The Rest Is Classified - 88. China vs Google: When Beijing Took on Silicon Valley (Ep 1)
Episode Date: October 5, 2025

"Like many other well-known organisations, we face cyber attacks of varying degrees on a regular basis." This was the striking public statement from Google's chief legal officer in January 2010. What began as a major security incident - a "highly sophisticated and targeted attack on our corporate infrastructure, originating from China" and resulting in the theft of intellectual property - quickly escalated into a much larger geopolitical crisis. This episode is the origin story of state-sponsored cyber espionage. It's the moment Google was hacked by a foreign state, and for the first time, publicly pointed the finger at who they believed was responsible: China. The attack was a canary in the coal mine for the world of Chinese cyber attacks and espionage we know today. Join Gordon and David as they tell the story of how an act of cyber espionage descended into a debate about the complex equations between money and freedom of speech for Western companies operating in China.

Email: classified@goalhanger.com
Twitter: @triclassified
Social Producer: Emma Jackson
Producer: Becki Hills
Senior Producer: Dom Johnson
Exec Producer: Tony Pastor
Transcript
For exclusive interviews, bonus episodes, ad-free listening, early access to series,
first look at live show tickets, a weekly newsletter, and discounted books,
join the Declassified Club at the Rest is Classified.com.
Like many other well-known organizations, we face cyber attacks of varying degrees on a
regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our
corporate infrastructure originating from China that resulted in the theft of intellectual property
from Google. However, it soon became clear that what at first appeared to be solely a security
incident, albeit a significant one, was something quite different. We have taken the unusual
step of sharing information about these attacks with a broad audience, not just because of the
security and human rights implications of what we have unearthed, but also because this information
goes to the heart of a much bigger global debate about freedom of speech.
Well, welcome to the rest is classified.
I am David McCloskey.
And I'm Gordon Corera.
And that was a statement, not by a spy, Gordon, or an intelligence officer, but by Google's
chief legal officer issued on the 12th of January 2010.
And that statement is about a hack, a cyber attack, conducted by China against Google.
It's come to be known as Aurora. It's a story about cyber espionage that
sort of plays into a bigger battle about the world's biggest country and one of America's
biggest corporations. Yeah, that's right. I mean, the idea of states like China, North Korea,
Russia, hacking companies isn't such a big surprise these days, but in many ways this is the
origin story. This is where it all began, the idea of states versus companies.
It's also the first big cybersecurity story about a hack that I remember making the evening news
because it was a big deal because it escalated into the world of politics.
It was the first time a big company admitted it had been hacked and not just any company
but one everyone's heard of, Google.
And crucially, Google are going to point the finger at who they say was responsible for this hack.
So it's going to be the canary in the coal mine, really,
for the world of Chinese cyber attacks and cyber espionage that we hear so much about today.
Well, and it's also, I mean, because you have a corporation pointing a finger, as it were,
at the state responsible for the attack, it also, I think, is a story that gets pretty political pretty quickly.
I mean, this is a story that will feature characters like Secretary of State Hillary Clinton,
and Politburo members in Beijing and the founders of Google itself in kind of this swirl of politics and cyber attacks and espionage that all jammed together.
It's also really hard for me to remember a time when it wasn't common to have state-sponsored cyber attacks.
And yet this is not actually that long ago.
We're talking about a 15-year span.
It's remarkable how far we've come since this kind of origin story of state-sponsored
cyber espionage. Yeah, I think that's absolutely right. In a way, it's familiar, but also
from a slightly different era. I think it's because it is the dawn of that era. And it's about
cyber espionage against companies, but also, as we'll see, against dissidents. So there is
an element of this, which really is about, if you like, traditional spying. But it also gets into
issues of freedom of speech. How far do companies have values about freedom of speech? How far
are they going to fight for those? What are the kind of
complex equations between money and freedom of speech, which come up. And yeah, it gets to the big
geopolitical questions about technology in China and the West, and who runs, who owns the technology
which we all depend on, all big issues today. Maybe that's a good place to start, Gordon,
which is setting the scene with China and the internet, because those are going to be two massive
threads in this story. By 2010, the surveillance state that we now see in China,
was certainly on its way to being constructed, but was nowhere near sort of what it has become today.
Yeah, I think that's another thing we have to get into our heads. A slightly different China in 2010
and different way people thought about China. It wasn't yet the China of Xi Jinping and the kind
of confrontation of today. And so the relationship between China and the West and China and
the Internet is a bit different. I mean, when it comes to the Internet, first email from China
went over an academic network back in 1987. "Across the Great Wall, we can
reach every corner of the world," it announced. Sounds like something a spy service would send.
But I think it was meant as a kind of, in the days of the internet being an academic thing.
The internet was less evil back in the 80s, right? I mean, it was a more innocent time.
Definitely. But then, so that was 87, the first Chinese email. But two years later, you get Tiananmen Square.
And that is, of course, a moment when there are pro-democracy students in the center of Beijing,
calling for greater freedom in China, and they are going to get crushed, literally crushed by
Chinese People's Liberation Army, PLA, tanks, and killed by troops. And it is the pivotal moment in
China in recent decades because the regime becomes obsessed with threats to internal stability
and that dissenters, critics could be trying to overthrow the regime. And so then you get this
idea, the fear growing in China that the internet is a Western Trojan horse. It's something that's
going to be brought into their country, the internet, and it's going to subvert the country
by promoting free speech, political change, Western ideas. And so they're going to do their
best to stop that happening. And that's probably true, right? That seems like a reasonable fear,
you know, for an authoritarian political system, the internet, open communication that will undermine
your political power. Yeah, and you can actually hear it from Western leaders at the time.
If you go back to the kind of Bill Clinton Al Gore days in the 1990s, they talked about how
the internet, as part of the forces of globalization, was going to bring reform and democratization
to lots of countries. Of course, if you're the communist regime in Beijing, you're like,
I'm not sure, not sure how we feel about that. So they're going to build what becomes called
the Great Firewall of China to deal with this threat
from the internet. Interestingly enough, some Western companies help give them the technology. But it's
basically border control for the internet, rather than someone checking your passport. It's checking
what internet traffic is coming into the country. And it means, if you went into China in this period
and searched for Tiananmen Square, you'd get nothing. If you looked for certain websites, they'd be
blocked. I mean, I remember being in China, I mean, as late as 2013. And suddenly the TV news would just
suddenly stop because it was something that was considered sensitive in China. So they're going to make
these efforts to block what they see as subversive material getting in. And they're very conscious
that America and the West dominates the Internet. I mean, you know, another story that I remember
people in China telling me was that there's this moment in 2004 where they got a fright
about their dependence on Western technology. And that was because Microsoft was trying to
clamp down on pirated versions of the Windows operating system.
And lots of people had pirated copies, sold them illegally, and were using them.
So Microsoft came up with this idea, which was anyone who's operating an unlicensed version,
their screen would kind of go black, and a message would appear saying,
you're running a pirated copy.
The problem in China was that literally everyone, including every government department,
was using a pirated copy of Windows.
And so suddenly there is this moment where all the screens, you know,
in government departments everywhere in China go black with this message:
you're running a pirated copy of Windows. So you can see why, if you're in China, you suddenly
go, hang on a sec, a Western company just effectively showed that they have the ability to
turn us off. You can see why that's pretty scary. This is going to be a story about cyber espionage,
but it's really a story about how the Chinese can sort of use the internet, use the tools of
this digital domain to control their own population. So even as that spread sort of beyond its
borders, thinking about China's relationship with Microsoft or as we'll talk about with Google,
it's really an inward-looking set of interests, isn't it? That is driving a lot of these concerns
and driving a lot of the external behavior is this kind of like, how does this affect us in China?
I think that's absolutely right. If you look at China's intelligence posture and everything
it does, its primary concern is about domestic stability. So, you know, they're going to start to
worry about Western technology. They're going to say to Microsoft, well, if you're going to operate in this
country, then you have to share some of your source code, which Microsoft will do at special
centers. Other countries that want to go into business and sell in China, like Apple,
you know, have to comply with Chinese laws. But of course, Western companies at the same time
are desperate to get into the Chinese market. I mean, it doesn't take a genius to work out why.
Western companies are so interested in getting into the Chinese market. It's big.
It's a giant market. That's right. And most Western companies, I have the sense,
whether they did it quickly or whether they sort of hemmed and hawed, were ultimately willing to concede to the kind of concerns or stipulations that the Chinese government had about what they'd have to do to get access to the market, right?
I mean, most U.S. companies, international companies, were more than willing to do that because they have an obligation to shareholders to earn money and to make profits.
And that's why they exist.
Yeah.
And certain companies are excluded.
So social media companies are never kind of allowed in: your Twitters, your Xs and things like that, effectively.
But Google is a really, really interesting case, and it's at the heart of our story.
So Google founded in a garage famously in 1998 by Larry Page and Sergey Brin.
It's just like our podcast founding story, right, Gordon?
Yeah, found in the garage.
I don't think we've yet become billionaires, though.
Not yet, but we've got the garage bit down.
Yep.
So it's founded as a search engine in the late 90s.
It's been growing. 2004, crucially, again, for this story, they're going to launch Gmail, the kind of mail service.
And these are hard to remember, more optimistic days of the internet, as you said earlier.
Google's mission statement is to organize the world's information and make it universally accessible and useful.
And the company also has a more informal motto, which is, don't be evil, which I thought was the CIA's motto, actually.
But Google maybe got it from there.
That's the unofficial motto of the CIA as well, yeah.
And sometimes we struggle with it, Gordon.
Sometimes we struggle.
It goes back to the Snowden world, doesn't it?
And it's that era of internet idealism, of which Snowden was a kind of extreme proponent.
But it is that idea that the internet is going to provide a free flow of information.
It's going to liberate people, including those under more repressive regimes.
It's going to be a force for good and for freedom.
So Google starts looking at entering the Chinese market around 2005.
And so you get a very complicated debate in the company itself
about how far it should or shouldn't operate in China, because China, as we heard with the Great
Firewall, censors information. And so there are tensions. Now, Sergey Brin, one of the founders,
is an interesting figure here because he had actually been born in the Soviet Union.
His father, who'd been an academic, had tried to emigrate at one point, had been denied
a visa. They'd had the police come to their house. They'd had surveillance on them, the KGB, all those
things. He's grown up with this kind of awareness of what a repressive society looks like.
Eventually, the family emigrate, I think when Sergey Brin is six, and he ends up eventually in
California and starting Google. But it does leave him with that legacy of kind of a different
perception of it. So when you get that debate within the company, I think he is on the more
cautious end about going into China. But others are saying, well, hang on a sec. This is our mission
is to make information accessible, including to people in China, even if you have to make compromises.
And I guess it does seem particularly hard for like a search company as opposed to, I mean,
if you're providing widgets into the Chinese market, or if you're Apple and you want to sell phones.
Like, I guess in theory, it's easier to make some compromises in China to get access to the market
than if literally your company's sort of whole purpose is to provide open information, right?
I mean, social media sites, search companies like Google, it seems like that tension would be far greater.
I think that's right. It is a different China. It's a China before Xi Jinping.
It's a China where you can believe it is opening up. And we're looking at it now in hindsight, where we know it's going to become more repressive.
It was a responsible stakeholder. Wasn't that the term used in sort of the late 90s, early 2000s? That we will sort of ensnare the Chinese in a thicket of commercial relationships and international organizations and political
ties, and eventually the nature of the regime will change a bit.
Oops.
How did that work out?
Anyway, at the time, let's go back to kind of the mid-2000s, there's a compromise.
So Google gets a license to create Google.cn.
So that's the Chinese version.
But it's going to abide by the requirement to censor certain search results.
It says it will do that according to Chinese law, but it will put up a disclosure notice
saying when it's done that, and it's going to host an uncensored U.S. hosted site.
It seems like the Chinese government would not appreciate that very much to have the disclaimer
and then literally the link to go to the other site.
And so this tension.
From 2007, you start to get the censorship requests coming in.
Now, some are the kind of stuff you see everywhere, including, you know, in the UK and elsewhere,
pornography, illegal activities, but there's also kind of requests for political information
to be removed.
Things like Tibet, things like Tiananmen Square, in all about 1% of search results are blocked.
But 2008, though, Olympics in Beijing and things get more tense because the Chinese government is pushing for more censorship because they're worried about protests.
US executives are unhappy about this in Google, but they think maybe it's temporary for the Olympics, but it doesn't end after the games.
There's more and more search terms, more and more content requests, often embarrassing stories about officials are the things that are getting asked to get taken down.
There's a big row in 2009, apparently after one Politburo Standing Committee member in charge of propaganda discovered that if he entered his own name into Google, a raft of critical results turned up.
And he was like, something must be done about this.
He should get used to it.
Anyone these days who Googles themselves, you're just asking for trouble.
You are.
You are.
But this is, again, this is early days.
And this is probably, I would imagine, most Chinese officials were not used to putting their names into open sort of databases and getting back a whole bunch of nasty reviews
of their political activities. I mean, I guess you see kind of a push and pull and maybe more
and more tension building then in the relationship between China and Google. So I guess this
brings us, Gordon, to mid-December of 2009. And it brings us to the Googleplex, as it were,
Google's headquarters in Mountain View, California. It's December 14, 2009. Let's see,
Young McCloskey, Gordon, is feverishly working inside the bowels of Langley somewhere, just for context.
Gordon Corera, what's young Gordon Corera doing in mid-2009?
Very young Gordon Corera.
He's working at the BBC then at that time.
I think probably in West London, but not in an office like the Googleplex.
I'll read this lovely and colorful description of the Googleplex, and you can tell me how similar it was to BBC headquarters.
So the Googleplex was known for its playful and unconventional
design elements, including a T-Rex skeleton named Stan, a giant rubber duck,
and a variety of colorful, quirky decorations.
Employees enjoyed a range of amenities, such as free laundry facilities, two swimming pools,
volleyball courts, and numerous cafeterias offering a variety of food options.
Maybe you only had one swimming pool at the BBC, Gordon.
It was volleyball, then a swim, then some free food in the cafeteria, and then to my desk for a little
bit of light work.
A little bit of light work.
Sitting on like one of those giant like balls.
Yeah, so you got the core workout while you were while you were working.
Yeah. While wearing sandals.
That was the Gordon Corera of 2009.
But that is, I think, a fair reflection of life in the Googleplex.
I'm sure Langley was like that as well.
Yeah.
So December 14, 2009, among the Googlers, because that's what they're called,
is a woman called Heather Adkins, who's part of our story.
So she's managing a security team.
She's been at Google already for seven years since 2002, so it's very early on in the company.
And one of those people who got into cybersecurity, because she's kind of innately curious about how hackers work.
I've met her. As well as being a cyber ninja,
the key thing you need to know about Heather is she's a serious medieval historian who knows a lot about English churches.
And I once tried to kind of ask her about churches in part of England.
And I realized she knew, like, infinitely more than I did from my tiny bit
of undergraduate medieval history, and I was like, oh, okay. But actually, what's interesting
is she will say there is a link between medieval history and cyber security. Okay, I'm excited
to hear it. Which is, and it's a good, I think I buy this, which is, studying medieval
history is about taking fragments of information, because only fragments have survived
the past, and then you have to kind of extrapolate out from those tiny details to build a
picture of what was happening. It's a kind of detective work,
which is similar in a way to cyber security.
So I think there is a link there.
But anyway, 2009, most of the work for the security team
is dealing with criminals, stealing credit cards,
and just kind of nuisance hackers who want to show they can take Google offline.
Four o'clock on this day, December the 14th, 2009,
she comes out of her last meeting, goes back to her desk.
There's lots of people from the security team huddled around a screen talking.
It's a hive of energy.
Hey, what's up, she says. You'll never believe what we found.
And they found something on the Google network.
So inside the systems.
Now, who do they think it is at first?
They say, we've caught the interns doing naughty stuff.
That's the first reaction.
That should be everyone's first reaction.
That's like, that's 99% of the problems.
You were an intern at CIA once?
I mean, like, I'm guessing you didn't do.
Yes, I was.
I mean, just a few years before this, I had been an intern at CIA.
Did you hack the CIA system?
No, no, that was frowned upon.
And, yeah, I was, I was
excited about the prospects of full-time employment, and I felt like, in addition to not having
the capability, is that if I had attempted to hack anything at the agency, I might not have
gotten a job. So I was kind of, I was, I was very well-behaved. That's their first response
is like, it's interns showing what they can do, because I guess that's the hacker culture.
Hackers famously are people who want to just show that they can mess with things and what they
can do. But they pretty quickly realize as they pull at some of the threads, that it's much
more serious. It's not the interns. It's not the interns.
Someone is inside their system doing things they certainly shouldn't be.
I mean, initially, someone from the security team, Tim Dwen, thinks only one machine is compromised,
but it gets worse.
The bad guys have got everywhere.
It's a massive breach of the corporate systems, basically.
The hackers are in.
They're moving fast.
They're changing tactics.
They basically have never seen anything like this in Google.
And they've got no playbook for how to deal with it.
All right.
So then, with the interns off the hook, let's take a break.
And when we come back, we will see how they point the finger at China.
See you after the break.
Hi, David here from The Rest is Classified.
The very exciting announcement for our U.S. listeners.
My new novel, The Persian, is available now.
Now, this book takes readers deep into the heart of the shadow war between Iran and Israel.
The protagonist of this book, Cameron Svahani, is a dentist living out a dreary existence in Stockholm.
And he agrees to spy for Israel's Foreign Intelligence Service, the Mossad.
He proves to be a very skillful asset, helping
Mossad smuggle weapons, run surveillance, conduct kidnappings. But when Cam tries to recruit an Iranian
widow, seeking to avenge the death of her husband, the operation goes terribly wrong and lands
him in prison under the watchful eyes of a sadistic officer whom he knows only as the general.
Now, after enduring three years of torture and captivity, Kamran Svahani sits in an interrogation
room across from the general, preparing to write his final confession. Now, Cam knows it is
way too late to save himself, but he has managed to keep one secret, and if he can hold on to it,
he might at long last find redemption.
The book is available now and can be found wherever books are sold.
Do be sure to stick around at the end of this episode
because I'll be reading an excerpt from the Persian.
Well, welcome back.
The team at Google HQ, the Googleplex in Mountain View, California,
has just realized they have a serious breach on their hands.
They now need to dig into this, Gordon,
and find out who actually is responsible and maybe even most importantly,
just how sort of deep this breach is into their systems.
Yeah, because they're realizing it's bad.
So Heather Adkins, who's running the security team,
hands a list of machines that they think might have been compromised
to other members of the team,
and they have to go physically pull the hard drives from across the Google campus.
And this is in the middle of the night, in the dark, in a rental car,
and they're running around with flashlights, grabbing machines, which they can then take away
to do forensics. At first, they try to unscrew the hard drives, and then they realize
that's going to take too long. So they just pull out the whole machine and just put it in the
trunk of the car and drive off. I mean, it sounds more like a heist than a security investigation.
I guess that's what you're going to do. One thing we didn't actually talk about, how did they
actually spot this? I mean, what were they seeing that led the security team to believe
that there had been a serious breach? Well, they are a bit cagey about that because I've spoken
to a lot of the teams. And I think one of the things I think it's fair to say is that they had
very good monitoring on their own systems to look for anomalous behavior and to see something
unusual. And that's more normal nowadays. But I think in those days, that was fairly unusual.
And Google, being a tech firm, had the ability to just spot something.
But we don't know the exact trigger for it.
But they are going to be able to do the forensics to find out where it came from.
And that's partly going to come from this investigation.
They're kind of moving very quickly on.
So they're taking the hard drives.
They're leaving post-its saying, security was here.
We've taken your machine.
Please call this number.
Which, again, sounds like something you do if you were stealing them.
And if some poor Googler called it, said, why's my machine been taken?
They're not going to be told why.
they're just told security has taken your machine.
And then the security team create a war room, which is first just one room,
but then it's going to go to two rooms, three rooms,
then a whole building for the investigation.
And they're going to actually have to build their own network,
their own separate network in that building,
stringing cables between the rooms,
like being a startup all over again, one of them describes it,
in order to be able to communicate without using the system,
which they know the hackers are in and which has been compromised.
And what's interesting as well is that the founders of Google are going to get involved and take a close interest.
Sergey Brin, as we mentioned, one of the founders, worried about surveillance, gets a desk to sit with those working on the investigation.
So they're building up a picture of what's happened to find the single point of entry used to get into the network, to get the foothold.
And eventually they find it and they see the attackers had looked for someone in Google's China team who had good access to the systems,
but crucially was using the Microsoft Internet Explorer web browser.
I don't know if you remember that one.
It might be before your time.
No, I do remember that one.
I do remember that one, which I guess seems strange,
given that I think Google had Chrome by this time, right?
So they're using Chrome mainly internally now.
Chrome's about to be rolled out to the outside world.
But internally, they're already using Chrome,
and everyone is supposed to be using it.
So whoever the attacker was had to find someone
who was using Internet Explorer,
and then they have to work out who that person knew in the company and who they communicated with,
they then hijack the personal account of a colleague of their target
and then use that personal account to send an instant chat message to the target,
the one who's using Internet Explorer.
And the crucial thing, I guess, is that it's not an out-of-the-blue email or instant message,
like a scam one, but it's someone who you're regularly chatting with.
So you're exploiting that trust.
And, of course, what's in the message is a link.
I feel like about 95% of personal cybersecurity advice boils down to don't click on links, essentially.
But the Chinese essentially, though, have found a vulnerability in Microsoft Explorer, I guess,
in Internet Explorer, right?
Yeah, what's called a zero day, and in the jargon, zero day means it's zero days since it's been discovered.
So normally if something gets discovered, you then say how many days since it's been discovered
and then therefore patched.
Patched means the vulnerability is dealt with, is closed up.
So if you update your system, it won't be exploited.
And a zero day means the zero days since it's been found.
It's a kind of weird bit of jargon.
But it basically means it's an undiscovered weakness in your system that the attackers can go in.
And then they're going to use that to infect that computer.
They can install a Trojan, which is malware which kind of secretly can take control of your computer.
And you can then operate the computer remotely,
and it's stealthy so that the attackers'
traffic back to their command and control systems
look like ordinary web traffic
and then they're going to use that foothold
from that one computer to kind of explore
the Google corporate network
and to kind of move around it
and be able to do what they want to do.
And I guess it's immediately clear then
to the security team at Google
that this is pretty high-level
kind of cyber tradecraft,
I guess you could say,
because I would imagine at this point in time
that most of the attacks
they're dealing with are from individuals or groups who are kind of using known, I guess,
exploits or weapons.
And in this case, they're being attacked with something they didn't even know existed,
which would suggest it's very sophisticated, and frankly, probably that you would need
money to buy it or to invest to discover it, right?
So this is a pretty well-organized group.
Yeah, because zero days aren't cheap, so either you're going to buy it and they are not cheap,
or you've got a team of developers who are kind of able to look for them.
So, yeah, immediately you know that it's big.
The war room's going to grow.
So within about six weeks, it's going to grow to about 250 to 300 people involved.
Google are calling in all their own internal experts.
Some are on holiday in New Zealand, and they're kind of told to come back home to help with it.
They try to hire some outside experts,
and they bring in experts from cyber security companies.
Particularly there's someone from McAfee,
which is a kind of well-known company, called Dmitri Alperovitch, who is then a youngish cyber expert,
but goes on to be one of the leading figures in cyber security. And I was talking to him just a
couple of days ago, just remembering this hack, because it's a pivotal moment in cyber security
and actually in his kind of history. And he remembers analysing some of the malicious code
inside the systems. And he sees a word in the malicious code. And that word is Aurora.
And Aurora also happens to be the name of the battleship
which helped start the Russian Revolution in 1917, the shot heard around the world.
So he decides, Dmitri decides, this is going to be the name for this attack,
and that's going to stick.
So it's going to become known as Aurora.
And Google are kind of reaching out to all the experts it can, who are experts on cyber espionage, trying to do it quietly.
Sergey Brin calls one of the leading experts, a guy called Ron Deibert, who runs Citizen Lab in Canada.
It's a group which helps protect activists from being spied on by states.
He's got a good book out called Chasing Shadows, where he remembers being called by Sergey Brin himself,
you know, one of the Google founders and told to keep it confidential, being told Google's been hacked,
can you help? And it's kind of interesting. Ron in his book kind of reflects, well, his job is to protect
activists, not companies. And yes, it looks like, as we'll come to, maybe activists were the target.
But whose job is it to protect Google? Because Google, at one point, you're also going to go to the FBI
and going to be put in touch with the NSA. But it becomes an interesting question
at this time, which is, is it the government's job? Is it Google's job? And I think that, especially
when you're being hacked by a very sophisticated adversary, which might be a nation state,
this is going to be a kind of recurring question over this period, which is whose job is it
to defend against foreign states if you're a big tech company?
Part of the structural problem, though, is that in the cyberspace, you can't be perfect, right?
You cannot be perfect on your defense. And when you have a really well-capitalized, organized
adversary, if they really want to find a way in, like, they're probably going to.
It's a hard question because, you know, I would say it's sort of Google's responsibility
to defend themselves, but then after you've been sort of attacked or breached, then it
becomes the responsibility of, you know, the NSA or the FBI to help determine who's
responsible and to see if anything can be done about it. But it's messy, right? It seems like
an area where the law and the bureaucracy hasn't caught up with the realities of the
technology. Even now. Yeah, even now, let alone in 2010. I mean, previously, the only people
who've really been hacked in this way by foreign states would have been defense companies
who work very closely with the government and the intelligence agencies anyway. So,
they're going to kind of be communicating and talking about it. But this is suddenly different
when you've got a kind of consumer-facing company, effectively Google, getting hacked by a state.
I think that's one of the reasons why this is kind of such a big moment. So the investigation is
drawing all of these people in, but it's also got to be really secret. And of course,
the reason is the adversaries, the hackers, are in the system. And so, you know, it's so
interesting, isn't it? They are living inside Google's network. So if you send messages around
Google's network saying, these machines are infected or here's what we're going to do about it,
they can see it. It's like a mole hunt. Yeah, knowing you're penetrated by your adversary.
And therefore, you know, like we've seen in some of the other episodes, we've done like that
kind of Gordievsky story, you have to create a team.
which is cordoned off from the rest of the organisation
who can do it without communicating more widely
in case the moles, in this case they're online,
can see what you're doing.
So it's kind of a super secret investigation.
But crucially, they can see,
because they're now up on the attackers,
they can see what the hackers, the adversaries,
are doing inside Google systems.
And they can see what they're looking for.
I mean, they can see them using Google's internal
search engine and what they're typing in it, what they're Googling within Google. And that's going
to make clear it's certainly espionage. And in this case, it's, I guess, to go back to the original
kind of geopolitical point we raised on China, which is their intense interest in sort of internal
security, I mean, they're going after particular Gmail accounts and trying to obtain long-term
access to them through sort of the underlying source code that govern the system and access to it
and all of that. Yeah, that's what's so interesting about it is it's definitely not criminal they can see from
this point, nor is it the type of hacking we sometimes associate with China where it's simply
intellectual property theft where they're trying to steal the corporate secrets like the negotiating
position or how you build your widgets so that you can copy it in China. This is much more targeted
and it is, yeah, it's about Gmail accounts, but also I think this is so interesting. They are looking for
the source code that Google uses to run its systems so that they can get long-term access to
Gmails of their targets. So some of the reports, and Google never comments on all the
details, was that they were targeting the password system that controls access to devices known
as Gaia. You can see why that would be valuable. They're looking for the signing certificates.
That's what verifies software as legitimate and as having been provided by Google, when it gets
downloaded on someone's machine. If you can steal signing certificates or fake them, then you can
download onto people's machines in the long-term. This is all the kind of stuff, which gives you
long-term stealthy access to systems and your targets. Now, Google think they got them early enough
before they could establish that long-term access, but they could also see when they start looking
at it, they can see that the hackers have used other means, so rather than not getting through Google's
internal systems, but to get to some of their targets who have Gmail
accounts, traditional phishing emails, malware on their computers. They can see that they found
other ways of hijacking the targets of their computers. And they got into kind of dozens of
US-China and Europe-based Gmail users. And basically, the common thread with all of these
is that they are advocates of human rights in China. According to the FT at the time, two accounts
used by the dissident artist Ai Weiwei are being attacked. The contents read and copied. Another
person was a student at Stanford. And I spoke to that student years after the attack, and they were a
Tibetan activist at Stanford who'd been organizing protests in the US related to the 2008 Olympics in Beijing,
and they and their fellow activists have been getting these emails from each other, which they
know they hadn't sent. And obviously, this is all part of that campaign to go for people who China
sees as a threat to their stability at home, partly because they're advocating from abroad for
human rights. Does Google know at this point what entity in China might be responsible? And I guess
maybe said a little bit differently, are they backing into the fact that it's the Chinese
based on the targets at this point? Or is there something else that's suggesting that this is
coming from China? Because I guess in theory could be anybody, but once you take a look at who
they're looking at, you can kind of assume. Yeah. Yeah. I mean, there's going to be some other
technical indicators which point to China, I think particularly to two colleges in China, which are
relevant. And it is interesting, isn't it? Because it's a cyber espionage campaign, but it's not
targeting CIA officers or government officials or your classic espionage targets, but dissidents.
And I mean, I think that just goes back to the kind of Chinese mindset. And some of their first
ever cyber attacks, first cyber attack to breach the UK foreign office. I think it's 2002 or so
is linked to Tibetan activists. And they're kind of going through the foreign office and going
through links to do with a Tibetan conference.
So you can see right from the start, that is the prime focus, particularly in this period,
of a lot of espionage, which is coming out of China.
And that is so clear from the targets of this Google attack.
But there are some signs that they're looking a little bit more broadly, too,
because they're interested in, oh, you know, for example, like the legal discovery
portals where Google gets requests for surveillance data from kind of law enforcement and government,
Right. So whatever group is doing this, the taskings that they're getting the direction they're getting is a little bit beyond just the activists as well, right? There's a broader interest in sort of mining what Google has, which makes sense. As long as they've got access to the systems, why not take what they can?
I mean, that one about the legal discovery stuff is, I think, really interesting because this is the portal where inside Google, if the FBI or the FISA court, which authorizes kind of warrants for surveillance of spies and terrorists and others, if the court says, effectively, we want to wiretap someone and we want access to their Gmail, then that gets sent to Google and then Google have to provide access. And they can see, these are the reports which come out afterwards, which Google have never themselves kind of commented
on, but that certain names have been queried by the hackers to see whether they are in that
portal.
In other words, whether there are surveillance requests on them.
Now, those wouldn't be dissidents.
No, it would be like Chinese intelligence officers under commercial cover or assets of
Chinese intelligence in the U.S. who might be under suspicion.
So that seems like a spot where maybe multiple Chinese services had peeked into this and
sort of tasked the team that actually had access to pull different sorts of things
based on what they wanted. Because that seems like something the Ministry of State Security,
which is the more externally focused Chinese intelligence agency, would have great interest in.
If they knew that a cyber unit in the PLA in the military had this kind of access to Google.
Yeah. If you've got some agents in the US, you can suddenly see whether they are under surveillance
by the FBI, because you can see where the FBI is asked for a warrant on them.
So it's a kind of smart counterintelligence game.
And actually, one of the things that they discover during this investigation is it's not just Google that's been hacked, but other companies as well.
It looks like Microsoft was hacked as well, also looking for this kind of information.
But also lots of other companies, Adobe gets hacked.
And it looks like, again, there they're looking for source code, which might have allowed them if they got that to then find vulnerabilities in Adobe software, which is downloaded by lots of people again, kind of a way of getting long-term access to machines.
So in all that, I mean, at least 20 companies have been hacked.
It's discovered as part of Aurora.
And it looks like Google are like at the tail end of this hacking operation.
And it's just they're the ones who kind of spotted it and discovered it.
And there's all these other companies, which as they pull the thread, they suddenly go, oh, they've been hacked too.
Some of the defense companies, software companies, hardware companies, seems to be a lot in that world.
But they've all been hacked.
And they realize this is a big operation, which has been going on for years, led,
it looks like, by China.
And I guess the question then is, what in the world is Google going to do about this,
now that they've got this team, hundreds of them, sitting in this sort of outbuilding
on their own network, watching the Chinese state muck around in Google systems,
what in the world do you do about it?
And maybe there, Gordon, it's a good spot to end.
And when we come back, we will answer that question and see exactly how Google takes it to the Chinese state.
One more thing, though, David, as a special bonus for members of the declassified club,
we have a Googler who's going to come on, not just any Googler,
but the president of global affairs for Alphabet, which is Google's renamed parent company.
Kent Walker, who was part of Google at this time of Aurora and looks after their kind of external affairs for the company.
And he's going to be on to talk about Aurora hackers, foreign states, China, all those exciting things.
So that's one for members of the club.
You can join at therestisclassified.com.
See you next time.
We'll see you next time.
Hey, this is David from The Rest is Classified again.
Here's that short excerpt from my upcoming novel, The Persian,
which is available now wherever books are sold.
And even though I'm the one reading right now,
the audiobook is wonderfully narrated by Fajer Al-Kaisi.
I hope you enjoy.
Where am I, General?
Kamran Esfahani loads his questions with the tone of slavish
deference, because, though the man resembles a kindly Persian grandfather, he is in the
main, a psychopath. The general is looking hard at Cam. He plucks a sugar cube from the bowl on the
table, tucks it between his teeth and sips his tea. Cam typically would not ask such questions,
but during the three years spent in his care, hustled constantly between makeshift prisons,
he has never once sat across from the general, clothed properly with a steaming cup of tea at his
fingertips, a spoon on the table, and a window at his back. Something flashes through the general's eyes,
and it tells Cam that he will deeply regret asking the question again.
It has been over a year since the general last beat him or strung him up in what his captors
called the chicken kebab, but the memories are fresh each morning.
Cam can still see the glint of the pipe brought down on his leg.
He can still remember how the pain bent time into an arc that stretched into eternity
and how that glimpse into the void filled him with a despair so powerful that it surely has no name,
at least not in Persian, Swedish, or English, the three languages he speaks.
And he's got more than the memories, of course.
He's got blurry vision in his left eye and a permanent hitch in his stride.
What is the spoon doing here?
Spoon? 2,721 consecutive meals have been served, without utensils, on rubber discs, so Cam cannot
help but blink suspiciously at the spoon. A mirage? An eyeball scooper? A test? Perhaps the general
plans to skin the fingers that pick it up. The general calms his fears with a nod, a genuine one,
which Cam knows looks quite different from the version he uses for trickery, for lulling him into
thinking there will be no physical harm. Cam puts a lump of sugar into his tea and slowly picks up
the spoon. He stirs, savoring the cold metal on his fingertips. He sets it down on the table and
waits, listening to the soft metallic wobble as the bowl of the spoon comes to rest. You will write it
down again, the general says. He is rubbing the gray bristle on his neck, and Cam follows his eye
contact as it settles on the portraits of the two Ayatollahs looking down from the wall above.
When Cam was a child, the sight of the Ayatollahs frightened him; it still does. He looks away.
You will write it again, and you will leave nothing out. It will be comprehensive and final.
Final? Cam considers another question.
The general's silent gaze screams,
Do not.
The first drafts, right after his capture three years ago,
were utter shit, like all first drafts.
To call them stories would be like calling the raw ingredients spread across your counter a meal.
No, they were just a bunch of facts.
Information wrung from his tortured lips and committed to bloodstained sheets of A4 paper.
But Cam knows he's being too hard on himself.
As a dentist, his writing had been limited to office memorandums and patient notes.
As a spy, his cables adopted similarly clinical tones.
Just the facts, Glitzman, his handler, the man who'd recruited him to work for Mossad, liked to say,
leave the story to someone else.
Mossad had preferred he write in English, not Swedish.
The general, of course, demands that he write in Persian, and it is in Persian that Cam has found his voice.
Now the cell becomes Cam's scriptorium.
In his dragging, tedious Persian script, he writes the Quranic inscription, in the name of God,
Honesty will save you.
across the top of the cover page.
Cam knows that the general appreciates
this self-talk reminder right up front.
Beneath it, Cam titles this is the first part
of his sworn confession, and then
signs his name. Someone will fill in the date
later, because though he does not know the date
today, he also knows not to ask.
The general's men will fill in the location
for their own files. He writes the number
one in the top left corner. But which
story should he tell? The general said it was
to be his masterpiece. Perhaps the best
of each, he thinks. He would also like to write
something the general will let him finish.
He would like to reach the end.
Across hundreds of drafts, no matter the type of story,
Cam has only managed to write one version of the end.
It is the part he fears the most.
Someday, he has told himself,
someday he will write a new beginning to the bleakness of the end.
Will he find it here on this last attempt?
A prisoner can dream, he thinks.
As always, Cam completes a final ritual before he starts this draft.
He imagines writing down his last remaining secret in crayon
on one of these A4 sheets right in front of him.
One secret.
Three years in captivity, Cam has held on to only one.
Then he pictures a wooden cigar box.
He slides the paper with the secret inside.
In the early days of his captivity, he locked the real secret written on imaginary paper in the imaginary cigar box into an imaginary safe.
But the general's man broke into every physical safe in his apartment, and Cam thought he should also improve his mental defenses.
He now pictures the cigar box with his secret incinerated on a monstrous pyre, the lights and heat so fierce that every dark corner of his brain burns bright as day.
This way, Cam's not lying when the general asks him if he's been truthful.
If the story is complete, he's written it all down, has he not?
The prisoner cannot be held responsible for how management handles the papers.
Cam presses the crayon to the paper and begins.