Return to Winter: Russia, China, and the New Cold War Against America

The Chinese often perpetrate these thefts by using malware. They bombard U.S. companies and government agencies with these devices in an attempt to obtain industrial, military, or private-sector trade secrets. The attacks don’t have to be large-scale to be effective. “My greatest fear is that, rather than having a cyber–Pearl Harbor event, we will instead have this death of a thousand cuts,” Clarke says. “Where we lose our competitiveness by having all of our research and development stolen by the Chinese.”[65]

In 2009, as Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company—a $2.4 billion acquisition of Huiyuan Juice Group—Comment Crew broke into Coke’s servers looking for information on the company’s negotiating plans, sending company files back to Shanghai weekly.[66] Chinese regulators ended up barring the deal on antitrust grounds; what role the extensive hacking played in this decision is unknown. A few years later, Comment Crew penetrated RSA Security’s systems, forcing the security company—manufacturer of the well-known SecurID tokens—to replace the tokens for its clients and augment its security products with new layers of protection.[67]

“The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage,” says Eric Schmidt, Google’s CEO. “The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play.”[68] Schmidt also calls China the world’s “most sophisticated and prolific hacker.”

Schmidt knows this subject well; his company was famously hacked by China in 2010. Those attacks were part of a broader corporate-espionage attack that targeted at least 34 other companies—including Yahoo, Symantec, and Adobe in the technology sector, and, in the industrial and defense sectors, Northrop Grumman and Dow Chemical. The attacks seemed to be focused on sectors in which China was lagging competitively or on firms that supplied critical materials or know-how to the U.S. defense industry.[69]

The 2010 cyber attacks set off a series of events that led Google to temporarily end its agreement with the Chinese government to censor certain search results, and the company physically moved its servers out of the country.[70] China also attacked Google accounts as a proxy for getting U.S. government information in 2011, when it hacked into hundreds of Gmail accounts, including those of some senior U.S. government officials. Google confirmed that the attacks originated from China.[71]

The Chinese have also used cyber warfare to target human-rights activists. The 2010 Google attacks included breaches of Gmail accounts belonging to two activists.[72] The Chinese have gone after political critics, including, in the U.S., Frank Wolf, a Republican House member and vocal lawmaker on Chinese human-rights issues. Wolf reported in 2006 that his office computers had been compromised and that similar attacks had compromised the systems of several other representatives and the office of the House Foreign Affairs Committee.[73] Wolf suspected the Chinese.

RUSSIA: STATE ATTACKS AND CYBER CRIME

A small country that had only recently won independence from Russian domination, Estonia had reason to be proud and optimistic in 2007. Not only had it secured its long-sought autonomy, but it also had one of the most wired economies in the world, in proportion to its size. In fact, some had started calling the place E-stonia. But that was before citizens got together and decided to remove the Bronze Soldier.

The military monument, a Soviet-era relic that commemorated the battle against the Nazis, served as a symbol of pride for the Russians. Estonians, however, saw it mainly as a boast of bygone Soviet glory, and they wanted it gone. After some interethnic disagreements, the government took it away.

The next day, sleeping viruses infecting thousands of computers came alive and began to ping messages to Estonian websites—signaling “denial of service” attacks, shutting down servers for hours at a time. Meanwhile, in Russia, the government accused Estonians of dishonoring the memory of Soviets who had fought against the Nazis, and Russia called for a boycott of Estonian goods. Angry Muscovites staged rowdy street protests and even went after the Estonian ambassador. The attacks continued for weeks and so flooded Estonia’s digital traffic system that the country’s crucial servers—which ran banks, telephone systems, road-traffic networks, and the like—began to overload and freeze up. Russia also suspended rail service.[74] Estonia had effectively ground to a halt—the first country to fall victim to a virtual war—and the Estonians had to call in NATO experts for help.[75]

“If you have a missile attack against, let’s say, an airport, it is an act of war,” said Madis Mikko, a spokesman for the Estonian Defense Ministry. “If the same result is caused by computers, then how else do you describe that kind of attack?”[76] The digital traffic was traced back through various layers of proxy-infected computers to originating programs in Russia. The Russians denied wrongdoing and refused requests to pursue an investigation of what had happened.

A year later, Russia invaded Georgia under the pretext of protecting the separatist zone of South Ossetia from attack by Georgian troops. As Russian tanks rolled in, a massive cyber attack on Georgia’s Internet communications also got under way. Hackers effectively took over Georgia’s strategic entry-exit routes of digital communication to other countries and used them to control government websites so that the president’s own Web page became a Russian “zombie.” Georgia’s banking sector—its ATM, credit card, and money-transfer systems—shut down, as did its cellphone networks. Georgians could not get emails out of the country and could not log on to any foreign news sites, such as CNN or the BBC, to get information on what was happening. American experts saw clear evidence of the work of a St. Petersburg–based criminal gang known as the Russian Business Network, or R.B.N. Some of the attacks on Georgian systems were launched from computers the R.B.N. was known to control.[77] R.B.N.’s coordination with the Russian government has never been determined.

Whatever the Georgian authorities tried, including blocking incoming data from Russian servers, their antagonists proved to be a step ahead. Servers and routers from other countries unwittingly aided the attack, having fallen prey to pre-planted viruses. So complete, coordinated, and adaptable was the campaign that it could only have been a thoroughly thought-out war plan. But again, Moscow officials denied state involvement.

Meanwhile, a full-scale kinetic war unfolded on two fronts across Georgia’s borders, with Russian Sukhoi fighter-bombers buzzing the skies over the presidential residence in the capital, Tbilisi, while bombing targeted areas along the Abkhazian and South Ossetian breakaway zones and overrunning sizable slices of Georgian territory. Overcommitted in Iraq and Afghanistan, the U.S. could do little more than send Secretary of State Condoleezza Rice to Tbilisi as a gesture of solidarity.

Cyber war is only partly about getting intelligence. It can also be a weapon of war, pure and simple—as Russia showed. Through this theatrical display of cyber muscle in Estonia and Georgia, Moscow demonstrated that its war-making ability no longer remained mired in the post-Soviet doldrums. Moscow sent a message to the world that the Russians had full mastery of new-millennium, high-tech, next-generation capability. If just a fraction of their cyber prowess could overwhelm their “near abroad” neighbors, they were also sending a warning to the U.S. directly. The Russians understood the rules of this new virtual battlefield, in which computers from all around the world could be commandeered to attack any chosen country. They understood, and they wanted the U.S. to know that they could conduct such operations with impunity.

The Internet, after all, by design grew as an open-ended structure. Only those countries consciously intending to control the flow of information, such as China, have tried deliberately to structure their alternate versions of the Web so as to create built-in choke points and control mechanisms. The U.S. and the West as a whole have no such defensive forethought woven into the architecture of their Internet. Ironically, the least wired of countries, such as North Korea, thus derive a huge cyber-war advantage from the openness of the West.

Along with the message Russia was sending about its cyber capabilities, one might also detect a subtler cultural one: See, they seemed to be saying to the Americans, you wanted this big, wide-open technology that would mirror your big, wide-open society and culture, but in the end, it leaves you defenseless. Your ideals may appear noble in the abstract, but they cannot weather hard reality and they merely lure your friends to disaster. Moscow showed how it could use the West’s “open” cyberspace system to subvert democracy and reassert autocratic control.

The skeptical reader might at this point protest that America’s capacity to defend itself must be vastly superior to that of the small countries that Moscow bullied. The avenues of communication in and out of and across the continental United States via satellites, undersea cables, fiber-optic systems, and routers must add up to many multiples of the comparable digital avenues in Estonia or Georgia. How much of the complex networks that crisscross the U.S. can be targeted in one concerted attack? If nuclear first strikes cannot hope to take out enough of America’s infrastructure to prevent a devastating counterstrike, how could the cyber equivalent do so?

Such a question doesn’t come to grips with the real-world scale of Internet connectivity and the rapidity with which computers communicate. The meticulous planning over weeks, months, and years that it takes to put viruses into geographical swaths of computers—viruses that can go undetected for long periods—suggests that an operation of this kind can succeed on a massive scale. We dismiss Moscow’s successes in 2007 and 2008 at our peril.

Yet attacks on small countries in the Russian “near abroad” are not the end of the story. Though definitive proof is lacking, compelling evidence links Moscow with powerful cyber-espionage rings that have sprung up in recent years to sabotage business communications, steal financial data, and gain access to government and diplomatic information. The Target attack during the 2013 holiday season is currently the most notorious example, but there have been others, affecting both the private sector and government.

Or consider the long-running operation known as Red October, one of the most formidable online espionage operations ever mounted. Red October stole government and diplomatic secrets, as well as science research, from many countries from 2007 to 2012. Targets were mainly countries in Eastern Europe, Central Asia, and former USSR republics—but also countries in Western Europe and North America, including the U.S.[78] The operation became known when researchers discovered malware implanted not only on PCs and servers but also on mobile devices.[79] The puzzling thing, however, was that the network was discovered by a Russian IT-security firm, Kaspersky Labs. Kaspersky found Russian-language words in the software code and concluded that the attackers themselves were Russian, though they used some Chinese-made software.

Kaspersky researchers played victim to the attacks, in order to understand the operation better. They learned a lot, primarily that all of the attacks were launched through spear-phishing emails. When a recipient clicked on them, the malware, which Kaspersky Lab dubbed Sputnik, would be attached onto his computer. The hackers had created more than 1,000 modules and tools that could be downloaded through the “Sputnik” system.[80]

The key question about Red October is: Who was behind it? That question remains unanswered, and to be fair to Moscow, it might be someone else. Analysts have suggested multiple possibilities, some arguing that the attacks came from somewhere in the EU; others believe that they are the work of a private cyber-criminal network. But other signs—especially Russian language in the code—point to Moscow as the culprit.

“To be able to function and get the information that they’ve supposedly got, you have to be able to operate in an environment immune from imminent prosecution,” said Laura Galante of Mandiant. “For something that goes after this type of information, that’s a five-year-long operation, it’s really suspicious that a completely private group of entrepreneurial hackers would have the funding to do that and have the same kind of attention to go on that long.”[81]

Also daunting is Project Blitzkrieg, an audacious cyber-bank heist. Project Blitzkrieg came to public attention in late 2012, when the Internet security firm McAfee Labs warned about massive malware installations lying dormant in the computer systems of 30 of America’s biggest banks and financial-services firms—including Fidelity, Wachovia, Citibank, ETrade, PayPal, Charles Schwab, Wells Fargo, and Capital One. Project Blitzkrieg was uncovered when another security firm, RSA, was monitoring a Russian chat room run by a hacker known as vorVzakone (“thief in law”). He was trying to recruit hackers to break into online bank accounts as part of a broader criminal scheme. During the chat, vorVzakone posted screenshots of his malware along with descriptions of his plan to recruit “botmasters” to wield “botnets”—a collection of Internet-connected programs—to attack the banks and authenticate wire transfers of millions of dollars.

“The goal—together, en-masse and simultaneously process large amount of the given material before antifraud measures are increased,” vorVzakone wrote during the chat. The elaborate chat-room setup was first seen as a Russian sting operation to catch the hackers, but it later became clear that Project Blitzkrieg was a real criminal operation.[82]
