Episode Transcript
0:03
Within a few decades,
0:05
the Chinese economy went
0:07
from agrarian backwater to
0:10
manufacturing middleman, to world-class
0:12
innovator in its own
0:14
right. American companies had
0:16
been the pioneers, the
0:18
innovators, but somewhere along
0:20
the way, we got
0:22
beat at our own
0:24
game. And in too
0:26
many cases, it was
0:28
with our own stolen IP.
0:30
Throughout the 2010s, examples
0:32
surfaced everywhere. The world's
0:35
top telecom player, Huawei.
0:37
They're the biggest supplier
0:39
of telecoms equipment in the
0:41
world. So why are countries
0:44
increasingly turning away from Huawei?
0:46
The world's top solar panel makers,
0:48
all Chinese. The first solar panels
0:50
were invented in America in 1954.
0:53
And yet it's been China that's
0:55
been better able to capitalize on
0:57
the technology. Now, China controls over
0:59
80% of the global solar panel
1:02
supply chain. While the United States
1:04
manufactures virtually none of the
1:06
required components for solar panel
1:08
production. The fastest growing social
1:11
media app? Tiktak. Tiktak is the
1:13
latest app to capture the attention of
1:15
teens and young adults across the world.
1:17
The app came as the number one.
1:20
downloaded app of 2018. Even the
1:22
drones flown by US law
1:24
enforcement are no longer American.
1:27
For almost the last
1:30
two decades, Chinese-made
1:32
drones have dominated
1:34
the consumer market. China's
1:36
DJI owns the sky.
1:38
As for electric vehicles,
1:40
it's not Tesla anymore.
1:42
As of 2023, it's
1:44
China's B-Y-D. In the world
1:47
of electric vehicles, Tesla has
1:49
reigned supreme. But its days
1:51
as top dog may be
1:53
numbered. In China, the world's
1:55
largest EV market, it's been
1:57
losing ground to domestic automakers
1:59
as a ruthless price war.
2:01
has inflamed an already competitive
2:03
market. Nobody was connecting the
2:05
dots back to Chinese hacking.
2:07
Nortel didn't just disappear. Huawei
2:09
stole it. China subsidized it.
2:11
And they made it so
2:13
cheap, it wiped Nortel off
2:15
the map. Now, that's not
2:17
to say that Chinese companies
2:20
aren't innovative. It's just that
2:22
they were playing by different
2:24
rules. The hacking... The outright
2:26
theft gave them a huge
2:28
leg up, and all that
2:30
leapfrogging came with a heavy
2:32
price tag for American companies,
2:34
American workers, really the American
2:36
people. That time period was
2:38
the most dangerous in America's
2:41
history, I think, because we
2:43
really got a superpower elevated
2:45
probably 50 years of IT
2:47
advancement in a five-year period,
2:49
because developing all that on
2:51
your own would never have
2:53
happened. And, in my opinion,
2:55
America's companies would have dominated
2:57
China had they not been
2:59
able to build their own
3:01
Chinese companies with the IP
3:04
they stole. That was Dave
3:06
DeWalt. who had a front
3:08
row seat to these developments
3:10
as CEO of McAfee and
3:12
later fire eye. Anyone tracking
3:14
Chinese cyber theft over this
3:16
period could have told you
3:18
that this was all entirely
3:20
predictable. But even as the
3:22
hacking reached absurd levels, America's
3:25
leaders in business and government
3:27
were still hesitant to sound
3:29
the public alarm. Fears of
3:31
upsetting the world's largest market
3:33
still ruled the day. Gots,
3:35
where a certain government shorthand
3:37
came in. By the end
3:39
of the Bush administration, there
3:41
was a recognition that Chinese
3:43
cyber activities had reached troubling
3:46
levels. This is where the
3:48
famous phrase APT came from.
3:50
The Bush administration didn't want
3:52
to say China. So they
3:54
called it advanced persistent threat.
3:56
That's code for China. I'm
4:00
Nicole Pearlroth and this is
4:02
to catch a thief. I
4:04
learned the meaning of advanced
4:06
persistent threat back when I
4:08
was at the New York
4:10
Times. I was reporting out
4:12
a wild story about how
4:14
Chinese hackers had broken into
4:16
one oil company. They tried
4:18
to break in all the
4:21
usual ways, mainly through fishing
4:23
emails, but when that didn't
4:25
work, They searched for the
4:27
company's employees on Facebook and
4:29
discovered several of them had
4:31
liked the same Chinese takeout
4:33
restaurant. So what did they
4:35
do? They hijacked the restaurant's
4:37
PDF takeout menu. When the
4:39
oil company employees went to
4:41
order some general sauce chicken,
4:43
they got a helping of
4:45
Chinese malware instead. Once they
4:47
were in, getting these Chinese
4:49
hackers out of your systems,
4:51
Finding and closing every backdoor
4:53
was a huge challenge. In
4:55
one case, the U.S. Chamber
4:57
of Commerce, basically the country's
4:59
biggest business lobby, discovered they'd
5:01
been breached by Chinese hackers.
5:03
They brought in the FBI
5:05
in private security firms and
5:07
believed they'd cleaned house. But
5:09
then months later, one of
5:11
their printers inexplicably started printing
5:13
out reams of documents in
5:15
Mandarin. Separately, some of their
5:17
lobbyists started complaining that the
5:19
thermostats in their corporate apartments
5:21
in DC were acting funny.
5:23
Upon closer inspection, both the
5:25
printer and these thermostats were
5:27
still communicating with IP addresses
5:29
in China months later. This
5:31
was the level of persistence
5:33
we were dealing with. Back
5:35
to Dave DeWalt. This was
5:37
stuff we hadn't seen before.
5:39
The epiphanies of a major
5:41
government stealing from... American companies,
5:43
directly government on business, and
5:45
then government on security companies
5:47
to business was something we
5:49
had never seen. And so
5:51
that was a wake-up call
5:53
for all of us to
5:55
go, wow, okay, this is
5:57
beyond government on government espionage
5:59
and activities. But when you
6:01
start seeing little companies, almost
6:03
measured by a press release
6:05
coming out as a series
6:07
A investment, getting hacked by
6:09
the Chinese, you knew. You're
6:11
in a whole new era,
6:13
and that's the era I
6:16
grew up in. These days,
6:18
DeWalt runs his own cybersecurity
6:20
investment firm, Night Dragon, and
6:22
yes, he named his firm
6:24
after the Chinese hacking campaign.
6:26
Some of these theft still
6:28
haunt him. I spoke at
6:30
an airline transportation summit, and
6:32
I showed 150 breaches on
6:34
how China built his next
6:36
generation jet. So they stole...
6:38
all the parts to the
6:40
jet from the airframe to
6:42
the avionics to essentially, and
6:44
it was, I wanted to
6:46
call it the C919, but
6:48
I showed the entire airframe
6:50
and avionics and every confirmed
6:52
breach that showed how they
6:54
had a strategy to build
6:56
the entire aircraft from the
6:58
breaches of American companies. Now
7:00
it took them a while
7:02
to get it off the
7:04
ground because, you know, it's
7:06
not easy just to steal
7:08
it and build it. There's
7:10
a lot of engineering process
7:12
that goes with it, but
7:14
eventually they did. and now
7:16
they have their own capabilities
7:18
to build their own aircraft
7:20
commercial airliners that all came
7:22
from breaches of the US.
7:24
The Comac C-19 came to
7:26
market in 2008. It took
7:28
another 10 years for the
7:30
US Justice Department to detail
7:32
in an indictment how Comac
7:34
narrowed the technological gap between
7:36
what it could build and
7:38
what its Western competitors could
7:40
do. Before 2008, Comac relied
7:42
on companies like Arabas, G.E.,
7:44
Honeywell, Belgium Saffrin, for major
7:46
components. But China was determined
7:48
to help Comac, which is
7:50
short for commercial aircraft corporation
7:52
of China, stand on its
7:54
own two feet. Chinese spies
7:56
bribed employees at these Western
7:58
suppliers to hand over trade
8:00
secrets, and some of them
8:02
did. A few are now
8:04
in jail. But what China's
8:06
spies couldn't get from human
8:08
sources, they stole in a
8:11
brazen series of cyber attacks
8:13
against Honeywell, capstone turbine, GE,
8:15
and Saffrin. Crowdstrike in a
8:17
report of its own concluded
8:19
that those hacks helped Comac
8:21
trim quote, several years and
8:23
potentially billions of dollars off
8:25
its development time. And that
8:27
was all for just one
8:29
airplane. When you look at
8:31
solar industry, there are so
8:33
many attacks on the solar
8:35
where they'd flood solar panels
8:37
back into the US down
8:39
to the exact bolt with
8:41
the same serial number of
8:43
the solar panels that were
8:45
stolen. I mean, we could
8:47
match it to the Chinese
8:49
maker with the exact same
8:51
characteristics with the same serial
8:53
number that was stolen from
8:55
a US provider. And we
8:57
have a lot of cases
8:59
of this. I'm not sure
9:01
how many are able to
9:03
share down to the company
9:05
names, but I mean, we
9:07
saw restaurants that were opening
9:09
in China with the exact
9:11
recipes of the food that
9:13
was served. Like we saw
9:15
good luxury goods makers who
9:17
had their products stolen down
9:19
to the handbag process of
9:21
manufacturing. Back when DeWallett was
9:23
CEO of Maccalfey and then
9:25
Firei, he handed the Obama
9:27
administration a list of American
9:29
companies he believed were getting
9:31
raided handover fist. Over the
9:33
next few years, as the
9:35
government debated what to do.
9:37
How far they were willing
9:39
to go to make China
9:41
stop. Whole companies, entire towns,
9:43
were eviscerated by Chinese IP
9:45
theft. If you go back
9:47
to 2008, window, there's a...
9:49
of town stories like that,
9:51
whose entire businesses and towns
9:53
were wiped out by Chinese
9:55
product that flooded the market
9:57
less than one year of
9:59
the espionage attack. Some of
10:01
the lives that were affected
10:03
and the people that were
10:06
affected are pretty dramatic because
10:08
entire factories and towns were
10:10
built around the manufacturing of
10:12
American good. that suddenly was
10:14
sold for a fraction of
10:16
the price below cost to
10:18
defeat the American by its
10:20
own product down to a
10:22
serial number. Today Solar World
10:24
here in Hillsborough has about
10:26
700 employees but by 2015
10:28
they say they will have
10:30
an additional 200. The company
10:32
is adding a solar panel
10:34
production line. 20 miles west
10:36
of Portland, Sitts Hillsborough, Oregon,
10:38
a town locals refer to
10:40
a Silicon Forest because a
10:42
number of big tech companies
10:44
have factories here. Intel, Salesforce,
10:46
and until recently Solar World,
10:48
a German solar company, housed
10:50
the largest solar cell manufacturing
10:52
facility in North America here.
10:54
At its peak, Solar World
10:56
hired more than a thousand
10:58
locals. The company was among
11:00
the first in the world
11:02
to manufacture a next-gen solar
11:04
cell that was highly coveted
11:06
for its efficiency and flexibility.
11:08
These solar cells allowed panels
11:10
to work in lower light
11:12
conditions and in extreme heat.
11:14
I use solar world panels.
11:16
I use solar world panels
11:18
because. We can trust them.
11:20
By far the best module
11:22
manufacture that there is in
11:24
the world. German engineering, American-made,
11:26
that hits home for most
11:28
people. The rate at which
11:30
the innovation was taking place,
11:32
rate at which we were
11:34
implementing and breaking new ground,
11:36
was just breathtaking. That competitive
11:38
edge put solar world in
11:40
Chinese hackers crosshairs. The CCP
11:42
first highlighted solar energy on
11:44
its five-year plan in 1981,
11:46
and solar has made every
11:48
five-year plan ever since. In
11:50
2012, SolarWorld discovered Chinese hackers
11:52
had broken into its network
11:54
and passed its crown jewels
11:56
over to Chinese state-owned enterprises.
11:58
Soon, those companies aided by
12:00
Chinese subsidies were dumping cheaper
12:03
copies of SolarWorld's panels into
12:05
US markets. SolarWorld fought back
12:07
both in court and in
12:09
the corridors of Washington, where
12:11
they lobbied for tariffs on
12:13
Chinese panels, but it wasn't
12:15
enough. By 2017, Solar World
12:17
laid off more than 800
12:19
of its Hillsborough factory workers.
12:21
The factory shuffled hands through
12:23
a series of takeovers and
12:25
ultimately closed up shop in
12:27
2021. Emotions are mixed here
12:29
at financially troubled Solar World.
12:31
We're in the process of
12:33
laying off people. Spokesman Ben
12:35
Santaris tells me the layoffs
12:37
at Solar World have been
12:39
happening for the last couple
12:41
of months. U.S. solar manufacturers
12:43
are finding it next to
12:45
impossible to compete. with much
12:47
cheaper imports flooding the market,
12:49
mainly from Asia. People are
12:51
being affected, they will be
12:53
affected all the way up
12:55
and down the value chain
12:57
in the US. We're sad
12:59
to have to say farewell
13:01
to our peers, but it's
13:03
a necessary move that we
13:05
need to make in order
13:07
to survive. When you start
13:09
to look at it through
13:11
the lives of people like
13:13
that, who lost their jobs,
13:15
had to go on Social
13:17
Security, or had to migrate
13:19
out of the cities. because
13:21
of the Chinese espionage, it's
13:23
a real factor. These shudderings
13:25
were happening to hundreds of
13:27
companies and towns across America.
13:29
Some, like SolarWorld, tried to
13:31
fight back. Here, Steve Stone,
13:33
he worked with a turbine
13:35
maker that discovered its Chinese
13:37
competitor had copied its hardware
13:39
and software, down to mistakes
13:41
in the original source code.
13:43
There was only a handful
13:45
of companies that really built
13:47
that technology. both the software
13:49
and the hardware. And one
13:51
of those US companies went
13:53
out of business and then
13:55
they sued the Chinese government
13:58
in US court because they
14:00
said they literally stole our
14:02
design and then they just
14:04
sold turbines at a much
14:06
discounted rate and they displaced
14:08
our business. And the court
14:10
case came down to an
14:12
actual source code review and
14:14
it had the US company's
14:16
name in the Chinese source
14:18
code. The US company went
14:20
and bought one of these
14:22
Chinese turbines and then just
14:24
mapped everything out. So they
14:26
were able to say this
14:28
isn't just. a manifestation of
14:30
our source code. It's our
14:32
actual source code. We're going
14:34
to point out spelling errors.
14:36
Our actual company is in
14:38
this. And that company no
14:40
longer exists. It was taken
14:42
to create a viable Chinese
14:44
business, which now is one
14:46
of the top turbine producers.
14:48
This is a very much
14:50
a long game for the
14:52
Chinese side of the house.
14:54
It's worth noting that four
14:56
of the world's top five
14:58
turbine makers are now Chinese
15:00
companies. Meanwhile, Western competitors, like
15:02
Capstone Turbine, filed for bankruptcy
15:04
in 2023, citing decreased demand.
15:06
Factories closing, towns hollowed out,
15:08
and yet so many Chinese
15:10
cyber attacks flew under the
15:12
radar, mainly because victims were
15:14
so reticent to step forward.
15:16
Scared with the disclosures would
15:18
mean for their reputation, for
15:20
their stock price, for class
15:22
action lawsuits, That's why our
15:24
own disclosure of the Chinese
15:26
breach of the New York
15:28
Times was such a game
15:30
changer. We've been reporting on
15:32
the warnings and seeing the
15:34
examples over and over state-sponsored
15:36
computer hacking of American companies
15:38
by China, well tonight. It's
15:40
the news media itself under
15:42
siege, including some very big
15:44
names. The New York Times
15:46
has been hacked. The New
15:48
York Times says hackers have
15:50
been attacking its computer system
15:53
for the past four months,
15:55
even managing to get passwords
15:57
for individual reporters. Just before
15:59
I hit publish on... that
16:01
story. I'd done what any
16:03
serious journalist does. I'd called
16:05
the Chinese consulate, walked them
16:07
through everything I had, and gave
16:09
them the chance to comment or
16:11
refute the story. What I got was
16:13
a full-throated denial. To
16:15
accuse the Chinese military of
16:18
launching cyber attacks without solid
16:20
proof is unprofessional and
16:23
baseless. I included that denial
16:25
word for word in the story.
16:27
China's denial, especially the part
16:29
about no solid proof, didn't sit
16:32
well with Kevin Mandia. For years,
16:34
he tracked the group behind our
16:37
hack, a group Mandient called APT1.
16:39
Officially, the group was a Shanghai-based
16:41
unit of the People's Liberation Army,
16:44
unit 61398. Mandient knew the group
16:46
better than most. It had traced
16:48
their movements to more than 100
16:51
breaches in the US. They had
16:53
their online handles. They had their
16:56
physical address. A hundred and forty-one
16:58
times we did investigations and it
17:00
went back to this bucket of
17:02
evidence or fingerprints to APT1. They're
17:04
unbelievably persistent. Like you get these
17:06
guys out of your network, they're
17:08
just back the next day. There
17:11
was no doubt they were badging
17:13
into a building and this was
17:15
their job. When Mandia read China's
17:17
denial in my story, he decided
17:20
screw it. Let's show them the
17:22
proof. He handed me and my
17:24
time's colleague David Singer a 74-page
17:27
report detailing the group's official military
17:29
designation, their tactics, techniques,
17:31
victimology, its members who
17:33
had names like Ugly Gorilla,
17:36
and critically its whereabouts. We
17:38
sent our Shanghai Bureau Chief
17:40
David Barbosa to investigate, and
17:42
sure enough, next to restaurants,
17:44
massage parlors, and a wine
17:47
importer. He found a 12-story,
17:49
nondescript white building surrounded by
17:51
Chinese soldiers. We were trying to
17:53
figure out, like, okay, this is coming
17:55
from a location in Shanghai, right? They
17:57
had the address, right, but they won.
18:00
me to go buy the building
18:02
and see what this was. About
18:04
a 30-minute cab ride from my
18:07
home to think that, wow, they
18:09
were actually not that far. And
18:11
so I went out there and
18:14
saw this white tower and clearly
18:16
saw that it was manned by
18:18
military personnel at the front. I
18:21
think I saw the big dishes
18:23
on the top of it that
18:25
the windows were... covered or not
18:28
clear. It seemed like a military
18:30
installation, but one with a lot
18:32
of antenna power and other things.
18:35
So we were like, okay, this
18:37
is a high-powered building with military
18:39
personnel and special stuff. I don't
18:42
know if it's really the hack
18:44
is coming from here, but this
18:46
seems to fit every expectation that
18:49
we have from what I've been
18:51
told by you and Mandian. Once
18:56
we were sure we could corroborate
18:58
Mandian's report, we published everything we
19:01
had. I turned on CNN. This
19:03
building is the focus of a
19:05
report from U.S. cyber security firm
19:08
Mandient. They say a hacking collective
19:10
with direct ties to the Chinese
19:12
military has stolen data from 141
19:15
organizations from around the world since
19:17
2006 a CNN crew. Crew tried
19:19
to roll their cameras through that
19:22
neighborhood. And this is what they
19:24
discovered. This is our crew being
19:26
chased by Chinese security officers. Chase
19:29
off to us just yet. I'm
19:33
sorry. You got this. Keep driving.
19:35
Drive away. Drive away. Drive away.
19:37
Drive away. Drive away. Not strong.
19:40
CNN's David McKenzie is like for
19:42
us in Shanghai with more. But
19:44
the bigger picture here, Solidad, really,
19:46
is what is happening here? The
19:49
Mandia group says that this group
19:51
is working in conjunction with the
19:53
Chinese military and the Chinese government.
19:55
Chinese government, not surprisingly, Solidad says...
19:58
is that they have nothing to
20:00
do with this. They call these
20:02
claims, quote, irresponsible. What you're saying
20:04
is that what many people saw
20:07
as a shadowy Chinese group is
20:09
actually part of the People's Liberation
20:11
Army. Well, I would think it
20:13
is, and it's taking direction from
20:16
the PLA. And that's why we've
20:18
released this report, is there's all
20:20
this public disclosure now that it's
20:22
China behind lots of these intrusions.
20:25
Even Kevin Mandia was shocked to
20:27
see its impact. I just went
20:29
into the office by myself and
20:32
right around 730 in the morning,
20:34
my wife at the time called,
20:36
and literally, this is how I
20:38
knew we were on the news.
20:41
I didn't know CNN was filming
20:43
outside the building, Nicole. The exact
20:45
words from my wife at the
20:47
time was, what in the F
20:50
did you do? And I said,
20:52
what are you talking about? She's
20:54
like, turn on the TV, your
20:56
name is on every station. And
20:59
I'd never told her we were
21:01
writing the report. I never really
21:03
thought to, you know, or anyone
21:05
for that matter. We didn't even
21:08
tell all the mandian board about
21:10
it till maybe one day prior,
21:12
hey, we're going live tomorrow with
21:14
a report that pimps China's PLA
21:17
unit 6-1-3-9, to 141 intrusions, primarily
21:19
to US companies. I just didn't
21:21
think it was going to be
21:23
news. It empowered the U.S. government
21:26
to go after the PLA unit.
21:28
Meet John Carlin, who worked at
21:30
the Justice Department under the Obama
21:32
administration. I was the assistant attorney
21:35
general for national security. Prior to
21:37
that, and during his first term,
21:39
I was the chief of staff
21:41
to the director of the FBI,
21:44
and then in between, I was
21:46
the principal deputy assistant attorney general
21:48
for national security. While I was
21:50
busy writing about Chinese cyber attacks,
21:53
it was Carlin's job to figure
21:55
out what to do about it.
21:57
Part of the challenge was that
21:59
until we outed our own hack
22:02
and the PLA unit responsible. Most
22:04
everything the U.S. government had on
22:06
Chinese hackers was classified. I went
22:08
to a facility, an unnamed facility
22:11
out in Virginia, and there was
22:13
a giant jumpotron screen, like a
22:15
movie theater, and I could watch
22:17
in real time as nation-state actors,
22:20
China in particular, hopped into places
22:22
like universities, used the fact that
22:24
they'd penetrated the university to hop
22:27
into places like private corporations, and
22:29
then to steal. economic information often,
22:31
intellectual property, commit economic espionage. It
22:33
was amazing to see that being
22:36
tracked in real time, and it
22:38
felt like an incredible intelligence success,
22:40
but it did not feel like
22:42
actual success to watch that much
22:45
information, things of value to the
22:47
American public, flow from the United
22:49
States to China. But John's team
22:51
can just call out the Chinese
22:54
Communist Party by name. It was
22:56
literally classified. We weren't allowed to
22:58
publicly say as a government official
23:00
for years what everybody knew, which
23:03
was that China was hacking these
23:05
private companies. One year after we
23:07
outed the PLA Unit 61398, John's
23:09
team was clear to prosecute. A
23:12
grand jury in Pennsylvania indicted five
23:14
of the unit's members and named
23:16
their victims. Among them, Solar World.
23:18
U.S. steel, which struggled in recent
23:21
years to compete against low-priced subsidized
23:23
steel from China, Westinghouse Electricco, the
23:25
world's biggest supplier of nuclear reactors,
23:27
Allegheny Technologies, Alcoa, and the United
23:30
Steel Workers Union. Clearly, Unit 6138
23:32
was passed with hitting these private
23:34
sector. targets in a way that
23:36
others may not be. They were
23:38
sloppy in their tradecraft, they were
23:41
noisy, they had great nicknames like
23:43
Ugly Gorilla that could be used,
23:45
so it really was a rich
23:47
trove of evidence, but also the
23:50
fact that private sector groups like
23:52
Kevin Mandia's group, and had the
23:54
information and were making it publicly
23:56
available meant to those who were
23:58
worried about sources, methods, etc. This
24:01
wasn't information that was uniquely the
24:03
province of the government, so we
24:05
really weren't giving anything up by
24:07
being allowed to use it in
24:10
a criminal case. Our reporting from
24:12
the times combined with Mandian's APT1
24:14
report meant Carlin's hands were untied.
24:16
In his mind, the prosecution hadn't
24:19
come a moment too soon. It
24:21
was about more than justice for
24:23
the victimized American companies. This was
24:25
about establishing global norms of acceptable
24:27
behavior. The activity would spike. at
24:30
around nine in the morning Beijing
24:32
time. It would then stay high
24:34
and then apparently they took a
24:36
lunch break because it would decrease
24:39
slightly in the middle of the
24:41
day. Then they get back to
24:43
work, you'd see it spike again,
24:45
decrease overnight, decrease on weekends in
24:48
Chinese holidays. So as the prosecutor
24:50
in me, circumstantial evidence that this
24:52
group is coming from China, but
24:54
also it shows that The second
24:56
largest military in the world was
24:59
putting on their uniform, getting up
25:01
every morning, and then hacking you,
25:03
you know, hacking us, hacking private
25:05
companies, and that that simply couldn't
25:08
be allowed to stand. If you
25:10
let someone walk across your lawn
25:12
long enough in common law, and
25:14
international law is a law of
25:16
common law, they earn the legal
25:19
right to walk across your lawn.
25:21
It's called an easement. And that's
25:23
why people put up. no trespass
25:25
signs. As long as we were
25:28
allowing them to hack this noisily,
25:30
we were creating the international law,
25:32
the new norms, the new rules
25:34
for this cyber age that said
25:37
that this was okay. And so
25:39
we felt very strongly that we
25:41
need to show, no, this is
25:43
a crime like any other type
25:45
of theft, and if we don't
25:48
at least treat it that way
25:50
under our system, even if we
25:52
can't hold these individuals accountable, we're
25:54
never going to create the rules
25:57
for the world that we want
25:59
to. children to live in. When
26:01
I first had started covering Chinese
26:03
cyber attacks I'd always ask the
26:06
experts, well, who did it? What
26:08
they said in those early days
26:10
though surprised me. They'd say, Nicole,
26:12
attribution doesn't matter. I always read
26:14
that as, we don't want to
26:17
piss off China for business reasons.
26:19
That was partly true, but the
26:21
other truth was that we were
26:23
getting hit so hard. and so
26:26
often that the first priority wasn't
26:28
the who but the how to
26:30
make it stop. Somebody jumps out
26:32
of an alleyway and starts hitting
26:34
me in the face to rob
26:37
me. I don't block punches going,
26:39
who are you? I just defend
26:41
myself, you know? But in the
26:43
wake of our revelations at the
26:46
times, Mande and CPT1 report, John
26:48
Carlin's indictments, that began to shift.
26:50
However, I came to understand over
26:52
time. Attribution absolutely matters to hold
26:55
nations accountable. We need to have
26:57
rules of engagement in cyberspace. But
26:59
unit 61398 was just one group.
27:01
Inside the NSA, analysts were tracking
27:03
an entire Chinese hacking apparatus. Here's
27:06
Steve Stone again. I don't think
27:08
people understand just... how big this
27:10
machine is. They tend to think
27:12
about a group or an intrusion.
27:15
The intelligence community was tracking some
27:17
20 discrete Chinese hacking units. Roughly
27:19
half were PLA military or Navy
27:21
units dedicated either to specific industries
27:24
like microchips, semiconductors, satellite technology. or
27:26
specific geographies that were just assigned
27:28
to hack targets in Australia, for
27:30
instance. These were military personnel, clocking
27:32
in for their daily hacking to-do
27:35
list. By the time we showed
27:37
up, it was valid credentials, a
27:39
user ID and pass-rays, login, and
27:41
you could tell their operators who
27:44
used to just sitting out of
27:46
desk for eight hours a day.
27:48
and we're probably getting paid by
27:50
the pound, just take everything you
27:52
can, because I used to call
27:55
it the tank through the cornfield.
27:57
Everything started with what we now
27:59
know as the PLA or even
28:01
the PLA Air Force or PLA
28:04
Navy. So what we've learned was
28:06
these were very consistent groups. They
28:08
were big, they were good at
28:10
what they did, but they were
28:13
predictable, and they didn't evolve much.
28:15
So we really thought we had
28:17
our arms around these groups in
28:19
particular. But then there was the
28:21
other half of the groups the
28:24
NSA was watching. These were looser
28:26
satellite networks of contractors. They worked
28:28
at the behest of China's spy
28:30
agency, the Ministry of State Security,
28:33
but not necessarily in the building.
28:35
These were moonlighters tasked with episodic
28:37
state missions, privately employed engineers who
28:39
got paid by the state to
28:42
hack on the side. And unlike
28:44
the PLAs hackers who could be
28:46
quite sloppy, these soldiers of fortune
28:48
were good. They had legitimate skills.
28:50
They were known for their stealth.
28:53
Here's Paul Moser, who covered China's
28:55
expanding surveillance state for the New
28:57
York Times. Hacking and the burden
28:59
of hacking shifted under Xi Jinping
29:02
from the People's Liberation Army, the
29:04
Chinese military, the Ministry of State
29:06
Security or MSS. And what MSS
29:08
does is it takes a very
29:10
different approach. It basically says that
29:13
anybody who wants to start a
29:15
franchise who's good at this kind
29:17
of stuff can have a try.
29:19
And so what we see is
29:22
a sort of network of different
29:24
hackers for hire emerging across China.
29:26
And many of them have really
29:28
deep technological experience. and they want
29:31
to turn it to these sorts
29:33
of aims. And so effectively it's
29:35
a group of soldiers of fortune,
29:37
you know, hackers for hire, who
29:39
are turning at the government's behalf
29:42
onto the United States and trying
29:44
to break into any and everything
29:46
in any kind of new hack
29:48
they get goes up. the chain
29:51
and they're rewarded. Steve Stone watched
29:53
in real time as China's hacking
29:55
unit started handing off missions to
29:57
the experts. Here's Steve. As you
29:59
mentioned there's this really emerging moment
30:02
where we just recognized things were
30:04
different and at first we thought
30:06
maybe they're just these are other
30:08
military units we hadn't run across
30:11
yet and what we really started
30:13
to get an appreciation for was
30:15
there was really different skill levels,
30:17
and there was groups that were
30:20
really proficient in other things, and
30:22
you could almost begin tracking how
30:24
they would work together. We would
30:26
see APT1 struggle with an intrusion,
30:28
and they just could not figure
30:31
it out, figure it out, and
30:33
they just could not figure it
30:35
out, and then all of a
30:37
sudden APT would show up, blast
30:40
of the doors, get the intrusion
30:42
going, and then leave and hand
30:44
it back off to APT1. And
30:46
so we were really trying to
30:49
understand how all these groups were...
30:51
Those people, the actual people behind
30:53
them, started as young people, they
30:55
knew each other and they formed
30:57
hacking groups, they went to university
31:00
and they studied together and then
31:02
they ended up forming actual companies and
31:04
then they also did this hacking
31:06
on behalf of the Chinese government
31:09
for profit. They were so much
31:11
more capable because they just stayed
31:13
on keyboard and they didn't age
31:15
out, and then teaching, literally teaching,
31:17
like actually teaching in classrooms and
31:20
also these hacking groups, the next
31:22
generation. And we would actually start
31:24
to see the ecosystem and the
31:26
groups evolve. And that's how we
31:29
really got to understand where we're
31:31
at today, which is this ecosystem
31:33
of private contractors and private groups.
31:35
If you were in a military
31:38
unit, you got promoted to a
31:40
point and now you're off and
31:42
now the next person comes in
31:44
and it's a machine. This
31:49
is what U.S. intelligence came to
31:51
understand. There were two pools of
31:53
Chinese hackers, the day-jobbers, military enlisted
31:56
personnel, and the gunslingers. Imagine
31:58
if Stanford's top computer science professors
32:01
and Silicon Valley engineers hacked for
32:03
the NSA on their off hours
32:05
as a side hustle or because
32:08
they had no choice. This allowed
32:10
China to tap its best and
32:12
brightest for its sensitive missions and
32:15
it also gave the CCP plausible
32:17
deniability. Should they get caught the
32:20
CCP could always say it's not
32:22
us. It's these hackers, we can't
32:24
even control ourselves. In the US
32:27
intelligence community, you have to be
32:29
an employee of the government to
32:32
be authorized to do these operations
32:34
to effectively break the law, right?
32:36
Because we have effectively the CFAA,
32:39
the Computer Fraud and Abuse Act, that
32:41
prohibits everyone from hacking, with the
32:44
exceptions of law enforcement and the intelligence community.
32:46
But to use those exceptions, you
32:48
have to be a member. On
32:51
the Chinese side, they would just
32:53
say, hey, we have these requirements
32:55
company X, Y and Z, go get them for
32:58
us. And then what was happening,
33:00
it was really interesting, is that
33:03
a lot of these companies decided
33:05
to start moonlighting. If the
33:07
Chinese Communist Party comes to you
33:10
and tells you to do something,
33:12
even if it's not in your
33:15
business interest to do it, you
33:17
have to do it. Because then
33:19
they have numerous levers of coercion
33:22
that they can use to effectively
33:24
put you out of business. I'd
33:26
later learn from the Snowden leaks
33:29
that China actually ran some of
33:31
its cyber attacks through popular Chinese
33:34
tech companies like 163.com, China's version
33:36
of Yahoo, and SINA, the company
33:38
that runs China's Twitter equivalent, Sina
33:41
Weibo. At one point, GCHQ,
33:43
which is essentially the UK's NSA
33:46
equivalent, discovered that 163.com's mail servers
33:48
were secretly operated by a Chinese
33:50
government domain and that that same
33:53
Chinese government domain served as a
33:55
backup server for Sina Weibo. In
33:58
practical terms, that means that the
34:00
Chinese government had direct access to
34:02
any and all traffic, including private
34:05
messages run through SINA or 163.com.
34:07
This would be like discovering that
34:09
Facebook or Twitter's back-end infrastructure
34:12
was actually run by the
34:14
NSA. When you hear that, you
34:16
start to understand why there
34:18
might be some national security
34:21
concerns about TikTok. Increasingly
34:23
private security firms and US intelligence
34:25
agencies would catch China's best state
34:28
hackers using their golden access to
34:30
line their own wallets. Here's Dmitri
34:34
Alperovitch again. As long as
34:34
we're hacking companies, well why don't
34:36
we do it for our benefit
34:38
too? And we started to see
34:40
actors that would hack into gaming
34:42
companies and steal virtual currency and
34:44
just monetize it. And at the
34:46
same time, they were hacking into
34:48
national security targets of the US government
34:50
or private sector companies to steal
34:52
IP, clearly for the
34:55
strategic interests of the state. And it
34:57
was really interesting how you have on one
34:59
hand an actor that was engaged in
35:01
personal cyber crime, and on the other hand
35:03
is executing mission requirements for the state. If
35:06
you did that in the US, you
35:08
would get arrested. And the thing is these
35:10
guys, on the one hand, they're sort of...
35:12
hacking these big national targets, but they're
35:14
also then doing other things to extract money
35:17
and make money while they're doing it.
35:19
You can make a lot of money if
35:21
you can hack without any kind of consequences
35:23
whatsoever. You have the state's backing, and
35:25
you can also just kind of, you know,
35:27
say hold data for ransom or, you know,
35:30
take certain bank accounts or crypto or whatever.
35:32
And so... these guys become this almost mercenary
35:34
army, the sort of hackers for hire, soldiers of
35:36
fortune. And it's fascinating because it's a complete
35:38
change from the top-down way
35:41
things were before, and it's revolutionized both the
35:43
way China hacks and also the effectiveness, because
35:45
they're just much better. It's
35:47
much better when you have a startup kind
35:49
of mindset towards hacking anywhere, and China
35:51
has certainly a very capable set of people
35:54
to do it. So give them the freedom,
35:56
give them the resources, and lo and behold, seven
35:58
or eight years on you have a really deadly,
36:00
powerful hacking force in China.
36:02
That was Paul Mozur. One thing
36:04
to know about China's hacking pipeline
36:07
is that it's robust, and it
36:09
starts early. The best analogy is
36:11
probably American football. Talent is identified young,
36:13
recruited to the best college programs,
36:15
and eventually drafted to the NFL.
36:17
they actually recruit in very interesting
36:19
ways. They'll have hacking competitions among
36:21
students. Oftentimes they're embedded in the
36:23
university. So a professor of, you
36:25
know, cybersecurity at a university might
36:28
hold hacking competitions and then the
36:30
best student will be recruited into
36:32
these new MSS efforts. It may
36:34
be that people who are, you
36:36
know, really capable programmers at a
36:38
big tech company like a sort
36:40
of large Chinese internet giant might
36:42
be pulled out and told actually,
36:44
you know, hey, you have a
36:47
future at this. How much of
36:49
this is forced labor? I'm
36:51
not sure we totally know. I
36:53
think it's a mix of both.
36:55
I do think they tend to
36:57
look for people who are patriotic
36:59
or at certain universities that are
37:01
linked more closely to the,
37:03
you know, the government and
37:06
its efforts, but for the most
37:08
part, usually I think there has
37:10
to be some level of interest.
37:12
I don't think they're kind of
37:14
holding great tech minds and saying
37:16
you have to do this. Oftentimes
37:18
I think there's an approach and
37:20
people are kind of interested because
37:22
there's a financial reward and there's
37:24
a, you know, again, a power
37:27
reward. Like if you're working at
37:29
that level with the government, you
37:31
get privileges. You know, hacking is
37:33
not a bad thing in China.
37:35
It's companies. Like, why wouldn't you
37:37
do this? You're the silly ones
37:39
for not. You're identified early and
37:41
you perform and you get into
37:43
these tracks. And those tracks matter
37:46
for military service. They matter for
37:48
private business. They matter for hacking.
37:50
They're really smart people that hack
37:52
and then they're really smart people
37:54
that run tech companies or do
37:56
tech projects. They're probably the same
37:58
people because they're on the same
38:00
tracks. And they're being largely influenced
38:02
by the same government apparatus in
38:04
all of these aspects. We don't
38:07
really have parallels for that. Imagine...
38:09
Imagine if you were writing a
38:11
story where you found out that
38:13
the head of this unicorn in
38:15
San Francisco was actually also a
38:17
hacker for the NSA. Like that
38:19
would be front page on every
38:21
paper in the world. That's kind
38:23
of what happens over in China
38:26
with these private groups. As the
38:28
US started naming and shaming China's
38:30
hackers, they went underground. After our
38:32
APT1 revelations, the PLA unit unplugged
38:34
their entire hacking apparatus and fell
38:36
off the map. Other Chinese APTs
38:38
started moving their operations from Chinese
38:40
servers to servers here in the
38:42
US, the welding shops, saddleries, even
38:45
home routers, precisely where the NSA
38:47
couldn't look. But of course, even
38:49
then, the hacking didn't stop. Not
38:51
by a long shot. The target
38:53
list... only expanded. There were loud
38:55
calls for the firing of the
38:57
top administrator at the Office of
38:59
Personnel Management. After it was revealed,
39:01
the hack of government computers is
39:03
five times worse than previously reported.
39:06
We've got breaking news coming in
39:08
right now on the hack of
39:10
the government's Office of Personnel Management
39:12
in the last hour and a
39:14
half, OPM announced that as many
39:16
as 25 million people may be
39:18
affected by the breach. Americans' personal
39:20
data was now in the crosshairs.
39:22
So that old calculus... There was
39:25
always the sense of, look, it's
39:27
a trade. We know they steal
39:29
from us, but we get a
39:31
lot of money out of China,
39:33
so right now the trade works
39:35
in our favor. It no longer
39:37
applied. I raised once again our
39:39
very serious concerns about growing cyber
39:41
threats to American companies and American
39:43
citizens. I indicated that it has
39:46
to stop. That's next, on To
39:48
Catch a Thief. To
39:50
Catch a Thief is produced by Rubrik
39:52
in partnership with Pod People, with special
39:55
thanks to Julia Lee. It was written
39:57
and produced by me, Nicole Perlroth, and
39:59
Rebecca Shaw on. Additional
40:01
thanks to Hannah Peterson,
40:03
Sam the Bower, and Machado.
40:05
Editing and design, Morgan
40:07
Fuse and Carter Wogan.