This means that Germany will become party to an unequal fight, in which the attacked countries face a problem they didn't have on the battlefields of the past: they are under attack, but they don't know who the attackers are. They are dealing with phantoms that hide behind acronyms or pseudonyms, lay false trails and disguise their origin. Most states won't admit that they are taking part in the cyber war, let alone what troops or arsenal they have at their disposal. Exposing the enemy takes months, sometimes years, if it happens at all.
Governments therefore recruit their own cyber warriors and hire highly specialised companies to neutralise dangerous malware, ideally before it can do any damage. These companies have special units of high-tech forensic analysts who find and secure traces where supposedly there were none. Their investigators roam the digital underworld under false identities in search of incriminating evidence. They analyse hard drives and dissect viruses and other malware; they need to find out who sent which cyber weapons, and from where.
There are hundreds of such companies worldwide. But when things get serious, Laura Galante's company is the first choice. FireEye has become a power in its own right; some even call it a kind of Blackwater of the Internet. The company has 3,200 employees, among them former spies, high-ranking intelligence officers and US government employees, and an annual turnover of almost 600 million euros.
The company's reputation is partly down to the secret mission Laura Galante received from her boss in January 2013. Together with her special cyber unit she managed something that had rarely been done before.
Threat map in FireEye's headquarters
Source: Jason Andrew/JA
Nine data analysts and cyber agents, together with several undercover investigators, uncovered something that until then only very experienced security experts could even imagine: a well-organised, state-run secret army of hundreds, if not thousands, of cyber soldiers, which had spent years spying on and fighting a global power with astonishing precision. At the time they were working for a company called Mandiant, which was later taken over by FireEye.
This case says a lot about the state of our world and about how cyber war works. It shows the immense effort states put into harming their enemies. Usually no one ever hears about these battles; cyber warriors don't talk, not least to protect themselves. But Laura Galante is prepared to tell the whole story.
It was the summer of 2012 when Kevin Mandia, her boss, came up with a plan. He had run his company for eight years. His computer specialists, some of them in their 30s, had grown up with a Commodore 64 or an Atari and had worked on thousands of cases. They had been called in when big companies were attacked, in Europe and Asia, but mainly in the US. They analysed malware, read code and found the attackers' servers and IP addresses. Slowly but surely they came to understand the character of the hackers and were able to reconstruct when and how they had infiltrated other people's computers. And finally they wrote a report on each case.
Mandia knew that this meant they had amassed a treasure trove of data and information. What he was missing was the link connecting all these cases: a bigger picture that would show him what was really happening on the dark side of the web.
He decided to hire a number of specialists from government, people who knew how to make sense of a seemingly inextricable tangle of code, commands and IP addresses and to extract something that would help them better understand the plans and motives of the attackers. One of his new elite recruits was Laura Galante.
The code of evil
She moved into an office just about big enough for a desk, a small round coffee table for meetings and a bookshelf. On her laptop she sorted and filtered data, looking for similarities, and drew dozens of graphs on her flip chart to keep track. Some of her colleagues wouldn't even bother going home any more; they would simply fall asleep on the office floor whenever they needed a rest.
Hackers were extremely disciplined
After a few days and many meetings, based on clues in the forensic reports and on tracks they found on the Internet, they finally had a pretty good idea who they were after.
After examining hundreds of cases they came across a group of hackers more insatiable and bold than any they had dealt with before. Over the previous few years this group had infiltrated around 150 companies and organisations. At first they went after companies like Coca-Cola or the "New York Times". But after a while they also started targeting governments and the companies that run power supplies, gas pipelines and waterworks, all things essential for running a country. One of those companies operates more than 60% of the oil and gas pipelines in the US; others were high-tech, defence and aerospace companies.
The hackers were extremely disciplined. After breaking into a network they simply settled in for months, sometimes years, without being noticed. Whenever they wanted something specific they seemed to know exactly where to find it. That way they were able to steal pretty much everything that is supposed to stay secret: business plans, calculations, contracts, technical blueprints and design documents for new products, even for high-tech weapons. And of course the emails and contacts of managers and employees.
It was clear to Galante and her colleagues that they were dealing with several hundred terabytes of data. Printed out, it would come to more than a billion A4 sheets, a pile far higher than the Himalayas.
Galante and her colleagues were certain that only a state spying on another state would work in such a methodical way. It had to be a wealthy state, too: it takes a lot of money to assemble a troop able to carry out such a mission over years.
Galante knew that there weren't many candidates.
There is a rumour that has been going round the government district of Washington DC, half an hour's drive from her office. The US government is said to be very concerned. It no longer fears the nuclear command centres in Moscow, as it did in the Cold War. It now fears servers in China or Russia being used by an army of specialists with the knowledge of their governments, or perhaps even on their orders.
The US government no longer fears the nuclear command centres in Moscow, as it did in the Cold War. It now fears servers in China or Russia.
Source: Google Earth
There has also been a dossier circulating for weeks, written jointly by all 16 US intelligence agencies, which Galante has read. It says that some Chinese hacker groups operate as contractors of the Chinese military, and that others are actually led by military officers. Among them is said to be a unit numbered 61398, supposedly the 2nd Bureau of the 3rd Department of the People's Liberation Army General Staff Department.
As far as Galante knew, this unit had not appeared in any official document. But the forensic analysts doing the preliminary work for Galante's team had found something interesting.
How they keep direct and reliable control
The hackers used practically the same digital weapons in all their attacks; even the way they executed the attacks was identical. And the traces they left behind led to Asia.
When hackers want to take over someone else's network they have to make a number of decisions, for example how to get in and how to send commands to the compromised computers. They can embed the address of their command server directly in the code of their malware, which gives them direct and reliable control but also hands investigators a fixed address to follow. Or they can route their commands through a web of intermediate machines, so-called botnets, in which many computers relay commands onward. That leaves considerably fewer data traces for cyber warriors such as Galante and her colleagues to follow and makes the operators much harder to track.
In this case the hackers chose the second option, but they still left traces. Their code, and the times at which they stole something or updated their programs, contained clues that Galante and her colleagues could pursue.
The malware's code was written in fluent English. But the spear-phishing emails the attackers used to gain access to other people's computers contained grammatical mistakes suggesting they had not been written by a native speaker. The fact that the attackers worked Monday to Friday during office hours pointed the same way: their working hours, almost like punching a clock, fell within China's time zone.
Galante had to think about this. These were very interesting leads, but not real evidence. After all, she knew how easy it is to hide on the Internet and to lay false trails. They needed more.
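As an added illustration of the working-hours clue described above (example code written for this page, not Mandiant's tooling or anything from the original article): the script below takes a set of attacker activity timestamps in UTC, converts them into several candidate time zones and measures what share of the activity falls in a Monday-to-Friday office-hours window in each. The timestamps are constructed to mimic the pattern the text describes, and the zone offsets are fixed summer-2012 values, both assumptions made for the example. As the text itself warns, a tidy office-hours cluster is a lead, not proof: timestamps can be forged, logging clocks can be wrong, and an operator can work shifts or route activity through relays in other zones.

```python
"""Working-hours analysis of attacker activity timestamps (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets valid for July 2012 (Berlin and New
# York on summer time, Moscow on its 2011-2014 permanent UTC+4). This is an
# assumption for the example; production code should use zoneinfo so that
# daylight-saving changes are handled correctly.
CANDIDATE_ZONES = {
    "UTC+8 (China)": 8,
    "UTC+4 (Moscow, 2012)": 4,
    "UTC+2 (Berlin, summer)": 2,
    "UTC-4 (New York, summer)": -4,
}


def constructed_sample() -> list[datetime]:
    """Constructed activity timestamps (not real data): two working weeks in
    July 2012 with check-ins every 90 minutes from 01:00 to 08:30 UTC on
    weekdays, plus three stray events so the best score is not a perfect 1.0."""
    events = []
    monday = datetime(2012, 7, 2, tzinfo=timezone.utc)  # 2 July 2012 is a Monday
    for day in range(14):
        d = monday + timedelta(days=day)
        if d.weekday() >= 5:  # skip Saturday and Sunday
            continue
        for minute in range(60, 600, 90):  # 01:00, 02:30, ..., 08:30 UTC
            events.append(d + timedelta(minutes=minute))
    events += [
        datetime(2012, 7, 7, 3, 0, tzinfo=timezone.utc),    # a Saturday
        datetime(2012, 7, 10, 16, 0, tzinfo=timezone.utc),  # midnight in China
        datetime(2012, 7, 11, 0, 0, tzinfo=timezone.utc),   # 08:00 in China, before office hours
    ]
    return events


def business_hours_hits(events_utc, offset_hours, start=9, end=18):
    """Return (hits, total): how many events fall on Monday to Friday between
    the start hour (inclusive) and end hour (exclusive), local to the zone."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in events_utc:
        local = t.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits, len(events_utc)


def local_hour_histogram(events_utc, offset_hours) -> Counter:
    """Distribution of activity over local hours; a tight daytime cluster is
    the 'punching the clock' signal the text describes."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in events_utc)


def rank_zones(events_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by the share of activity in office hours, best first."""
    scores = []
    for name, offset in zones.items():
        hits, total = business_hours_hits(events_utc, offset)
        scores.append((name, hits / total))
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    sample = constructed_sample()
    for name, score in rank_zones(sample):
        print(f"{name:26s} {score:6.1%} of activity in Mon-Fri 09:00-18:00")
    print("local-hour histogram at UTC+8:",
          sorted(local_hour_histogram(sample, 8).items()))
```

On the constructed sample the China offset scores about 95%, Moscow about 48%, Berlin about 32% and New York under 2%. Note that neighbouring offsets still score well, so this kind of analysis narrows the field rather than naming a zone, and it says nothing about who sits at the keyboard; it only becomes persuasive alongside independent evidence such as the infrastructure registrations and language clues the text goes on to describe.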
Once more she scrolled through the forensic reports on her laptop and re-sorted them with her special program. Her colleagues began reading China's five-year plans, which they had obtained and translated, and combed through official Chinese sources on the Internet. Slowly a pattern behind the attacks began to emerge.
The hackers had built an enormous machine to cover their identities; over the preceding few years alone they had used almost 1,000 command-and-control servers and almost 900 different IP addresses. Almost all parts of this machine, the servers and the IP addresses, were registered in China. The data also showed that the hackers mainly used two big servers to control their attacks. These too were located in China, in Pudong, a district of Shanghai.
Again and again Galante drew graphs on her flip chart, trying to find the bigger picture behind all the details.
Source: Jason Andrew/JA
In that district stands a white high-rise that had caught Galante's attention. It has 12 floors and is surrounded by restaurants, massage parlours and a wine merchant. It looks like a tower, with narrow windows like loopholes. It is secured with surveillance cameras, and to get in you have to pass through a checkpoint. There are pictures and videos on the Internet showing a conspicuous number of young men in dark green uniforms in front of the tower, the uniforms of Chinese soldiers.
Galante could hardly believe what it said
Galante and her colleagues had a suspicion that seemed outrageous: this tower, they believed, could be the seat of the mysterious Unit 61398, a command centre and one of the largest cyber-weapons factories in the world. In remote corners of the Internet they found further evidence that the hackers were working for the Chinese military, and therefore for the government in Beijing. Again they had to use special tools to restore old versions of websites that had since been overwritten.
One document of particular value was an internal memo from a Chinese telecommunications company. Galante could hardly believe what it said.
The Chinese military, or rather its Unit 61398, had built the tower only a few years earlier, as Galante's colleagues established from satellite pictures showing the different construction phases. And the memo said the tower had been fitted with special technical equipment, so secure that all of the military's telephone calls and emails would remain confidential. The tower had a floor area of 130,000 square metres, enough for about 2,000 employees.
This memo turned Galante's most important speculations into certainties. On top of that, they found out that Unit 61398 recruited the best computer scientists and IT specialists from well-known elite universities and placed particular value on a good command of English.
One late night, in the office of a colleague and friend, Galante asked him: "How certain are you that we are drawing the right conclusions and haven't missed anything important?"
"One hundred percent certain," was his answer.
What they found out about the tower wasn't everything. The high-tech forensic analysts had found something else, something rare: the human being behind one of the pseudonyms, with his habits and weaknesses, one of the main suspects. Everything pointed to him having played a key role in the attacks against the USA.
He called himself "UglyGorilla". Email addresses and servers were registered under that pseudonym, many of which had been used in attacks against the US. He seemed to have written some of the hackers' cyber weapons himself. In his code they found a signature, a little greeting to his victims at the end, in broken English: "No Doubt to Hack You, Writed by UglyGorilla".
A white tower in Pudong, Galante's team believed, could be the seat of the mysterious Unit 61398, one of the largest cyber-weapons factories in the world.
Source: Google Earth
Galante's colleagues found an email address and recovered comments he had posted in certain forums. They worked out that "UglyGorilla" had been active in the digital underground since at least 2004. Still, he made a mistake that shouldn't happen to an experienced professional: he started leaving a signature behind, sometimes even a name, Jack Wang. Maybe he was so sure of himself that he thought no one would ever catch him; maybe he just didn't care. Galante and her colleagues thought it possible that Jack Wang was his real name.
Where was the bigger picture behind the details?
Most importantly, his tracks and those of two other hackers called "dota" and "SuperHard", who came up in many of the investigators' reports, led to Shanghai, directly to the white tower.
A little more than three weeks later, Laura Galante sat down in her office chair in a thoughtful mood. She was certain they had everything they needed. Again and again she had drawn graphs on her flip chart, trying to find the bigger picture behind all the details, clues and suspicions. She had come across contradictions and inconsistencies. She had sat in countless meetings with her team, doubting their own results and checking everything over and over. Now, finally, everything seemed to fit.
The facts left no room for reasonable doubt. The phantom they had been hunting was a Chinese cyber army. But knowing the truth was one thing; saying it out loud was quite another. This was the moment when the cyber war would leave the digital world and their results would have real consequences.
Knowing the truth was one thing; saying it out loud was quite another: Mandiant's report on APT1.
Source: Jason Andrew/JA
They had caught a global power in the act of spying on another global power, the United States of America, their own country, on a jaw-dropping scale. They had summarised their results in a 74-page report. Their boss seemed determined to publish it. It would expose the Chinese government in front of the whole world. China would of course deny everything and try to make it look like an American conspiracy against it. Its relationship with the US was, after all, already very tense.
This meant that Laura Galante and her colleagues, employees of a private computer-security company, would become involved in world politics.
What a huge responsibility, was all Galante could think.
Kevin Mandia, her boss, was nervous too. With all he now knew, China could easily ruin his company, or harm him and his employees personally. If the Chinese cyber army took on his company, they would be so busy fending it off that there would be no time left for their daily business. Or, even worse, pictures of his undercover investigators would be all over the Internet. A computer-security company that can't protect itself would be finished in no time.
But Mandia simply couldn't forget the anger he felt every time China flatly denied fighting the US in cyberspace. He was a patriot; he had left the Air Force because he couldn't stand the rigid hierarchy. What his people had found left him no choice, he felt. He might harm his own country, but he might also do it a great service.
He didn't have to wait long for an opportunity. On 12 February 2013, a Tuesday, President Obama delivered his State of the Union address to Congress, saying that America was under threat and its national security in danger. He spoke of hackers in China and Russia who were after the American technologies and companies that make the American military the most technically advanced in the world.
"We got off lightly in the end"
All of a sudden, the cyber war was no longer something played out in secrecy and watched only by a few nerds. The President of the United States had directed the attention of the American public to the battlefield of the 21st century. He talked publicly about what is at stake, to be seen and heard by everyone, on television, on the radio, on the Internet.
Perhaps it was a coincidence that Galante's boss was presented with this once-in-a-lifetime opportunity, or perhaps there was something else behind it. Either way, Mandia knew what had to be done. The report that Galante and her colleagues had been working on for weeks, summarising six years of his cyber warriors' experience, ended up at the "New York Times". The paper made it its front-page story one week after Obama's speech, with a long feature on a hacker group called APT1, a cyber division of the Chinese military.
Galante and her colleagues had needed a name; the acronym APT stands for "Advanced Persistent Threat". From then on it also stood for the fact that the US dared to publicly accuse another country of waging a cyber war against it, as clearly as no state had ever done before. High-ranking members of the government and of the American security services went on to confirm the facts that Galante and her team had found about China's hackers.
Four years later, February 2017. Laura Galante watches from her office in Washington DC as planes take off at short intervals, soaring into a perfectly blue sky. "Thank God, we got off lightly in the end," she says. While APT1 did attack her company, they clearly didn't intend to destroy it completely. China has stopped denying that it attacks other countries with cyber weapons and has begun diplomatic negotiations with the US. These are only words for now, but she can also see that the attacks from China have decreased considerably.
Still, China is only part of the whole truth.
For quite some time now Galante has been watching an enemy that worries her, her company and the US government far more than the Chinese. She is now constantly dealing with the Russian hacker groups APT28 and APT29, also known as Fancy Bear and Cozy Bear. Nothing seems able to stop them.
In January 2015 a server of the US Department of Defense was hacked. Months later the White House admitted that Russian hackers had also gained access to Obama's emails.
Then the French television channel TV5 Monde went off air; there was only a black screen.
Putin's shadow warriors
A few weeks later unknown attackers broke into the servers of the German Bundestag and stole a large amount of data.
Today the security authorities of several countries agree that Russian intelligence services were behind both cases.
Then a computer virus was discovered at the Gundremmingen nuclear power plant in Germany.
She can say the word "Bundestag"
Finally, in the weeks before the presidential election in November 2016, emails appeared that hackers had stolen from the campaign of the Democratic candidate Hillary Clinton. The whole thing grew into an affair that may have helped swing the vote towards Donald Trump. Obama held President Vladimir Putin personally responsible, expelled 35 of his spies from the US and imposed sanctions on Russia.
Galante has studied all the most important Russian hacker groups, their weapons, their methods and their goals, again and again. They say no one in the US knows more about them. She has also studied the attack on the government district in Berlin in detail; by now she can say the word "Bundestag" with hardly any accent.
She would need an office at least twice the size of hers to physically display the picture of the organisation that German intelligence agents and cyber experts have drawn up for internal use. It is full of computers, servers, domain names and lots of technical terms.
At times Galante thinks about the remarkably strategic way these Russian fighters operate, as though controlled by an invisible power. It reminds her of the Chinese army in the white tower in Shanghai. Intelligence services all over the world are convinced that these Russian hackers work on behalf of Putin.
"Everything points towards that," Galante agrees.
However, there is an essential difference between China's and Russia's cyber warriors, and it is the main reason Galante is so worried. The Russian hackers are more aggressive than anything she has seen before. They have attacked ministries all over the world, military networks, embassies and arms factories. They don't only spy or steal secret documents; they manipulate elections and fabricate fake news to put pressure on other governments.
Galante sees an arms race developing in cyberspace, one capable of unhinging the whole world. The president of the United States is suspected of having knowingly used the support of a Russian army of hackers to win the election. And the next target of those Russian cyber warriors in their invisible war is likely to be Germany. The government district in Berlin and the party headquarters will be their target; everyone from German agencies and politicians to Galante herself agrees on that.
Just recently one of the investigators came to Berlin and Frankfurt to get a better idea of the situation. When he came back, he too had learned to say a German word without an accent. The word was "Angst": fear.