
Inside China's most ambitious cyber hack — The Global Story

April 22, 2026 25m 4,286 words

About this transcript: This is a full AI-generated transcript of Inside China's most ambitious cyber hack — The Global Story, published April 22, 2026. The transcript contains 4,286 words with timestamps and was generated using Whisper AI.

[0:00] Have you recently sent anyone a private message that you would rather were not published on the [0:05] internet? Well, some intelligence agencies reckon that ship may have sailed. A giant hack of data [0:12] carried out by a group known as Salt Typhoon may have targeted Donald Trump, J.D. Vance, [0:18] and potentially every American citizen. It's alleged to have been carried out by China, [0:23] but China denies any responsibility. Today on the show, we speak with a former high-ranking [0:29] official from the Biden administration. We ask her, how did this hack go unnoticed for so long? [0:36] And who's winning the global cybersecurity war? From the BBC, I'm Tristan Redmond in London. [0:43] Welcome to the Global Story on YouTube. To understand the scale of this data breach, [0:54] we turn to someone who is right in the thick of it. Asma has been speaking to Anne Neuberger, [0:59] who was head of cybersecurity under the Biden administration. Asma started by asking her, [1:05] what was her reaction when she first found out about the breach? [1:09] This would have been in the spring of 2024. So I was serving in the White House. So I was working in [1:18] the secure rooms in the White House where the National Security Council, where I serve typically [1:23] sits. It was a conversation with the chief operating officer of a large telecom, where he said to me, [1:30] you know, the Chinese compromised the system we use to track people who are maybe under investigation [1:37] by the FBI. So most countries have a way to determine if there's a particular person of [1:44] suspicion. There's a concern that they may be conducting a crime. There's a way for the telecom [1:50] systems to actually determine their communications. The Chinese compromised that. So essentially, [1:55] they turned our telecommunication systems into their espionage system. And that's when I realized [2:02] the potential scale. Because everything rides on telecom. 
A private communication I may have with [2:08] my mom, or a CEO may be having with another CEO as they negotiate a deal. Or for that matter, when [2:14] the president is talking to key senators on the Hill. Those all ride on our telecommunications. [2:20] And that is why telecommunications was such a target of interest to the Chinese government from [2:27] an espionage perspective. What exactly was this operation? The Chinese compromised telecommunications. [2:35] As I mentioned, telecommunications are the foundation of our digital infrastructure. [2:40] Private conversations, corporate conversations, national security secrets, all travel across a [2:46] country's telecommunications infrastructure. Encrypted and unencrypted. Both. Okay. And so, [2:50] this was across various telecom companies. Can you tell us a little bit about what those companies [2:56] were? And which companies you know, were targeted? I don't want to speak to individual companies. Okay. [3:02] But it was, it ranged from large global telecommunications firms, to really small regional ones near military bases, [3:09] who provided services to those bases. And hence the conversations that they carried, could be of interest to a foreign government as well. [3:18] And how did you figure out who did this? You mentioned that in that initial call you had [3:23] with them at a major telecoms company, that it was clear that this was the Chinese. [3:28] How did you all detect that it was the Chinese? So first, China has the, one of the most, if not the most sophisticated and large cyber hacking program in the world. [3:40] So some of it comes from the intelligence community and their insights. Okay. But often what we'll see is by pulling the thread from compromised systems to the systems those compromised systems talk with, when you pull that thread all the way back, you can often identify the set of techniques and the actors. Okay. Which often match a particular country. 
[4:02] Once you have figured out who did this, and it sounds like, uh, the telecom company had a sense of who it was. You all were able to confirm that additional information and said, okay, yes, this is, uh, these are Chinese actors. Um, was it clear to you that it, it went up to the Chinese government? [4:17] There are typically two types of actors in cyberspace. There's countries and criminals. Okay. [4:22] The technique we see criminals using is ransomware. They do it to make money. Okay. [4:28] They essentially lock a system and ask the company to pay a ransom, typically in cryptocurrency to unlock it. So that's the MO of criminals make money out of it. Okay. [4:39] The MO of compromise a system, carefully hide your tracks, stay in there for a long time. We believe the compromise of the telecoms could have gone on undetected for up to three years. [4:51] Wow. That's typically a country conducting espionage. [4:56] Three years prior to when it was detected. Yes. [5:00] For some of the telecoms. And that's a key point. Okay. [5:02] Because that meant that those telecoms had such spotty cybersecurity or such gaps in their cybersecurity, that there could be an attacker in their network for that long. [5:13] Now, the Chinese do a good job of compromising systems, hiding their tracks, but still that there could be an attacker in their networks for that long without being detected. [5:24] Got it. So just to be clear of what you're saying, it seems like part of what made it clear to you all that this is a state actor, [5:31] a country actor, is that this went so undetected. It went undetected for so long. And that a criminal would make themselves known because they want to get something out of it. [5:40] Exactly. Countries and criminals have different goals. [5:42] Interesting. [5:43] Countries want espionage or to preposition to cause trouble at a period of geopolitical crisis. Criminals want to make a buck. 
[5:50] And the country, you're saying, went undetected for quite some time. And in some ways you could argue, maybe would have preferred to remain undetected for many years to come. [6:00] Absolutely. [6:01] Okay. [6:02] The dream of intelligence operations is to collect intelligence for as long as absolutely possible. [6:07] So let's talk about what was actually obtained here. What is the most sensitive information that they got? [6:19] There were really three kinds of information. [6:21] Okay. [6:22] One, phone calls. Sensitive phone calls between, as you would expect, high-level policymakers, which could be of espionage interest to them. [6:31] Okay. [6:32] Second, you know, cell carriers or cell phone towers identify where the cell phones are. And if somebody's holding a cell phone, that helps identify where a person is. [6:44] So we believe they were able to potentially track persons of interest across the U.S. government. Maybe people the U.S. government was tracking as potential Chinese spies. Maybe people working at sensitive sites in the United States. [6:58] And then the third thing is individuals who the U.S. government may be monitoring via our telecommunication systems. [7:10] I see. There were reports that this hack allowed the Chinese government to spy on, as you say, government officials, also high-level politicians. Donald Trump's phone calls, for example. Is that accurate? [7:25] I won't identify any specific individuals, but people making a phone call on an open phone system without using an encryption application like WhatsApp, like Signal. [7:35] Yes. [7:36] Those phone calls, by the kind of access the Chinese had, could have been intercepted and collected. [7:42] Got it. So it's certainly plausible, even if you're not going to go there, that that could be, that type of phone call. [7:47] Based on the kind of access the Chinese government had, any phone call of interest, they could have made a copy of to take offline for broader intelligence. 
[7:55] Okay. And I know that officials told the New York Times that this hack may have stolen information from nearly every American. Is that true? [8:07] Everyone uses our phones, right? We use phones to communicate. We use phones to check in on our kids. [8:11] Yeah. [8:12] There's a broad swath of Americans, and by that matter, other citizens around the world, communications that was available to them to collect. And we know the Chinese do broad scale surveillance operations. [8:23] So not just Americans, you're saying, were affected here. It was people around the world. [8:28] We know that the Chinese compromised telecoms around the world. Yes. [8:31] Did you alert the president about this? [8:34] Yes. The president would have been briefed, as he routinely was, whenever there were major cyber incidents. [8:39] Okay. What was his reaction to this? Do you recall? [8:42] You know, as you would expect, the first reaction is, how could this happen? The second one is, how do we make sure it never happens again? And the third is typically, how do we convey to the foreign government that these kinds of activities aren't, aren't acceptable? [8:58] Okay. [8:59] You mentioned that you also, as part of the process of trying to let people know about the significance of this, you sort of quietly start alerting allies. How did you all do that? [9:15] Typically, the more sensitive things are shared by the intelligence community with intelligence agencies, the technical details. [9:22] Okay. [9:23] The bigger picture significance of this, you know, will be shared by myself or other colleagues in the National Security Council. [9:32] I pick up the phone and have a secure call with colleagues in key allied countries around the world. [9:40] Typically, the fastest way that we notify key partners is we'll get on a secure call or a secure video. 
[9:46] In a couple of cases, I did fly over to a particular country in order to walk them through in detail the seriousness of this and also to answer any questions. [9:59] I know at some point later, you all also briefed the press. For listeners who may not know, I used to cover the White House and I recall you talking to White House reporters. [10:10] I remember that moment, but I will also say to you candidly, I don't know that many of my colleagues understood this to be a very significant moment. [10:19] I don't know that a whole lot of stories actually came out in the press after that. [10:25] When you briefed the press and you held a couple of calls with reporters, what was the motivation there? [10:32] What were you all trying to accomplish? [10:34] There's a major national security threat playing out and we wanted to be transparent with the press and have them talk about this threat and help us in getting companies and citizens to understand the threat and act. [10:47] Do you think citizens understood? Probably a mix. [10:54] Those that are more technologically astute understood when we said, please use an encrypted app. [11:00] If you're having a sensitive conversation, use WhatsApp, use Signal, because then your communication is encrypted end to end and cannot be intercepted. [11:09] So some of this is happening and against the backdrop, just to remind listeners of a pretty competitive presidential election that's also happening. [11:18] This is the fall of 2024. Joe Biden, former president, decides not to run, but his vice president Kamala Harris does. [11:26] And we see all this happening. We then see Trump win the election. And just days before Trump's inauguration, I recall that you all sanctioned a couple of Chinese companies that you all believe were part of this hack. [11:40] And can you explain to me why you did that? [11:44] In some cases in China, China's cybersecurity companies also play a role in China's offensive program. [11:50] OK. 
And we want to make that clear that companies that call themselves cybersecurity companies should not be conducting offensive activity on behalf of their government. [12:00] I want to talk about what the consequences long term of this hack could be. [12:06] I think some folks might hear this and think, OK, there was this hack. It's been patched. It's been fixed. [12:11] So now what? We move on. What, in your view, are the consequences? [12:17] What's the sort of worst case scenario of the information that was obtained? [12:20] You know, people often ask, if data is encrypted, will that be will that always be secure? [12:27] And the answer is yes, unless a country creates a quantum computer that can break encryption. [12:34] When we think about encryption, we think about the virtual equivalent of a locked box. [12:40] If I mail you a locked box, Asma, if you have the private key, if you have the key, you can just unlock it when you get it. [12:46] Well, if I'm sending you a message and I want to do so securely in cyberspace, encryption is the set of math, the key that allows you to unlock that private message. [12:59] And the math underpinning that tells us that those encryption keys are secure. [13:05] Quantum technology is a different kind of technology that could potentially unlock those keys far more quickly than traditional classical computers could. [13:17] We believe that no government has a quantum computer today and that they're probably a decade out as the science is rather complex. [13:26] But one concern the U.S. intelligence community has had is that China has been collecting encrypted information that could be of value even 10 years from now. [13:37] Think about the encrypted details of a weapons program so that if indeed they were able to develop a quantum computer and could decrypt that even 10 years from now, they could learn specific national security secrets. [13:49] That is wild, Anne. 
Well, on that note, thank you so much for being very generous with your time. I appreciate it. [13:55] It's such a pleasure to be here with you. [13:57] So that's how Salt Typhoon looked from inside the U.S. government. [14:01] But is there anything unusual about it? [14:04] Aren't many countries conducting some form of cyber espionage against each other these days? [14:09] To put Salt Typhoon in context, Asma spoke with Joe Tidy, the BBC's cyber correspondent. [14:16] Joe, what is the simplest way that you would explain what the Salt Typhoon attacks were? [14:23] Yeah. So the Salt Typhoon attacks, they're kind of like it's weird to talk about them in the past tense because arguably they're ongoing. [14:31] It's more like the U.S. discovered that the Chinese were carrying out this absolutely enormous surveillance operation attacking all sorts of different industries, including telecommunications, which is where they got most of the data from. [14:45] And Salt Typhoon was discovered 2024, I think it was. [14:49] And what they what they realized was that actually in some cases, these these sort of like hackers that have been inside the networks have been there for many years. [14:59] And the whole point of this type of cyber activity, this sort of espionage, is that you get into a network, you burrow in deeply and you extract information that could be useful to the Chinese state or, you know, whatever state it is that you're hacking for. [15:13] And you're not meant to get discovered. You're not meant to get caught. [15:16] And of course, they did. And that's what led to an absolutely enormous upheaval of our kind of thinking around what China's capable of and what they're doing. [15:26] Well, I should say, you mentioned it's ongoing. So just to be clear there, these attacks remain, they are persistent. [15:33] No doubt. I think what you what you get when you discover this type of intrusion is that this is what is happening right now. 
[15:40] Obviously, you know, they were kicked out and the kind of immediate danger is over. [15:45] But that information is gone. And what we what we assume is happening is that this is the kind of playbook that China is running its cyber operations by now. [15:54] Because, of course, if they're capable of it on this scale once, they're doing it again. [15:59] In the scope of cyber hacks, Joe, where does Salt Typhoon rank? [16:04] Certainly it's up there with the most widespread and deep intrusions that we've seen. [16:11] I just think about the amount of data that was stolen in these in these breaches. [16:15] How on earth would would an organisation process all of that information, all that telemetry coming in, all the telco data, all the emails? [16:24] There's a huge amount of data coming in to the Chinese, you know, hacking, hacking team there. [16:29] And I bet they're still picking through it, trying to find intelligence. [16:32] But in terms of like whether we've seen anything similar, I was reading a report on this the other day, which was quite funny because someone described it as China doing a Snowden on America. [16:43] Because, of course, Edward Snowden, very famously the contractor for the NSA, he revealed that there was a massive system of surveillance that America was using on its citizens and the rest of the world called PRISM, which was bringing in an absolute, you know, dragnet of information to the security services. [17:02] And that's what that's what it's reminded people of. [17:05] It's sort of there's a sort of irony here where everyone's going crazy about Salt Typhoon and the information they've got when in fact, you know, this is years after America's was revealed to be doing that already. [17:15] So you're saying that the US government could be doing something very similar to other countries. [17:20] Yeah. 
And often it's it's put put to me that, you know, if they're not, then I want my tax tax dollars back because, you know, this is this is this is what it's all about. [17:28] Protecting a country is about stealing secrets, trying to trying to get ahead of information that's coming out of your adversaries and then preparing for what we don't want. [17:38] We absolutely do not want this, of course, but preparing for some sort of conflict. [17:41] And then cyber is now, we know, a big part of that. [17:44] I went to a briefing with a major cybersecurity CEO, massive company, one of the biggest players. [17:50] And we talked about all the things like Salt Typhoon, Volt Typhoon, all the things that Russia is doing. [17:55] And I put it to him, you know, are we doing this? Is the West doing this? [17:59] And he said, probably. And that's the interesting thing about this sort of conversation is that although we need to take them seriously. [18:06] And if you are a vendor or if you're a company that's meant to be protecting people's data and protecting our critical networks, then obviously, absolutely, you should sit up and pay attention and be concerned about this. [18:19] But at the same time, we have to have that zoom out approach where we realize that just because the West is saying one thing doesn't mean to say that they're not actually doing it themselves. [18:27] We don't really hear about the attacks that the West does on China. We don't hear about the attacks that the West does on Russia, but they are probably happening. [18:35] And I imagine that as the US is the biggest cyber superpower out there, they're probably doing all these things, too. [18:43] So you're saying, Joe, that China isn't the only country running some sort of cyber espionage operations. [18:49] Do you have a sense of what other countries might be doing the United States and what do we know if what China is doing is any different than that? 
[18:57] Well, I think, well, if you look at, for example, let's say North Korea, for example, North Korea, every country has a cyber based operation center where they do espionage, they do power projection, they do pre positioning for conflict. [19:13] So that is kind of we expect it to be happening. But North Korea is very different. [19:19] And they kind of stand alone in a sense because North Korean cyber actors, state sponsored, we know that they are hacking for money and they are making a huge amount of money. [19:27] They stole one point five billion dollars from a cryptocurrency exchange last year. [19:31] So, you know, they're bringing in they're really affecting the GDP. [19:34] Then you've got the kind of Russian approach, which is very much based around espionage and disruption and destruction. [19:41] Very much based around what the kind of the Kremlin's goals are. [19:45] When it comes to China, you have this everything is we think very controlled. [19:50] Everything comes from the CCP. [19:53] And it's it's a case of, right, what do we need to do to achieve our next our next aims? [19:58] And the kind of the way that China works, we know, is they have these ginormous five year, ten year plans where they want to become, for example, the leaders in AI, the leaders in quantum, whatever it is. [20:08] And we used to see many cases of the Chinese being complicit in hacking and stealing intellectual property. [20:15] Now it seems, of course, if things have moved on and they're carrying out many, many different types of attacks to to to carry out espionage and also to preposition. [20:25] When it comes to the U.S., we get very, very little data on this. [20:30] Interestingly, in terms of what the U.S. is. [20:32] Yes. And the U.K., you know, any NATO. [20:34] But there's this alliance called the Five Eyes Alliance, which is U.K., U.S., Australia, Canada and New Zealand. 
[20:42] And the kind of things they are doing together or individually, unfortunately, we just don't really hear about because of that that Western cyber security industrial base. [20:53] If they see an attack they think is carried out by the West, they'll just ignore it and we won't hear about it. [21:00] And also we don't really hear much from the Chinese or the Russians about Western. [21:05] About what the West is doing. [21:06] And I think that's a cultural thing. [21:07] It's changing slightly because I've noticed the last few years and I wrote about this recently that China is now starting to call out the West a little bit. [21:16] There was one recently where they discovered a hacking team, which they say is U.S. based, that had got into the the central timekeepers of the Chinese like industry. [21:28] There's some sort of clock that the Chinese industry relies on and the banking sector and like it's kind of like atomic time. [21:36] And they'd found some sort of cyber intrusion there, which they said and they said, you know, we think it's the Americans and they were going to plan to fiddle with this or mess with it or in some way cause disruption. [21:49] As again, it's a pre positioning is the implication there. [21:53] China has always called the U.S. the hacking capital of the world. [21:56] Russia is always accusing the U.S. of doing it. [21:58] But those kind of little insights are very, very rare. [22:01] I would love to know what the West is up to. [22:04] But sadly, I often just don't know. [22:06] Well, our show is about where the world and America meet. [22:11] And so, Joe, it's it's really so fascinating to hear you describe a climate in which we are hearing of cyber warfare, not just happening, you're saying from the Chinese, but clearly the Americans as well. [22:25] And it sounds like you're saying we don't have a clear sense then of which country is on top, because that's what what I wanted to ask you is as we move into an era where U.S. 
dominance is increasingly being challenged, the United States is not the sole superpower of the world. [22:40] Do you have a sense of which country has the upper hand in cyber surveillance, cyber warfare at this moment? [22:47] Well, the handily, there's a couple of universities that carry out quite regular assessments of this. [22:53] So there's the Belfer Institute and there's the International Institute for Strategic Studies as well. [22:58] And they have different metrics and different parameters for how they assess the cyber superpowers. [23:04] But so, for example, they'll go on. [23:06] What is the defense like in that country? [23:08] What is the surveillance state like? [23:10] What are the attack capabilities? [23:12] Both of them put U.S. at the top, both those different researchers independently of each other. [23:18] In fact, I think it's the International Institute for Strategic Studies. [23:23] They put America at the top as the only tier one capable actor out there. [23:28] Everyone else is tier two, tier three or not even on the list. [23:31] So they say America is way ahead in terms of as a cyber superpower. [23:35] Whereas the other university puts them as a sort of ahead of, but not that far away from what China is capable of. [23:43] They say the Belfer Center at Harvard University. [23:46] That's the one. Yeah. Yeah. [23:47] Okay. [23:48] So these researchers will both agree that America is the world's cyber superpower in all respects, [23:56] because of the little hints that we have had and things that we think they can do. [23:59] And I think what's interesting is the last sort of six months or so, [24:03] we have seen some more little insights into what America is capable of with the attack on Venezuela and the attack on Iran. [24:11] Only now we are starting to hear a little bit more because there's a lot of fog of war and all that stuff. 
[24:16] But we're starting to wonder whether or not and perhaps even confirm that cyber was used in both those attacks as a way to soften targets or kind of lay the groundwork for a conventional physical attack. [24:30] So I think those those little insights that we have may further help our understanding of who is kind of on top or not. [24:38] But certainly America seems to be ahead. [24:40] Well, Joe, it's been a pleasure speaking with you. Thanks so much. [24:44] Thank you. That was Joe Tidy, the BBC cyber correspondent. [24:48] And before that, Asma was talking to Anne Neuberger, former deputy national security adviser for cyber security under Joe Biden. [24:56] And that's it for today's episode. The Global Story is also a podcast. [25:00] We're available every weekday on bbc.com or wherever you listen. [25:05] Thanks for tuning in for this one. We'll see you next time. Cheerio.
