One frosty January morning, it dawned on Laura Galante that the secret mission she’d been working on would lead her right into the heart of world politics, and soon. She was sitting in a suburb of Washington DC, in an office with white walls, empty shelves and large windows. It was the year 2013 and Galante was tired, as so often during that time. Quite apart from the difficult mission she was working on, she was also pregnant. Together with a small team she was trying to uncover something. No one besides them and their boss were allowed know about it, not even within their own company.
This, it occured to Galante while a cold wind sweeped across the empty streets outside, will change my life. She was about to make a global power into a personal enemy.
It was only a few months ago that she had received a phone call. A computer security company was looking for specialists able to filter specific electronic data out of a huge amount showing how exactly criminals and governments attempt to overpower other states. She didn’t have to consider for very long.
The boss, Kevin Mandia, a man in his early 40s with a square face, previously a U.S. Air Force officer, had an air of fearlessness. And she had exactly what he was looking for. She was 28 years old, a fast talker and was said to think just as fast. She had a degree in Politics and Law and had previously been analysing cyber attacks in the US Department of Defence.
This is how Galante became a warrior in an invisible war, the cyber war.
She is now head of her department at FireEye, an American company for computer security. Her clients are companies, known worldwide by almost every child; other clients include public authorities, Ministries and Governments. All of them can potentially come under fire in this new conflict. They get attacked by dangerous and destructive weapons which can’t be seen, heard or smelled. This war isn’t loud and bloody, it is fought on screens, with keyboards and fibre optics. Whoever loses control of his computers, loses power. This is where Laura Galante comes in.
Sitting at their computers, the enemies send out malware through the Internet. They send instructions to external computers, often in email attachements. This is their way to steal passwords, email correspondence and documents, mostly unnoticed; this is how they gain access to the computers of generals and ministers to record conversations; this is how hackers manipulate elections or paralyse government authorities and power stations. These are attacks meant to damage what keeps countries together at their very core: their economy, their internal security, everyday life.
This conflict has intensified steadily over the last years; right now, it looks as though it might be stearing towards escalation. Espionage, sabotage, destabilisation are all happening already, every day. The question is what comes next. How long will it take until someone reprogrammes drones or sabotages a nuclear programme?
Galante has a special programme on her computer which opens a map of the world. On this map, there are yellow and green arrows, moving from one country to another, from one continent to the next. This shows her where the attacks are happening, which country the attackers are in, and which country the attack is aimed at. Over the next weeks and months a lot of those arrows will be pointing to Germany. The German secret services warned the chancellery weeks ago: there will be an election in September, having an effect on the world order of the future.
„German election will probably be interfered“
German government is preparing for cyber attacks
Quelle: Die Welt
This means that Germany will become part of an unequal fight, where the attacked countries face a problem they didn’t have on the battlefields of the past: they’re under attack, but they don’t know who the attackers are. They are dealing with phantoms, hiding behind acronyms or pseudonyms, leaving behind red herrings and disguising their origin. Most states won’t admit that they are part of the cyber war, even less what kinds of troops or arsenal they might have at their disposal. Exposing the enemy takes months, sometimes years, if it happens at all.
Special units with hightech forensics
Governments therefore recruit their own cyber warriors and employ highly specialised companies to destroy dangerous Internet programmes, ideally before they can cause any damage. These companies have special units with hightech forensics who will even find and secure traces where supposedly there were none. Their warriors roam through the digital underworld, under false identities, in order to find incriminatory evidence. They analyse hard drives and dissect viruses and other malware; they need to find out who sent out which cyber weapons – and from where.
There are hundreds of those companies worlwide. But when things become serious Laura Galante’s company is first choice. FireEye has become a power in its own right, some even say it is a kind of Blackwater of the Internet. The company has 3,200 employees, amongst them former spies, high-ranking secret service agents and US-Government employees, and it has an annual turn-over of almost 600 millionen Euros.
The reputation of the company is partly down to the secret mission that Laura Galante received from her boss in January 2013. Together with her special cyber unit she managed to do something that’s rarely been done before.
Nine data experts and cyber agents, as well as several undercover agents, uncovered something that up until then only extremely experienced security experts could even imagine. They exposed a very well-organised, state-run secret army, equipped with hundreds, if not thousands of cyber soldiers, which had spent years of spying on and fighting against a global power with mind-blowing precision. Back then they were working for a company called Mandiant, which was then taken over by FireEye.
This case says a lot about the state of our world and about how cyber war works. It shows the immense effort states have to make in order to harm their enemies. Usually, no one ever hears about these battles; cyber warriors don’t talk, not least to protect themselves. But Laura Galante is prepared to tell the whole story.
It was the Summer of 2012 when Mandia, her boss, came up with a plan. He’d had his company for eight years now. His computer specialists, some of them in their 30s, had grown up with a Commodore 64 or an Atari-Computer and had worked on thousands of cases. They had been called in to help when big companies were being attacked, in Europe, Asia, but mainly in the US. They analysed malware, read codes and found the server or IP-addresses of the attackers. Slowly, but surely they understood the character of the hackers and were able to reconstruct when and how they managed to infiltrate external computers. And finally, they wrote their reports for each case.
Mandia knew that this meant that they had collected a whole treasure of data and information. The thing he was missing was the link connecting all these cases. A bigger picture which would show him what was really happening on the dark side of the web.
He decided to employ a number of specialists from the Government, people who knew how to make sense out of a seemingly inextricable cluster of codes, commands and IP-addresses, and to extract something that would help them understand the plans and motives of the attackers better. One of his new elite soldiers was Laura Galante.
She moved into an office just about big enough for a desk, a small, round coffee table for meetings and a bookshelf. On her laptop she would order and filter data, looking for similarities, and draw dozens of graphs on her flip chart to keep track. Some of her colleagues woulnd’t even bother going home anymore, they would just fall asleep on their office floors whenever they needed a rest.
Hackers were extremely disciplined
After a few days, and many meetings later, based on clues they found in the forensic reports and on tracks they found in the Internet, they finally had a pretty good idea who it was they were after.
After examining hundreds of cases they came across a group of hackers more insatiable and bold than any they had dealt with before. This group managed to infiltrate 150 companies and organisations over the last few years. First, they were after companies like Coca-Cola or the "New York Times". But after a while they also started targeting governments and companies managing power supplies, gas pipes and waterworks; all things that are essential for running a country. One of those companies runs more than 60% of oil and gas pipes in the US, others included high-tech, defense and aerospace companies.
The hackers were extremely disciplined. After breaking into computer networks they just settled in there for months, sometimes even years, without being noticed. Whenever they wanted something specific they seemed to know exactly where to find it. That way, they were able to steal pretty much everything that’s supposed to stay secret: business plans, calculations, contracts, technical blueprints and construction plans for new products, even for high-tech weapons. And of course emails and contacts of managers and employees.
It was clear to Galante and her colleagues that they were dealing with several hundred terrabytes of data. If they were to print all of it out, they would end up with more than a billion A4-sheets, a pile much higher than the Himalayas.
Galante and her colleagues were certain that only a state trying to spy on another would work in such a methodical way. It had to be a wealthy state as well: it takes a lot of money to put together a troop able to fulfill such a mission over years.
Galante knew that there weren’t many possible candidates.
There’s a rumour that’s been going round the government district of Washington DC, half an hour drive from her office. The US-government is said to be very concerned. They don’t fear the nuclear command centres in Moscow anymore, like they did in the Cold War. They now fear servers in China or Russia, being used by an army of specialists, with the knowledge of their governments – or maybe even by their command.
There’s also been a dossier around for weeks, written by all of the 16 US secret services, which Galante has read. It says that there are some Chinese hacker groups operating as contractual partners of the Chinese military; and that there are also some, which are actually lead by military officers. Amongst them is supposed to be a unit number 61398, supposedly a part of the second bureau of the People’s Liberation Army, section 3.
To all of Galante’s knowledge, this section hasn’t appeared in any official documents. But the forensics doing the preliminary work for Galante’s team have found something interesting.
How they keep direct and reliable control
The hackers used practically the same digital high-tech weapons for all their attacks; even the way they executed their attacks had been identical. And the traces they left behind were leading to Asia.
When hackers want to take over an external computer network they have to make a number of decisions. For example how to sneak in and give commands to those computers. They can deposit this information within the code of their cyber weapons. This enables them to keep direct and reliable control. Or they decide to link together several computers to clusters, so-called botnets, in which all computers constantly send out and forward commands. This leaves considerably less traces of data which could be followed by cyber warriors such as Galante and her colleagues. They are practically invisible.
In this case, the hackers decided for the second option, but they still left some traces. Their codes, and the times when they stole something or updated their programmes contained information, clues, which Galante and her colleagues were able to pursue.
The code of the malware was written in perfect English. But the spam emails used by the attackers to get access to external computers showed some grammatical mistakes that suggested they weren’t written by a native speaker. The fact they they worked Monday to Friday during office hours also pointed towards that fact: their working hours, almost like punching the clock, were within the time zone of China.
Galante had to think about this. These were very interesting leads, but no real evidence. After all, she knew how easy it was to hide within the Internet, to put out misleading tracks. They needed more.
Once more she scrolled through the forensics’ technical reports on her laptop and arranged them again using her special programme. Her colleagues started reading China’s five-year plans, which they had obtained and translated, and looked through official Chinese sources in the Internet. Slowly they started to see a pattern behind the attacks.
The hackers had created an enormous machine to cover their identities; over the last couple of years alone they had used almost 1,000 command-and-control-servers and almost 900 different IP-addresses. Almost all the parts of this machine, the servers and the IP-addresses were registered in China. The data also showed that the hackers mainly used two big servers to control their attacks. These were also located in China, in Pudong, a suburb in the North-East of Shanghai.
In that suburb stands a white high-rise building which had made Galante curious. It has 12 floors and is surrounded by restaurants, massage parlours and a wine merchant. It is like a tower with narrow windows like loopholes. The tower is secured with surveillance cameras and to get in you have to go through security first. There are pictures and videos on the Internet which show a conspicuous amount of young men in dark green uniforms in front of the tower – the uniforms of Chinese soldiers.
Galante could hardly believe what it said
Galante and her colleagues had a suspicion that seemed outrageous: This tower, they believed, could be the seat of the ominous unit 61398, a command centre and one of the largest arms factories of cyber war worldwide. In some remote corners of the Internet they found further evidence that the hackers were working under Chinese military – and therefore the government in Beijing. They had to use special programmes again to restore old version of some websites which had been overwritten.
One document that seemed of particular value was an internal letter of a Chinese telecommunications company. Galante could hardly believe what it said.
The Chinese military, it’s unit 61398, had built the tower only a few years back as Galante’s colleagues found out through satellite pictures which showed the different building phases. But the letter said that the tower had been given special technical equipment, so secure that all telephone calls and emails of the military would stay confidential. The tower had a floor space of 130.000 sqm, enough space for about 2,000 employees.
This letter made Galante’s most important speculations into certainties. To top this, they also found out that unit 61398 was hiring the best computer scientists and IT-technicians from well-known elite universities and put special value on good knowledge of the English language.
One late night in the office of a colleague and friend, Galante asked him the question: "How certain are you that we are drawing the right conclusions and haven’t missed anything important?“
"One hundred percent certain", was his answer.
What they found out about the tower wasn’t everything: The hightech forensics had found something else, something rare. They managed to find the human being behind one of the pseudonyms, with habits and weaknesses, one of the potential suspects. It all pointed towards the fact that he had played a key role in the attacks against the USA.
He called himself "UglyGorilla". There were email addresses and servers registrered in that pseudonym, many of which were used for attacks against the US. He seemed to have programmed some of the cyber weapons that the hackers used himself. In his code they found a signature, with a little greeting to his victims at the end, written in bad English: "No Doubt to Hack You, Writed by UglyGorilla".
Galante’s colleagues found an email address and restored comments that he had posted in certain forums. They worked out that "UglyGorilla" had been active in the digital underground since at least 2004. Still, he made a mistake that shouldn’t really happen to an experienced professional like him. He started to leave a signature behind, sometimes even a name: Jack Wang. Maybe he was so sure of himself that he thought no one would ever catch him; maybe he just didn’t care. Galante and her colleagues thought it possible that Jack Wang was his real name.
Where was the bigger picture behind the details?
Most importantly, his tracks and those of two other hackers called "dota" and "SuperHard", which came up in many of the investigators’ reports, lead to Shanghai, directly to the white tower.
A little more than three weeks later, Laura Galante sat down in her office chair in a thoughtful mood. She was certain that they had everything they needed. Again and again she had drawn graphs on her flip chart, trying to find the bigger picture behind all the details, clues and suspicions. She had come across contradictions, inconsistencies. She had sat in countless meetings with her team, doubting their own results, checking everything over and over. Now, finally, everything seems to fit.
The facts didn’t leave any more room for reasonable doubt. The phantom they had been hunting was a Chinese cyber army. But knowing the truth was one thing; it was quite another to say it out loud. This was the moment when the cyber war would leave the digital world and their results would have real consequences.
They had caught a global power in the act of spying on another global power, the United States of America, their country, on a jaw-dropping level. They had summed up their results in a report, 74 pages long. Their boss seemed determined to publish the report. It would expose the Chinese government in front of the whole world. They would of course deny everything and try to make it look like a big American conspiracy against them. Their relationship with the US was, after all, already very tense.
This meant that Laura Galante and her colleagues, employees of a private enterprise company for computer safety, would get involved in world politics
What a huge responsibility, was all Galante could think.
Kevin Mandia, her boss, was also nervous. With all he knew now, China could easily ruin his company, or harm him and his employees personally. If the Chinese cyber army were to take on his company, they would be so busy to fight them off that there would be no time left for their daily business. Or, even worse, there would be pictures of his undercover investigators all over the Internet. A company for computer safety that isn’t able to protect itself would be finished in no time.
But Mandia simply couldn’t forget the anger he felt every time China denied unapologetically fighting the US in cyber space. He was a patriot, had left the Air Force because he couldn’t stand the rigid hierarchy. What his people had found out didn’t leave him any choice, he felt. Of course it was possible that he would harm his own country; but it was also possible that he would do it a great service.
He didn’t have to wait too long for an opportunity. On 12 February 2013, a Tuesday, President Obama gave his government declaration in Congress, saying that America was under threat, it’s national security in danger. He talked about hackers in China and Russia who were after American technologies and companies, those that make the American military the technically leading one in the world.
„We got off lightly in the end“
All of a sudden, the cyber war wasn’t just something that’s played out in secrecy anymore, watched only by a few nerds. The President of the United States had directed the attention of the American public towards the battle field of the 21st century. He talked publicly about what’s at stake, to be seen and heard by everyone, on television, the radio, the Internet.
Perhaps it was a coincidence that Galante’s boss was presented with this once in a lifetime opportunity, or perhaps there was something else behind it. Either way, Mandia knew what had to be done. The report that Galante and her colleagues had been working on for weeks, summarising the experience of his cyber warriors from over six years, ended up in the "New York Times". They decided to make it their cover headline, one week after Obama’s speech, with a long feature on a hacker group called APT1, a cyber division of the Chinese military.
Galante and her colleagues had needed a name; the acronym APT stands for "Advanced Persistent Threat". From then on it also stood for the fact that the US dared to publicly accuse another country of leading a cyber war against them, as clearly as it had never been done before by any state. High ranking members of the government and of the American security services proceded to confirm the facts that Galante and her team had found about China’s hackers.
Four years later, February 2017. Laura Galante watches from her office in Washington DC how planes take off in short cycles, soaring up into the perfectly blue sky."Thank God, we got off lightly in the end", she says. Whilst APT1 did attack her company, they clearly didn’t mean to destroy it completely. China has ceased to deny that they attack other countries with cyber weapons, and they have started diplomatic negotiations with the US. These are only words for now, but she can also see that the attacks from China have decreased considerably.
Stil – China is only part of the whole truth.
For quite some time now, Galante has been watching an enemy which worries her, her company and the US-governement much more than the Chinese by now. She is now constantly dealing with Russian hacker groups, called APT 28 or APT 29, Cozy Bear or Fancy Bear. Nothing seems to be able to stop them.
In January 2015 the server of the Department of Defense of the USA was hacked. Months later the White House admitted that Russian hackers had also managed to get access to Obama’s emails.
Then the French television channel TV5 Monde failed, there was only a black screen.
A few weeks later a group of unkown suspects broke into the server of the German Bundestag and stole a large amount of data.
Today, the National Security Authorities of several countries agree that Russian secret services were behind both cases.
Then, a computer virus was discovered in a nuclear power station in Gundremmingen, Germany.
She can say the word „Bundestag“
Finally, in November 2016, shortly before the presidential election in the USA, emails appeared that had been stolen by hackers from the office of Democratic candidate Hillary Clinton. The whole thing grew into an affair that possibly helped swing the votes towards Donald Trump. Obama held President Vladimir Putin personally responsible, expelled 35 of his spies from the US and imposed sanctions against Russia.
Galante has studied all the most important Russian hacker groups, their weapons, their methods, their goals, again and again. They say that no one in the US knows more about them. She also studied the attack on the government district in Berlin in detail; she can say the word "Bundestag" with hardly any accent at all by now.
She would need an office at least twice the size of hers to physically show the picture of the organisation that German intelligence agents and cyber experts have created for internal use. It is full of computers, servers, domain addresses and lots of technical terms.
There are times when Galante thinks about the incredibly strategic ways these Russian fighters operate in – as though controlled by an invisible power. It reminds her of the Chinese army in the white tower in Shanghai. Secret services all over the world are convinced that these Russian hackers work on behalf of Putin.
"Everything points towards that fact", Galante agrees.
However, there is an essential difference between China’s and Russia’s cyber warriors. It is the main reason why Galante is so worried. The Russian hackers are more aggressive than anything she has seen before. They have attacked ministries all over the world, military networks, embassies and arms factories. They don’t only spy, or steal secret documents, they manipulate elections and fabricate false news in order to put pressure on other governments.
Galante sees an arms race developing in cyber space, capable to unhinge the whole world. The president of the United States is under suspicion to have knowingly used the support of a Russian army of hackers to win the election. And the next aim of those Russian cyber warriors in their invisible war is likely to be Germany. The government district in Berlin and the party headquarters will be their target, everyone from German agencies and politicians to Galante herself agree on that.
Just recently one of the investigators came to Berlin and Frankfurt to get a better idea of the situation. When he came back, he had also learned to say a German word without accent. The word was "Angst" - fear.
