John Carlin
Appearances
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
I was the assistant attorney general for national security. Prior to that and during his first term, I was the chief of staff to the director of the FBI. And then in between, I was the principal deputy assistant attorney general for national security.
I went to a facility, an unnamed facility out in Virginia, and there was a giant Jumbotron screen, like a movie theater, and I could watch in real time as nation state actors, China in particular, hopped into places like universities, used the fact that they penetrated the university to hop into places like private corporations, and then to steal economic information or intellectual property, commit economic espionage. And it was amazing to see that being tracked in real time.
And it felt like an incredible intelligence success, but it did not feel like actual success to watch that much information, things of value to the American public flow from the United States to China.
It was literally classified. We weren't allowed to publicly say as a government official for years what everybody knew, which was that China was hacking these private companies.
Clearly Unit 61398 was tasked with hitting these private sector targets in a way that others may not be. They were sloppy in their tradecraft. They were noisy. They had great nicknames like Ugly Gorilla that could be used. So it really was a rich trove of evidence.
But also the fact that private sector groups like Kevin Mandia's group, Mandiant, had the information and were making it publicly available meant, to those who were worried about sources, methods, etc., this wasn't information that was uniquely the province of the government, so we really weren't giving anything up by being allowed to use it in a criminal case.
The activity would spike at around nine in the morning Beijing time. It would then stay high. And then apparently they took a lunch break, because it would decrease slightly in the middle of the day. Then they'd get back to work. You'd see it spike again, decrease overnight, decrease on weekends and Chinese holidays.
So, as the prosecutor in me, circumstantial evidence that this group is coming from China, but also it shows that the second largest military in the world was putting on their uniform, getting up every morning and then hacking you, you know, hacking us, hacking private companies. And that simply couldn't be allowed to stand.
If you let someone walk across your lawn long enough in common law, and international law is a law of common law, they earn the legal right to walk across your lawn. It's called an easement. And that's why people put up no trespass signs.
As long as we were allowing them to hack this noisily, we were creating the international law, the new norms, the new rules for this cyber age that said that this was OK. And so we felt very strongly that we need to show, no, this is a crime like any other type of theft. And if we don't at least treat it that way, under our system, even if we can't hold these individuals accountable, we're never going to create the rules for the world that we want our children to live in.
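The working-hours pattern Carlin describes above (a spike around nine in the morning Beijing time, a lunch dip, quiet nights and weekends) is a standard attribution heuristic: shift every event timestamp into a candidate operator time zone and see how well a Monday-to-Friday, nine-to-six schedule explains the data. The following Python is an added illustration of that heuristic, not code from the podcast, from Carlin, or from any government tooling. The event timestamps are constructed inline (not real telemetry), the candidate zones are modelled as fixed UTC offsets (an assumption that ignores daylight-saving time), and the 09:00 to 18:00 working window and function names are this example's own choices.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # assumed local working hours, [start, end)

# Candidate operator time zones as fixed UTC offsets. Assumption: no DST handling,
# which is adequate for a coarse first pass (use zoneinfo for real investigations).
CANDIDATE_OFFSETS = {
    "UTC+8 (Beijing)": 8,
    "UTC+3 (Moscow)": 3,
    "UTC-5 (US East, winter)": -5,
}


def tz(offset_hours):
    """Fixed-offset tzinfo for a candidate operator zone."""
    return timezone(timedelta(hours=offset_hours))


def is_working_time(local_dt):
    """True if a local datetime falls on Mon-Fri within the working window."""
    return local_dt.weekday() < 5 and WORK_START <= local_dt.hour < WORK_END


def constructed_sample():
    """Constructed UTC event times (not real telemetry): five weekdays of
    beacons clustered in 09:00-18:00 Beijing time with a lunch dip (no 13:00
    events), plus one late-night event and one Saturday event as noise."""
    monday = datetime(2024, 3, 4, 0, 0, tzinfo=tz(8))   # 2024-03-04 is a Monday
    beijing_hours = [9, 9, 10, 10, 11, 11, 12, 14, 14, 15, 15, 16, 16, 17]
    events = [
        (monday + timedelta(days=d, hours=h)).astimezone(timezone.utc)
        for d in range(5)
        for h in beijing_hours
    ]
    events.append((monday + timedelta(days=2, hours=23)).astimezone(timezone.utc))  # Wed night
    events.append((monday + timedelta(days=5, hours=10)).astimezone(timezone.utc))  # Saturday
    return events


def hourly_histogram(events_utc, offset_hours):
    """Event count per local hour (index 0..23) after shifting into the candidate zone.
    The lunch dip and the overnight gap show up directly in this profile."""
    counts = Counter(e.astimezone(tz(offset_hours)).hour for e in events_utc)
    return [counts.get(h, 0) for h in range(24)]


def workday_fraction(events_utc, offset_hours):
    """Fraction of events that land in working time in the candidate zone.
    Close to 1.0 means a nine-to-six weekday schedule in that zone explains the data."""
    if not events_utc:
        return 0.0
    hits = sum(is_working_time(e.astimezone(tz(offset_hours))) for e in events_utc)
    return hits / len(events_utc)


def rank_timezones(events_utc, candidates=CANDIDATE_OFFSETS):
    """Score every candidate zone; best-fitting zone first as (score, name)."""
    scored = [(workday_fraction(events_utc, off), name) for name, off in candidates.items()]
    return sorted(scored, reverse=True)


def off_hours_events(events_utc, offset_hours):
    """Events that do not fit the working pattern in the chosen zone (nights, weekends).
    These are the ones worth a second look: a different crew, or automation."""
    return [e for e in events_utc if not is_working_time(e.astimezone(tz(offset_hours)))]


if __name__ == "__main__":
    sample = constructed_sample()
    for score, name in rank_timezones(sample):
        print(f"{name:24s} working-hours fit = {score:.2f}")
    profile = hourly_histogram(sample, 8)
    print("Beijing-time hourly profile:",
          " ".join(f"{h:02d}h:{n}" for h, n in enumerate(profile) if n))
    print("off-hours events in Beijing time:",
          [e.isoformat() for e in off_hours_events(sample, 8)])
```

On the constructed sample the UTC+8 candidate scores far above the others, and the hourly profile shows the empty 13:00 bucket that corresponds to the lunch break Carlin mentions. As he says, this is circumstantial: an adversary can deliberately shift its working hours, so treat the result as one signal to be weighed alongside infrastructure, tooling and tradecraft evidence rather than as attribution on its own.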
Ep 6: The Gunslingers
One, it was sort of a direct path to the crown jewels for a lot of organizations. So if they use this, right, they don't necessarily have to make their way through the network and do a lot of other activity, because they can go straight in to where you are, you know, storing a lot of your intellectual property and intelligence-related information, right? Or this stuff, it was sort of like a beeline to the heart of the problem. But the other thing that was interesting is that there was a patch issued, and what we saw was a sudden global spray of the zero day across many, many targets, as many targets as they could get their hands on.
And they were essentially leaving a backdoor, like a foothold in these systems so that they could revisit when they had enough time. And that was one of the most reckless and globally significant attacks I've ever seen because you essentially left a door open on millions of systems.
The other interesting thing about that zero day is, from a criminal perspective, it had tremendous criminal viability, because you can leverage access to the Exchange servers to deploy ransomware. You can just steal a bunch of valuable stuff and extort people for that. Right? So again, you've got a beeline to highly valuable information that you can monetize.
And so this was a sudden crisis, not just from the original users, but any potential follow-on users. And we had to essentially make sure that people were moving really quickly on patching and raise that alarm. I've never even seen the alarm raised like that in any other situation I can think of.
They are now far more focused on their operational security, laying low, making it much harder for us to attribute them.
Ep 5: A Cyber Detente
My daughter's first real piece of mail addressed to her, she was actually a baby, but was old enough to see it and be excited her name was on the envelope, was saying that her identity had been stolen in that hack along with the rest of our family. That, I think, was of such a scope and scale at that time.
along, and came shortly on the heels of the PLA indictment, where we were talking about it publicly and where they were noisily denying that they ever did such things. I think that helped as well to bring China to the table, but also to convince our own folks in government that something had to be done. And at that moment Obama said, I've had it.
I was surprised that we reached the norm, and I was even more surprised when we actually saw a decrease in hacks that looked like they were occurring in that space.
We could go to people in the private sector and say, to your point, what was so evidently clear, which is that when you're up against the second largest military in the world, it's not a fault of the New York Times, however big, 10-person IT team, that they can't keep them out of a system. That's a fight that traditionally has been nation to nation. We don't leave every company up against major nation state rivals. It was such a unique space that we were allowing that to happen in cyber.
Ep 8: Living Off The Land
We lose half the IOCs to this battle, right? We lose all the network-related IOCs, particularly in relation to Volt Typhoon activity. They're living off the land.
They're coming out of SOHO routers. So your home office, your small office router, they are literally going out. A lot of them have vulnerabilities.
They go out, they capture these routers, and they build them into a botnet.
What they're doing is instead of traversing through systems that they have to buy and set up, they're traversing through these stolen, compromised systems. And that means instead of coming from China, they can look like they're coming right from down the street.
Same idea, just imagine that scaled up. So instead of just coming through that one or a handful of those compromised systems, imagine just going out and getting hundreds of them.
There's just a ton of operations where they're setting this stuff up and different teams are sharing it. It makes it really hard to tell what's what and figure out what you're looking at. But it's the same exact idea. This compromised system is a great way to sort of hide your tracks. And unfortunately, this sort of router-focused game is a really good way to do that.
They can pick a router that's right next to you and looks completely natural for your network. And the great thing about it also is that tomorrow they can burn it and go to a new one. And so from my perspective, someone who tries to track this stuff, it makes it really hard.