TITAN RAIN: How Chinese Cybercriminals Infiltrated The United States Cyberspace

00:14

Cyberespionage: A form of cyberattack that  involves spying and theft of sensitive data or  

00:20

information. The kind of information that's kept  from being publicized is it can pose a serious  

00:25

threat to the victim. In this case, nations are  often victims of other nations -planning to steal  

00:31

information in the hopes of gaining intelligence  that can be used against their targets.  

00:38

Before cyber attacks were a method of extracting  information, spies used to physically go on  

00:42

dangerous missions into enemy territory,  and were usually taken advantage of during  

00:47

large-scale wars. An Infamous case of espionage  is the Rosenberg Case that took place during the  

00:53

Cold War, when Julius and Ethel Rosenberg  - American citizens, were caught spying on  

00:58

behalf of the Soviet Union. The existence of the  internet and utilizing it as a method of entry  

01:04

into the digital space of other countries has  since replaced such attempts at infiltration,  

01:08

and generally this is considered safer than  sending in spies physically - who, if caught,  

01:14

may be interrogated and extracted information  out of. "Plausible Deniability" and thereby  

01:19

avoiding retaliation is by far one of the greatest  advantages of using such a method - provided, it's  

01:24

not carried out in a sloppy manner. But, here's  the thing - cyberespionage generally isn't sloppy,  

01:31

because these are carefully selected, trained  cyber criminals - financially backed by their  

01:36

governments, and know exactly how to fly under the  radar. Large nations, such as the United States,  

01:42

Russia, China and North Korea are commonly accused  and targeted in cases of cyberespionage. Mainly,  

01:49

because these nations consider each other  major threats in warfare and/or cyberwarfare.  

01:55

Between the years 2003-2006, the United  States government faced such an attack.  

02:01

One that "ranked amongst the most  pervasive cyberespionage threats that  

02:05

U.S computer networks had ever faced". The US  government codenamed this attack "Titan Rain".

02:22

"Internet vigilantism" is the name given to those  that enact justice on wrongdoers through the use  

02:27

of the internet - generally, without express  permission from the law. Kind of like Batman,  

02:32

but in the cyberspace instead. One such  internet vigilante in the early 2000s was  

02:37

"Shawn Carpenter", somewhat of the protagonist  in the story. a navy veteran who - at the time  

02:43

was a network security analyst at "Sandia National  Laboratories". A nuclear security administration  

02:49

R&D lab based in the U.S. His story began when  in 2003 "Lockheed Martin" - which was the parent  

02:55

company of Sandia Labs at the time, and a major  defense contractor of the U.S military - started  

03:01

to realize that they may have suffered a breach as  hundreds of their computers started to shut down  

03:05

by themselves. Sandia Labs then dispatched Shawn,  as well as a few colleagues of his to figure out  

03:10

what was happening. And so, they set off on a  flight out of Albuquerque, New Mexico - to a  

03:15

branch of Lockheed Martin in Orlando, Florida.  Before long, they discovered Rootkits planted  

03:20

in their computer systems. : "Rootkits" for  those unaware are softwares that are generally  

03:24

designed for malicious purposes, and allow  attackers to remotely control the target system,  

03:29

allowing them to spy and steal data. and to make  matters worse, these Rootkits actively attempt to  

03:35

hide themselves from detection, not just from  the user but even from antivirus softwares.  

03:40

The Rootkits hidden in the Lockheed Martin  systems evidently had amassed sensitive data.  

03:45

and as Shawn and his team had come to gather -  was ready to be sent out to a server in China.  

03:51

Nevertheless, this wasn't investigated at the  moment. Shawn and his team were congratulated on  

03:56

a job well done and flown back to New Mexico.  Back to Sandia Labs, at which point Shawn  

04:01

requested to "hack back" the Intruders, and find  out more about what they wanted. A request which,  

04:07

to Shawn's dismay, would be rejected by  his superiors. Citing a violation of the  

04:12

Computer Fraud and Abuse Act, and unwilling  to draw further attention from the attackers.  

04:16

Later on, in an interview with "Computerworld",  Sean stated that one of his supervisors would  

04:20

hear his case and say: "we don't care about any  of this, we only care about Sandia computers".  

04:26

Shawn was understandably crushed by this decision,  but that didn't discourage him from probing  

04:31

further. He began an independent investigation  into the intrusion at the comfort of his home,  

04:36

putting on his proverbial mask and investigating  the attackers. He did this by placing what's  

04:41

called a "Honeypot". Honeypots are essentially  bait, generally used defensively by organizations  

04:47

to study cyber criminals by luring them to  intentionally vulnerable systems. Shawn would  

04:53

create a honeypot filled with bogus sensitive data  and fabricated search histories to attract these  

04:58

Chinese cyber spies, and it worked. A little  after he had set up the Honeypot, the targets,  

05:03

those that match Shawn's profile of the attackers  took the bait. It was 10 long months of tracing  

05:09

the attackers, these were masters of their  craft and clearly wanted to avoid any risk  

05:14

of being traced back - using encryptions, and  VPNs and multiple hop points, but eventually,  

05:19

Sean traced them back to a server in "South  Korea". Brute forcing his way into the server,  

05:23

he discovered that it was loaded with sensitive,  stolen documents including blueprints from the  

05:28

"F-22 Raptor" and the "Mars Reconnaissance  Orbiter", both major projects belonging to a  

05:33

familiar name: "Lockheed Martin". Additionally,  when further investigated, they had files that  

05:37

belonged to the U.S Army. Aviation Mission  planning systems, and flight planning software.  

05:42

However, Sean would come to find that this South  Korean server was also nothing but a hop point,  

05:47

and the final destination of the network,  where it all led to, was in" Guangdong China.  

05:52

Shawn silently left a bug on the router, which  would ping his anonymous email account. He'd get  

05:57

a message each time a connection was made, and  in just two weeks, he had over 20,000 messages.

06:14

Now that he had finally found the  perpetrators, Shawn had a new problem,  

06:19

he was never authorized to do this. And he knew  that he was involved in doing something illegal,  

06:25

so where would he submit this information? The  files that he uncovered in the servers of the  

06:30

cybercriminals were clearly dangerous in the wrong  hands, but who could he inform them of without the  

06:36

risk of ending up in prison and losing his job? or  any future jobs in the field for that matter? but  

06:42

if he didn't inform anyone, there was the chance  of putting his nation at a great deal of risk.  

06:48

He eventually braved his fears and reached out  to some of his contacts in the army, who would  

06:52

then pass it on to the FBI , where an agent  named "David Raymond" would take the case.  

06:58

According to "The New Yorker", Raymond was  astounded by the findings and wasn't particularly  

07:03

troubled by how he had obtained them. This was  good news, and by October of 2004, Sean had begun  

07:09

working with the FBI as a confidential informant  to look further into the case. But only a few  

07:14

weeks later, he was told to stop digging till they  got more authorization, while in the next four  

07:19

months he provided an analysis of his previous  findings to the FBI. According to Raymond,  

07:24

Shawn's research reached the highest levels  of FBI counter-intelligence and was told that  

07:29

there were eight open cases throughout the United  States that his information was being provided to.  

07:34

During this time, Shawn was given assurances  that they were going to take care of him,  

07:38

and that he wouldn't be prosecuted. Even  going as far as to say that they had a  

07:43

letter from the Justice Department promising  not to charge Shawn with hacking. However,  

07:47

Shawn and his wife, Jennifer Jacobs, who was  working at Sandia Labs at the time as well,  

07:51

was understandably skeptical and worried  about the verbal agreement. And so,  

07:56

Shawn began to bug his house, recording  his interactions with the FBI. Turns out,  

08:01

his doubts were warranted. As in March of 2005,  the FBI would seize all communications with Shawn,  

08:07

and report their secret meetings to the Head of  Counter Intelligence at Sandia Labs: Bruce held,  

08:13

a retired CIA officer. Here's a disturbing excerpt  from the interview between Shawn and Computerworld  

08:18

that describes what happened next. "During my  last meeting with Sandia management, a semicircle  

08:23

of management was positioned in chairs around me,  and Bruce Held. Mr.Held arrived about five minutes  

08:28

late to the meeting and positioned his chair's  inches directly in front of mine. At one point,  

08:33

Mr Held yelled: 'you're lucky you have such  understanding management and if you worked for me,  

08:38

I would decapitate you, there would at  least be blood all over the office'.  

08:42

During the entire meeting, the other managers  just sat there and watched. At the conclusion  

08:47

of the meeting, Mr.Held said: 'your wife works  here doesn't she? I might need to talk to her'."  

08:53

Shawn was stripped of his Q security clearance and  fired from his job. Later, Shawn would even come to  

08:59

find that while he was helping the FBI investigate  the attackers, the FBI was investigating him

09:13

Shawn Carpenter would go on to sue Sandia  National Laboratories for defamation and wrongful  

09:18

termination, a lawsuit which he would go on to win  - with $4.3 million awarded to him, as well as an  

09:25

additional amount of almost $400,000 for costs  incurred. This was more than twice the amount  

09:31

that Shawn and his lawyer had asked for, andthe  jury seemed to unequivocally side with Shawn in  

09:36

this case, stating that he was a patriot and did  what he did to protect the national interest.  

09:41

Regardless of his courtroom victory,  Shawn knew that this was the end of  

09:45

his journey with "Titan Rain". Despite not  being entirely fulfilled with the result.  

09:51

I'm not sleeping well, I know the "Titan Rain"  group is out there working, now more than ever.  

09:57

He knew that the attack originated from China,  and maybe he knew more, but this was all that was  

10:02

revealed at the time. Later on, in August of 2005,  the U.S government attributed the 2004 attacks to  

10:08

the People's Liberation Army, Unit 61398. An armed  wing of the Chinese Communist Party. China's State  

10:16

Council information office would however tell time  that the accusations were "totally groundless,  

10:21

irresponsible, and unworthy of refute." It was  also revealed that no classified information was  

10:28

stolen in this espionage attempt, but that the  unclassified information can prove to be harmful  

10:33

by revealing the strengths and weaknesses of  the United States. This turned out to be a  

10:38

turning point for the level of sophistication that  Chinese cybercriminals were capable of showing.  

10:43

At the time, China wasn't a major consideration  or competitor when it came to cyber warfare  

10:49

and "Titan Rain" turned out to be the first  publicly Chinese state-sponsored cyberespionage  

10:53

event against the United States. Unit  61398, also classified under "APT-1",  

10:59

was called the Chinese equivalent of the American  NSA. According to a report by the "Mandiant",  

11:05

they had evidence that attributed hundreds of  terabytes worth of information stolen since 2006,  

11:10

from at least 141 organizations, of  which a 115 were from the United States.  

11:17

Now, I want to be very clear when I say that  : just because the "Titan Rain" incident was  

11:21

attributed to the PLA, there's really nothing that  we the public can use to confirm this attribution.  

11:27

In terms of whether it really did come from China,  or the US government simply made a mistake. As  

11:32

I said earlier, one of the greatest benefits  of cyberespionage is "plausible deniability",  

11:37

and no retaliation from the US government  was ever specifically tied to this incident.  

11:42

But, I would love to know what you guys think  in the comments below, as well as any ideas  

11:46

for the next story you'd like for me to cover.  Thanks for watching "The TWS Channel", Cheers.