Chinese hackers who breached Google gained access to sensitive data, U.S. officials say
By Ellen Nakashima
Chinese hackers who breached Google’s servers several years ago gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, according to current and former government officials.
The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies.
It’s unclear how much the hackers were able to discover. But former U.S. officials familiar with the breach said the Chinese stood to gain valuable intelligence. The database included information about court orders authorizing surveillance — orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google’s Gmail service.
“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” said one former official, who, like others interviewed for this article, spoke on the condition of anonymity to discuss a highly sensitive matter. The official said the Chinese could also have sought to deceive U.S. intelligence officials by conveying false or misleading information.
Although Google disclosed an intrusion by Chinese hackers in 2010, it made no reference to the breach of the database with information on court orders. That breach prompted deep concerns in Washington and led to a heated, months-long dispute between Google and the FBI and Justice Department over whether the FBI could access technical logs and other information about the breach, according to the officials.
Google declined to comment for this article, as did the FBI.
Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company’s servers about the same time that Google’s system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by U.S. national security and law enforcement agencies.
“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, said at a conference near Washington, according to a recording of his remarks.
“If you think about this, this is brilliant counterintelligence,” he said in the address, which was first reported by the online magazine CIO.com. “You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”
Microsoft now disputes that its servers had been compromised as part of the cyberespionage campaign that targeted Google and about 20 other companies. Aucsmith, who cited that campaign in his remarks, said in a statement to The Washington Post that his comments were “not meant to cite any specific Microsoft analysis or findings about motive or attacks.”
The U.S. government has been concerned about Chinese hacking since at least the early 2000s, when network intrusions were discovered at U.S. energy labs and defense contractors. The FBI has for years led a national security investigation into Chinese cyberespionage, some of which has been linked to the Chinese military.
The Chinese, according to government, academic and industry analysts, have stolen massive volumes of data from companies in sectors including defense, technology, aerospace, and oil and gas. Gen. Keith B. Alexander, the director of the National Security Agency, has referred to the theft of proprietary data as the “greatest transfer of wealth in history.”
The Chinese emphatically deny that they are engaged in hacking into U.S. computer systems and have said that many intrusions into their own networks emanate from servers in the United States.
“The Chinese government prohibits online criminal offenses of all forms, including cyber attack and cyber espionage, and has done what it can to combat such activities in accordance with Chinese laws,” a Chinese Embassy spokesman, Yuan Gao, said in an e-mail. “We’ve heard all kinds of allegations but have not seen any hard evidence or proof.”
Experts said an elaborate network of interconnected routers and servers can make the Internet tailor-made for the shadowy work of spying and counterspying. It stands to reason, they said, that adversaries would be interested in finding vulnerabilities in the networks of the companies that authorize surveillance on behalf of the government.
“It is an absolute rule of thumb that the best counterintelligence tool isn’t defensive — it’s offensive. It’s penetrating the other service,” said Michael V. Hayden, a former director of the National Security Agency and the CIA, who said he had no knowledge of the incidents. Hacking into a surveillance database, he said, “is a form of that.”
Google’s crisis began in December 2009, when, several former government officials said, the firm discovered that Chinese hackers had penetrated its corporate networks through “spear phishing” — a technique in which an employee was effectively deceived into clicking a bogus link that downloads a malicious program. The hackers had been rooting around inside Google’s servers for at least a year.
Alarmed by the scope and audacity of the breach, the company went public with the news in January 2010, becoming the first U.S. firm to voluntarily disclose an intrusion that originated in China. In a blog post, Google chief legal officer David Drummond said hackers stole the source code that powers Google’s vaunted search engine and also targeted the e-mail accounts of activists critical of China’s human rights abuses.
As Google was responding to the breach, its technicians made another startling discovery: its database with years of information on surveillance orders had been hacked. The database included information on thousands of orders issued by judges around the country to law enforcement agents seeking to monitor suspects’ e-mails.
The most sensitive orders, however, came from a federal court that approves surveillance of foreign targets such as spies, diplomats, suspected terrorists and agents of other governments. Those orders, issued under the Foreign Intelligence Surveillance Act, are classified.
Google did not disclose that breach publicly, but soon after detecting it, the company alerted the FBI, former officials said. Bureau officials told FBI Director Robert S. Mueller III, who briefed President Obama.
At one point, an FBI supervisory agent working on Chinese cyberespionage cases traveled to Google’s Mountain View, Calif., headquarters to conduct a national security investigation, the former officials said. The company, without any guarantees about the scope of the investigation, denied access.
The bureau undertook an extensive assessment that included determining whether individuals under surveillance had moved to other means of communication. Although the assessment showed no damage to national security because of the breach, Google took steps to shield sensitive data.
Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, declined to comment on either the Microsoft or Google cases. But, he said, in general such intrusions serve as “a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector.
“Those,” he said, “clearly need strengthening.”