Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.
This is my fourth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends.  My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the U.S. National Security Agency (NSA) on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine.
This post summarizes China’s cyberwarfare and, in particular, its attack on Google. The Chinese government’s cyberwarfare initiatives use both army personnel and contracts with non-government hackers at Chinese universities and technology companies. This contracting with private hackers is similar to President Putin’s strategy in Russia, where cyberattacks had been outsourced to cybercriminals for years to give the government some marginally credible deniability of responsibility. As in Russia, many of the private hackers in China are likely to have been conscripted, rather than hired in the private market.
For years, the Chinese have been hacking into defense companies where they focus on stealing aerospace, missile, space, and satellite technologies, as well as nuclear propulsion and weapon information. They have also been hacking into a broad range of U.S. businesses and stealing intellectual property. A former Director of the NSA, Keith Alexander, called Chinese cyber theft the “greatest transfer of wealth in history.” 
In December 2009, now ancient history in the annals of cyber hacking, Google’s digital security team noticed an electronic intruder in their computer network. It was moving from computer to computer in what they called the fastest cyberattack they had ever seen. It had managed to breach what was one of the toughest digital security systems in existence at the time and was conducting a very sophisticated search across Google’s extensive computer network. As is often the case, the intruder’s access had been initiated by unsuspecting Google employees who had clicked on a link in a hacker’s phishing message. The link went to a website in Taiwan that put the hacker’s computer program, i.e., malware, onto the employee’s computer via a vulnerability in Microsoft’s Internet Explorer browser. The malware allowed the hacker to access the employee’s computer and Google’s network.
The attack was very sophisticated – the work of highly skilled, well-resourced hackers, not a small-time, individual cybercriminal. This was made clear by the hackers’ encrypting of their attacking computer program and obfuscating of their tracks, along with the expertise needed to use the Internet Explorer vulnerability.
Over a couple of weeks, Google assembled a team of 250 inside and outside security experts to counter the attack, and then determine who had attacked and what they were trying to accomplish. Team members worked 24/7 and December holiday vacations were canceled.
Eventually, the team’s work identified the attacker as a group contracted with by the Chinese government. It was being monitored by the NSA, which had code-named it “Legion Yankee.” It was one of the most active of the more than two dozen Chinese hacking groups that the NSA monitored. These groups had attacked U.S. government agencies, technology companies, think tanks, and universities in attempts to steal intellectual property, military secrets, and correspondence.
As Google and outside security experts dug into the attack, they traced it back to Legion Yankee’s computer server and discovered that dozens of other U.S. companies had been attacked as well, including Adobe, Intel, Northrop Grumman, Dow Chemical, and Morgan Stanley. As Google tried to warn these other companies, they found it was hard to reach someone who would take their warning seriously and understand its implications. Many of the companies refused to acknowledge that their computer systems had been breached – not wanting the bad publicity.
Google and its outside experts also eventually figured out what the attacker was after: Google’s source code. This is the computer programming that runs the Google application – it’s what displays its screens when you access Google, it’s what runs the search engine and displays the results, it’s what determines what ads to show you and what to do when you click on an ad or search result, etc. Microsoft’s Windows computer operating system, which runs many of our computers, is probably the best-known example of source code, along with Apple’s Operating System (OS) or the Android software that runs your phone.
This kind of attack wasn’t about short-term gain, e.g., theft of money or information, this was a long-term strategy that could bear fruit immediately but also for years to come. The hackers would insert code into or change the programming of Goggle’s source code to allow them access to the information that was flowing through Google, to Gmail accounts, and also to the computers and networks that were using Google.
Ultimately, Google determined that Chinese government wanted to change Google’s source code so it would have long-term access to any Gmail account and that its interest was in accessing the Gmail accounts of Chinese dissidents, including pro-democracy activists in Hong Kong, Tibetan and Uighur Muslim dissidents, pro-independence Taiwanese, the Dalai Lama, and others. In other words, China’s goal for its most sophisticated cyberattack capabilities was to be able to monitor, threaten, and thereby control its own people.
U.S. State Department officials would eventually connect Legion Yankee and the Google attack to the Chinese government’s top security official, Zhou Yongkang, and to Li Changchun, a member of China’s top ruling body (the Politburo Standing Committee) and China’s top propaganda official. Li had reportedly googled himself and was not happy with what he found and, therefore, ordered the attack on Google.
My next post will summarize Google’s response to the Chinese attack: it made a big splash by publicizing China’s attack and pulling out of the Chinese market completely in 2010 – only to re-enter the Chinese market in 2016. Subsequent posts will outline the Perlroth book’s reporting on:
- The cyberattacks on U.S. elections and the Trump administration’s response, and
- What can be done to counter cybercrime and warfare at the individual and governmental levels.
 Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.
 Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021. page xix