she's written extensively on Chinese hackers.
And Google, as open as they were about who had done it, they've been relatively close-lipped about what exactly was stolen.
But the word on the street is that the Chinese were actually able to get a fair amount of Google's source code.
That source code could help Chinese hackers break into Google's products, or to replicate them in the future.
What do we know about Chinese espionage? We know that China has basically made it a core part of its economic mission to stop being the world's manufacturer and start innovating.
Every five years, you see a new industry that China wants to excel at, and suddenly you just see a rush of cyber attacks towards whatever industry China has said that it wants to dominate in.
It's paint formulas.
It's Coca-Cola's negotiation strategies.
It's think tanks.
It's diplomats.
It's university professors.
It's law firms.
People have started to realize that this actually has become a serious issue, or? I think it made people realize that some of the most vibrant companies in the United States were major targets, but I think it took another 5 years for companies that thought, "Why would we ever be the target of a state-sponsored Chinese cyber attack?" to wake up and say, "Oh shit, we've been a victim too!" But how was everyone so sure China was behind Operation Aurora? I went to Washington to talk to Dmitri Alperovitch, one of the first people to analyze the attack.
He worked with many of the companies who were affected.
So how was it done? It was actually pretty ingenious.
So they actually identified people inside the organization that they were able to approach, and social engineer them to click on a link.
So you're talking about phishing emails with malware payloads.
That's right.
In some cases, it was actually an instant message, not even an email, that once you click on that link, your machine is compromised and the attackers take over.
And how did you figure out it was China? Once we started tracking all the machines that were involved in the compromise, and there were these multiple of machines that were set up for command and control, and where the connections into those machines were coming from, we started to see signs that were pointing to Chinese activity.
And later on, as we expanded the investigation, we started to uncover other activity that we were able to tie together to this group that we now call Aurora Panda, a Chinese nation state group that is really conducting, to this day, espionage activity into numerous organizations, government agencies, as well as private-sector organizations across the globe.
Operation Aurora offers a glimpse into how Chinese hackers work within the country's government.
(Soldiers chanting) And more specifically, its military branch: the People's Liberation Army, otherwise known as the PLA.
With these type of actors, they get in and they wanna stay as long as possible, because they have a collection priority.
And even if they get discovered and kicked out, oftentimes they're back in or trying to get back in the next day because they still have a mission to do, right? This is oftentimes a military operation.
You have a PLA general that's coming to you as a soldier in the PLA saying, "I need you to get this information for me from this company."
And you don't stop because it's hard, you don't stop because you've been discovered.
You keep on going because you were given a mission by your boss to do so, and you don't disobey orders in the military.
And you need to achieve that objective.
Absolutely.
The hackers deployed malware using an unfixed flaw in Internet Explorer.
This is a real spear phish we detected in one of our customers.
So let's go to our victim machine down here.
I have an email that's arrived from a good friend of mine, and there's a Word document attachment that I want to take a look at.
So who wouldn't click on this? I certainly would.
So we just had the connection from the victim show up here.
So this is our machine, our victim machine, that we are able to take over.
I can go to this wonderful file manager, which looks like just any file manager you would normally have.
So I literally can just highlight this and click "Receive", and it sends it over to my machine.
That's as easy as it gets.
Operation Aurora showed that China was hacking some of America's biggest companies, and many of the attacks were attributed to hackers linked with the People's Liberation Army.
BEN: If the Google hack and others like it are state-sponsored, that means the Chinese government is brashly stealing American intellectual property with one hand while making new trade deals with the other.
The New York Times and Nicole Perlroth paired with a cyber security firm, Mandiant, to track down the physical location of some of the hackers.
And they found them in Shanghai at a PLA unit known only as 61398.
We were able to trace thousands of attacks on US companies and companies in Europe and universities and research companies and think tanks back to this one building in Shanghai.
And it was the first time a security firm had publicly pointed to not just to China, but to a very specific unit of the PLA.
There weren't a lot of windows, but it was clear they had some great satellite technology, and it was very well guarded.
But other than that, it was completely nondescript.
It was not as high-tech as Fort Meade, but it was very clear this was actually a military compound.
To understand 61398, first you have to understand the relationship between business, government, and the military in China.
Melissa Chan worked in Beijing as a correspondent for Al Jazeera for 5 years.
Her reporting on politically sensitive issues got her kicked out of the country.
Did they give you a rough time when you were there? They gave me and every foreign reporter a rough time.
We all thought the reporting environment in 2012 was pretty bad.
That was around the time when I left, and it's just gotten worse according to foreign reporters still based there.
What do you make of Obama making cybersecurity top of the list when it comes to dealing with China? I think it indicates how bad that situation is with cyber espionage.
Every government has cyber espionage, right? Including the United States.
You won't have an American intelligence officer meet with a Fortune 500 company CEO and just hand over data, and say, "Here, this is what we got from the Chinese."
But we do know that the Chinese do not see that differentiation.
I mean, the thing you have to understand about Chinese companies, even publicly traded companies that are owned by private Chinese you know, that were started by private Chinese citizens, is that there's a corner office somewhere where there's a Communist Party representative.
So the Communist Party's never far away from any Chinese company.
There's always a connection to the government.
I spent months trying to speak with Chinese hackers.
When I finally came close, I was shut down at the last minute.
But I did get a glimpse through cybersecurity expert Ian Amit.
Amit met with Chinese hackers at a tech conference in China.
IAN: We went to what was called Excalibur Con.
A bunch of us - "us" is Western security professionals, speakers, hackers, whatever it is - were invited to speak.
Were you ever offered to work for the Chinese government? Yeah, yeah.
They just came out and asked you? Pretty much, yeah.
What was your response? No.
(Laughing) A very nice "no", but Yeah, they had us, you know they even took us to a tour in a business office building that was empty.
And you know, walked us around, showed us, you know, "This can be your office.
Do you want the corner office? How many people do you need working for you?" And they're not talking about like five or six, like, "Do you need 50, 60, 100?" BEN: So this is the office you'd be given.
IAN: Yeah, and again, they built this in a year.
One year, everything.
Roads, residential Again, resources is not a problem.
You just have a lot of people build shit.
How do you gauge Chinese hackers compared to, you know, let's say the NSA? I would say the same rate, the same level.
Really? If you assume any less of that, you're a fool.
Then why are they trying to poach American and Israeli More, more.
Having a diversity is key in cybersecurity.
A lot of times when you bring in people that are not necessarily from your field of expertise, can can be a huge leverage in terms of your capabilities.
I would do the same.
I would try to recruit, I would try to tap into whatever resources there are that I'm not aware of that can enhance and enrich my capabilities.
If they're grooming their local cyber expertise in-house, if I were on their end, I would try to do the same.
I would try to bring in a lot of outside perspective, a lot of different thinking, different approach, because that's the key, especially in a game like cybersecurity.
You have to be adaptive, you have to be creative.
- For innovation.
- Exactly, yeah.
Where the loss of American intellectual property was once kept secret, by 2014 the Obama Administration was no longer silent.
For the first time, the Department of Justice charged Chinese military hackers for breaking into US corporations.
Today, we are announcing an indictment against five officers of the Chinese People's Liberation Army for serious cybersecurity breaches against six American victim companies.
These represent the first ever charges against known state actors for infiltrating United States commercial targets.
The DOJ put five Chinese hackers on the FBI's Most Wanted list, all of them officers in the PLA's 61398.
John Carlin tracks nation states infiltrating US corporations.
You'll see the activity from the location of this unit of the PLA, 61398.
It starts around 9:00am, and you see the spike in activity.
You go to around lunch.
They get a little lunch break, and the activity goes down.
Then it resumes again until the end of the day.
And there seems to be roughly a 9-to-5 - Government job.
- A government job.
So we just can't it's not fair to American companies.
And what evidence did you have against them? We showed specific actions on specific times on specific dates, and photographs of the individuals as they went into company systems from these dedicated hacker thieves who are going in day in and day out to steal information.
But they are wearing PLA member uniforms.
If this is a nation state attack, why single out individuals? We're not charging a country for generically doing something bad.
We're proving up specific facts against particular people by name, by date, here is what they did.
So in this case, we were able to figure out the name and the face behind the keyboard.
And the reason why our companies are getting hammered day in and day out by this type of theft is because the people behind the keyboard think they're anonymous, and these charges show you are not.
And the fact is just because you're wearing a uniform shouldn't give you a free pass when you commit that same type of theft.
China was stealing some of America's most precious intel, the kind of trade secrets that keep economies growing.
For some companies, the results were devastating.
BEN: China has been targeting all sorts of American companies for trade secrets.
Daniel McGahn is president of American Superconductor, or AMSC.
The company specializes in power technologies such as wind turbines and superconducting wire.
In an effort to protect against hacking, they kept their valuable source code on an offline server.
But in 2011, one of McGahn's employees took a $2 million bribe to hand over AMSC software code to a state-owned company in China.
Welcome to the future! The story really kind of falls out of a you know, a 1960s, 1970s vintage spy movie.
The individual was approached, the individual was turned, there was offered money, home, women.
The way he was motivated was in the techniques of spy craft.
He had a penchant for writing everything down.
If you know Skype, he tended to use Skype to be able to communicate and transfer files.
So we were able to basically obtain everything, from motive to when the transfers happened, who received them, and kind of the end part.
You know, ha ha ha, they won't need American Superconductor anymore.
And what was the fallout? The fallout was we had a stock that was at about $25, and it went to $12.5 in a day.
So we went from about $1.5, $1.6 billion to $800 million in evaluation in a day.
So the stock completely collapsed.
We know we're on a targeted list of a lot of companies in North America, that the Chinese are looking to obtain any valuable technology that they can.
So we've had to try to develop a capability to protect such attacks.
So you're saying the People's Liberation Army has targeted your company in hacking operations to steal corporate secrets? They've been happening since this event, and they've been happening subsequently on a very regular basis.
What we've seen is when we've gone back and we've used third parties to try to validate, you know, where did these attacks come from, and the entities that at least that they're telling us are directly linked to the PLA and China, the People's Liberation Army, there is a move within China to do this as part of kind of normal operation of business.
And do you think this is sort of a precursor to China trying to overtake America economically? I don't see it as a precursor; it's happening.
The desire is for China to be #1.
They have the largest population in the world.
Why shouldn't their economy be the largest? Even after all this, would you still do business in China? We still do.
We still see China as an opportunity, but those products have to be paid for.
Customers pay.
To add insult to injury, a wind turbine that was built by China and sold back to the US was running on the stolen source code.
AMSC eventually replaced the turbine's controller and software with their own tech.
Hoo! So this is actually one of the controllers that was stolen? Yes, yes.
So the software stolen, and the actual programming of the turbine.
This turbine's close, but it's definitely different.
Oh my god! Ho! We are definitely 72 meters in the sky.
BEN: But it's not as if the US isn't spying on Chinese corporations.
In 2014, Edward Snowden leaked a trove of National Security Agency documents that revealed Huawei, a Chinese telecom giant, was a US target.
And according to the German magazine Der Spiegel, the NSA managed to access the source code of Huawei products in order to tap communications of targets who use them.
But the US government says there's a difference between traditional espionage and stealing trade secrets for profit.
So the administration is still holding out the threat of sanctions.
Do you think sanctions and diplomatic ploys, do you think that'll really work? It will work because look at what they're stealing here.
In one case that we charged, they were stealing the formula for the colour white.
That is not a national security secret.
They are stealing that so that they can compete and make paint, white paint that people think is popular.
That's all driven by profit.
This is a cost-benefit game.
As long as they think it's cost-free to steal this information, they're going to continue to do it.
And we need to keep raising the costs until the behaviour changes.
With the help of stolen American-made IP, China has set its sights on overtaking the US as the #1 economic superpower in the world.
If we could put a dollar value on all this hacking against corporate America, what would it be? It's impossible at this point.
People have tried.
The former commander of Cyber Command has put it in the trillions.
There's just How do you put a price on intellectual property? And is this just the beginning? Or what's the future hold for corporate America? I think it's a question of is it too late? Has the IP already left the building? And if it has, are we going to suddenly see carbon copies of Benjamin Moore and Coca-Cola and Lockheed Martin pop up in China over the next 10 years? And the next chapter is: when are we going to see China really using our own intellectual property to their economic advantage? And I don't even think we've seen the beginning of that yet.
It's tough to know what's next when China keeps such tight control on their hackers, and almost no information leaks out of the country.
But it's also hard to believe that the sophisticated cyber force of a rising superpower suddenly just change MO because America said so.
