Malicious Life Podcast: China's Unrestricted Cyberwarfare Part 2

In China's Unrestricted Cyberwarfare Part 1 we explored the story of two Chinese military officers, veterans of the semi-conflict with Taiwan, who helped shape the role of cyber in modern warfare in China and beyond with special guest Lieutenant Colonel, USMC (retired) Bill Hagestad, a leading international authority on cyberwarfare and Chinese cyber operations and capabilities specifically.

In part 2, we look at how - in the early 2000s - Nortel was consciously, intentionally, and aggressively positioning itself as a partner and a friend of China. At the same time, it was China's number one target for corporate espionage - and an early victim of its new 'Unrestricted Warfare' doctrine - check it out...

 

About the Author

The Malicious Life Podcast by Cybereason examines the human and technical factors behind the scenes that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution, with host Ran Levi interviewing hackers and other security industry experts about hacking culture and the cyber attacks that define today’s threat landscape. The show has a monthly audience of over 200,000 and growing.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.

China's Unrestricted Cyberwarfare Part 2 Transcript

In part one of this mini-series on China’s Unrestricted Warfare, we described how two Chinese military officers, veterans of the China-Taiwan conflict, helped shape the role of cyber warfare in China and even in the US. I also introduced you to Ren Zhengfei, Huawei’s founder, who was determined to support China’s growth and geopolitical strength – perhaps as a way to prove his loyalty to his mother country, since his parents once supported the “wrong” side in China’s internal conflict back in the 1940s. 

 

NEW WAR

The fundamental thesis of Unrestricted Warfare can be identified in the following quote:

“[. . .] the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means, including armed force or non-armed force, military and non-military, and lethal and non-lethal means to compel the enemy to accept one’s interests.”

In unrestricted warfare, anything and everything can constitute a weapon of war. A computer can be a weapon, or a diplomatic alliance, a person, a news report or a business deal. 

Even cooperating with the enemy can be a method of defeating them, if they don’t know what you’re actually up to.

 

NORTEL 2000

In the year 2000, Nortel Networks set up a showing at Security China 2000–the country’s premier trade show for internet and internet security. They were among some 300 companies from 16 different countries, all vying for the lucrative deals to help China build its nationwide network infrastructure.

Despite all the competition, Nortel’s pitch stood out. For one thing, Western companies had a major technological advantage over China’s own properties. A company like Nortel was simply in a different league from, say, tiny Huawei.

But Nortel stood out even among its Western counterparts, because while other companies at least paid lip service to creating a “free” and “open” Chinese internet, Nortel got straight to the point. Their presentation at Security China centered around “OPTera”–quote: “[a] personal internet initiative [. . .] designed to enable Internet service providers to better track individual Internet users and their online activities.” End quote. Nortel spoke the language of their prospective buyers, boasting in their marketing package, quote: “Imagine a network that knows who you are, where you are, and can reach you whether you’re on your mobile phone or at your desktop.” 

Nortel won a 10 million dollar contract–not much, in the scheme of things–but that was just the beginning of a fruitful partnership with the Chinese Communist Party. In addition to OPTera, they sold what was called “JungleMUX”–a digital surveillance network which connected security cameras from around Beijing, sending the feeds to a centralized police HQ. (Think Big Brother, but on a small scale.) Most important of all, arguably, was Nortel’s co-authorship of the research project that would eventually form the basis for the Great Firewall project.

Suffice it to say: the company was consciously, intentionally, aggressively positioning itself as a partner and a friend of China. They were willing to do what was necessary to be part of building the world’s largest intranet. Which might explain an otherwise very illogical thing they did that very same year.

 

MICHEL KATSUYA C. 2000

It all started with Michel Juneau-Katsuya. 

Michel Katsuya used to be an officer for the Royal Canadian Mounted Police, and he does look the part. With short, slick blonde hair, blue eyes, a square jaw and thick, beefy neck, he could pass as a T.V. cop, or a former linebacker. By the year 2000, he was serving as the Asia-Pacific desk chief for the Canadian Security Intelligence Service–basically, Canada’s CIA. In that capacity, he was responsible for keeping tabs on China and what threats they might pose to, say, Canada’s biggest corporation. 

Right around the time Nortel was preparing their entry into the Chinese internet market, Katsuya performed a threat assessment on their behalf. He determined that they were not only a target, but possibly China’s number one target for corporate espionage.

And the word “target” here may be a little misleading, only insofar as it suggests China was preparing to spy on Nortel. The evidence indicated, rather, that they’d already begun. Katsuya found, quote, “unusual” and “quite interesting” traffic between Nortel’s internal network and destinations in China.

So Katsuya set up a rendezvous. He later recalled, quote: “We went to Nortel in Ottawa, and we told the executives, ‘They’re sucking your intellectual property out.’” As for how his audience responded to the news, quote: “we were brushed off [. . .] I think they basically didn’t want to hear about it. They were with the Chinese and China was a fantastic opportunity.”

Nortel was making a big investment in the world’s fastest-growing market. Whatever Katsuya thought was happening wasn’t important enough to threaten that. As a result, instead of confronting China, or meaningfully addressing their cybersecurity, Nortel chose a different path. Katsuya summed it up succinctly. Quote:

“They didn’t do anything.”

 

2004 DISCOVERY

Four years after Michel Katsuya visited Nortel, an employee at the company’s U.K. branch had a very strange day at the office.

It began when he visited “Live Link,” a service his company used to store documents and other sensitive material. He was there merely to check up on who had accessed his files recently.

He certainly didn’t expect to find that the company’s Chief Research Officer–Brian McFadden–had downloaded some of his files. And a rather odd selection of them, too. This employee had no particular relationship with McFadden, who worked across the ocean in Ottawa. So he sent an email, offering to answer any questions McFadden might have had about all that material. McFadden replied: He had no idea what this was in reference to, and did not recall downloading any such documents.

 

2004 INVESTIGATION

It was certainly fishy, so the employee summoned some guys from the security team to take a look. When the security team dug into his Live Link data, the logs suggested that this incident was just the tip of an iceberg. From Bloomberg, quote:

“Hackers had stolen [Brian McFadden’s] password and those of six others from Nortel’s prized optical unit, in which the company had invested billions of dollars. Using a script […] the intruders swept up entire categories from Nortel’s systems: Product Development, Research and Development, Design Documents & Minutes, and more.”

The “more” in that sentence refers to everything from emails to sales data, business plans and even Nortel’s highly secretive source code. Sometimes, the seven zombie accounts would download massive troves of documents all at once. Brian Shields, one of the experts who analyzed the data, recalled, quote: “They were taking the whole contents of a folder—it was like a vacuum cleaner approach.”

In one case, for example, it was 8:48 in the morning on a Saturday and the CEO of the company, Frank Dunn, had sent 779 seemingly random files to IP addresses that clearly did not belong to Nortel computers. (Interestingly, Dunn was fired four days after that leak occurred, on April 28th. The firing wasn’t the result of the leak–he was already going to be fired for some shady accounting, and the executive board that fired him wasn’t yet aware of this leak. Was it just a coincidence that these two events occurred so close together? Maybe. But consider this: a great time to steal lots of sensitive CEO data is right before that CEO gets fired–when they’re distracted, and won’t have much time to notice or fix what’s happened. Did the hackers use this reasoning to time their attack? Did they have such good insight into Nortel’s day-to-day operations that they knew when the head of the company would be fired before he did?)

The IP addresses Dunn’s account sent those 779 files to were registered to one “Shanghai Faxian Corporation.” A closer look into Shanghai Faxian revealed that not only did they have no business with Nortel, but they weren’t even a real business. Just a shell company. A shell company concealing something much more serious. From The Globe and Mail, quote:

“[The IPs] were clustered into a tiny pinprick of cyberspace. He was stunned because it looked like a room filled with web servers. Whoever was behind these hackers, Shields believed, seemed to control China’s internet.”

Shields reflected on the moment he realized what he was up against. Quote: “It hit me like a ton of bricks.”

But there was one more discovery that, perhaps, trumped all the others. Something that would’ve shocked anyone besides Michel Juneau-Katsuya: that, according to the server logs, the breach had actually begun years ago. In the time since the Iraq War began, since the invention of camera phones and The Sims and R. Kelly’s “Ignition,” hackers had apparently maintained persistent access to the highest levels of Nortel’s internal networks. Either nobody noticed, or nobody did anything about it.

Brian Shields, like Michel Katsuya four years prior, went to his bosses with the kind of news he expected would knock their socks off. But if their socks were even a little knocked off, it didn’t show. The company decided to change the passwords for the seven compromised high-level accounts, and that was about it.

Of course, the attackers had already installed backdoors onto company machines, so changing passwords was the cyber equivalent of changing the combination to a bank vault after a thief dug a tunnel leading straight underneath.

 

BRIAN’S LOBBYING 2004-2008

Long after everybody else had moved on, Brian Shields never quite got over what happened. It was too serious, too unresolved. The hackers, after all, were never actually kicked off the network. Nothing had actually been solved.

A short guy of medium build, with blonde hair balding in the middle, Brian spent months trying to nail the perpetrators that few others seemed to care about. All he could do, though, was watch as they committed ongoing data theft. According to ZDNet, every month or so, a “small burst of data” would travel from the infected Nortel computers to the servers at “Shanghai Faxian.” It wasn’t anything drastic, like 779 documents transferred all at once at 8 in the morning. It was, rather, a little reminder–that the attackers were still around, and could do what they pleased.

In November, 2007, Brian finally got his chance to speak with several company executives. In a meeting that lasted several hours, he tried to convey the severity of what they first found in 2004, and what seemed to be a continuing, existential threat to the company. The execs told him to prepare an audit report, and he did, early the following year. But the report didn’t really go anywhere. It likely never ended up being seen by the CEO or the other decision makers at the company. Even if it had, it’s unlikely they would’ve done much, considering, you know, the entire story up to this point.

 

BRIAN GOES ROGUE

Finally, in 2008, Brian Shields decided he’d had enough. After years of watching the company get sucked dry, he had his Jason Bourne moment. He threw away the rulebook, and decided to infiltrate his own CEO’s computer. From the Financial Post, quote:

“[H]e had spent a day just before Christmas 2008 digging through the Web browsing history of then CEO Mike Zafirovski, known to colleagues as ‘Mike Z’. Mr. Shields was convinced there were criminals working on behalf of China’s Huawei Technologies Co. Ltd. accessing the CEO’s files, but his hunch hadn’t been enough for his immediate bosses to grant him direct access to the top man’s PC.”

As Brian suspected, he was merely the second hacker in Mike Z’s computer. He recalled, quote:

“I went through about two months and, sure enough, I found that right in the middle of a Yahoo session he had some activity go over to Beijing that didn’t fit in with any of the other URL information that was showing up. It didn’t belong there, it just didn’t. This was rotten.”

In lieu of support from his colleagues, Brian teamed up with a third-party investigator. Together, they found what Nortel’s own anti-malware experts couldn’t: rootkits.

Rootkits, for those of you unfamiliar, are some of the nastiest kinds of malware out there. Where ordinary malware acts like other software–running in the application layer of your machine, just doing things you don’t necessarily want it to–rootkits go deeper. They’re often found in the kernel of a computer–the very core of your operating system, the hub where everything about your machine comes from. As an analogy, if ordinary malware is like breaking a leg, rootkits are like developing a brain disease. They have the power to do just about anything, and stay totally out of sight, as even antivirus programs don’t usually access such deep levels of a machine.

It’s no wonder, then, that none of the Nortel personnel infected with these rootkits realized they were being spied on. That hackers had persistent remote access and were monitoring their internal communications. It explains, to some extent, why Nortel’s own anti-malware experts failed to spot the evidence (everyone besides Brian, of course). It also explains why, even after finding the rootkits, Brian and his partner still didn’t quite know how to get rid of them. The partner noted, quote:

“Brian would wipe the hard drive of one of the machines and re-image it, then we did a second memory image within five minutes. It was a lot cleaner but I still found a couple of artifacts that told me the rootkit was still there. So it was something sophisticated that was able to survive a reformat of the system.”

 

REPORTING HIS FINDINGS

Brian took his new findings to Nortel’s IT security manager, requesting permission to inspect CEO Mike Zafirovski’s computer more thoroughly. According to his recollection, the manager replied as follows. Quote:

“Mike Z is a very busy man, he is trying to sell business units and we can’t be slowing him down and trying to interrupt him with memory dumps of his computer.”

Brian left empty-handed. Quote:

“I hit myself in the head,” Mr. Shields said. “[Mr. Zafirovski] wouldn’t have even known [the memory dump] had happened. It would have slowed his machine down for maybe 10 minutes.”

In a later Wall Street Journal article, Zafirovski clarified why Brian’s pleas had been brushed off so easily. He told reporters that Brian had a tendency to, quote, “cry wolf.”

It certainly might’ve seemed like he was crying wolf. In 2004, he tried warning everyone that Nortel was hacked. He did it again in 2005, in 2007, in 2008. But, as he later noted, quote:

“I may have been crying wolf. That is what my boss was thinking, but the problem was, there was a wolf.”

 

FAILURE TO DISCLOSE

Not long after, in 2009, Brian Shields was fired from his job. The job he’d been working at for two decades. His partner in the investigation called the timing, quote, “really suspicious.”

Of course, we can’t say exactly what happened. One could imagine, for example, that Brian’s firing had nothing to do with how his CEO felt about him, or his progress in uncovering their cybersecurity failures. Because that year, Nortel filed for bankruptcy. Their stock dropped 79%. Employees and company assets were being let go left and right.

If we are to entertain the “suspicious” view, however, it might be worth pointing out how Nortel handled their cybersecurity issues during their bankruptcy proceedings.

In bankruptcy, companies have to do yard sales for all their various assets, so that investors can recoup some of what they’re owed. Like with yard sales, companies are expected to be forthright about not just what assets they’re giving away, but what condition those assets are in. If you sell your neighbor a toaster but, when they bring it home, it doesn’t work, that neighbor’s going to be ticked off.

Two companies–Avaya and Genband–purchased parts of Nortel’s business, including Nortel computers, which they then connected to their own networks. According to the Wall Street Journal, Nortel allegedly did not disclose to these buyers that the computers they were buying may have been compromised by Chinese state actors.

The conspiracy here would be that Brian Shields was fired because he risked revealing that the toasters were broken to potential buyers. It may have been less dramatic than that, though. Recall that, despite many attempts, Brian never really grabbed the attention of the upper echelon at the company. It could be that, even after 10 years, Nortel’s management still didn’t really get it. When asked whether they purposely defrauded buyers by withholding information about their breach, CEO Mike Zafirovski said the company, quote, “did not believe it was a real issue.”

Remarkably, he may have been telling the truth.

Even as Nortel was pawning off its assets in bankruptcy proceedings, questions remained regarding who the Shanghai Faxian hackers were, why they wanted Nortel’s secrets, and why they were so successful. These questions were so difficult to answer because the Nortel breach was merely one small part of a much larger story. One piece of evidence in an entire crime scene. One offensive in a much broader unrestricted war. From ‘Unrestricted Warfare,’ quote:

“War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation? [. . .] Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare.”

When entities within China targeted Nortel, they didn’t just hack some computers. They began an unrestricted war. A war employing all kinds of people and organizations and methods, each picking apart a different limb of the rotting corpse of a once-great technology power.

Coming up in Malicious Life, we’re going to go behind the scenes of the Nortel attack. It’s going to be a lot bigger, and a lot weirder than the episode you just heard.