[ISN] The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)

InfoSec News isn at c4i.org
Mon Aug 29 14:07:49 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>


August 29, 2005

It was another routine night for Shawn Carpenter. After a long day 
analyzing computer-network security for Sandia National Laboratories, 
where much of the U.S. nuclear arsenal is designed, Carpenter, 36, 
retreated to his ranch house in the hills overlooking Albuquerque, 
N.M., for a quick dinner and an early bedtime. He set his alarm for 2 
a.m. Waking in the dark, he took a thermos of coffee and a pack of 
Nicorette gum to the cluster of computer terminals in his home office. 
As he had almost every night for the previous four months, he worked 
at his secret volunteer job until dawn, not as Shawn Carpenter, 
mid-level analyst, but as Spiderman--the apt nickname his 
military-intelligence handlers gave him--tirelessly pursuing a group 
of suspected Chinese cyberspies all over the world. Inside the 
machines, on a mission he believed the U.S. government supported, he 
clung unseen to the walls of their chat rooms and servers, secretly 
recording every move the snoopers made, passing the information to the 
Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that 
federal investigators code-named Titan Rain, first caught Carpenter's 
eye a year earlier when he helped investigate a network break-in at 
Lockheed Martin in September 2003. A strikingly similar attack hit 
Sandia several months later, but it wasn't until Carpenter compared 
notes with a counterpart in Army cyberintelligence that he suspected 
the scope of the threat. Methodical and voracious, these hackers 
wanted all the files they could find, and they were getting them by 
penetrating secure computer networks at the country's most sensitive 
military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of 
purpose. They would commandeer a hidden section of a hard drive, zip 
up as many files as possible and immediately transmit the data to way 
stations in South Korea, Hong Kong or Taiwan before sending them to 
mainland China. They always made a silent escape, wiping their 
electronic fingerprints clean and leaving behind an almost 
undetectable beacon allowing them to re-enter the machine at will. An 
entire attack took 10 to 30 minutes. "Most hackers, if they actually 
get into a government network, get excited and make mistakes," says 
Carpenter. "Not these guys. They never hit a wrong key."

Goaded by curiosity and a sense that he could help the U.S. defend 
itself against a new breed of enemy, Carpenter gave chase to the 
attackers. He hopped just as stealthily from computer to computer 
across the globe, chasing the spies as they hijacked a web of 
far-flung computers. Eventually he followed the trail to its apparent 
end, in the southern Chinese province of Guangdong. He found that the 
attacks emanated from just three Chinese routers that acted as the 
first connection point from a local network to the Internet.

It was a stunning breakthrough. In the world of cyberspying, locating 
the attackers' country of origin is rare. China, in particular, is 
known for having poorly defended servers that outsiders from around 
the world commandeer as their unwitting launchpads. Now Chinese 
computers appeared to be the aggressors.

If so, the implications for U.S. security are disturbing. In recent 
years, the counterintelligence community has grown increasingly 
anxious that Chinese spies are poking into all sorts of American 
technology to compete with the U.S. But tracking virtual enemies 
presents a different kind of challenge to U.S. spy hunters. Foreign 
hackers invade a secure network with a flick of a wrist, but if the 
feds want to track them back and shut them down, they have to go 
through a cumbersome authorization process that can be as tough as 
sending covert agents into foreign lands. Adding in extreme 
sensitivity to anything involving possible Chinese espionage--remember 
the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of 
igniting an international incident, it's not surprising the U.S. has 
found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting 
all details of the case are classified. But high-level officials at 
three agencies told TIME the penetration is considered serious. A 
federal law-enforcement official familiar with the investigation says 
the FBI is "aggressively" pursuing the possibility that the Chinese 
government is behind the attacks. Yet they all caution that they don't 
yet know whether the spying is official, a private-sector job or the 
work of many independent, unrelated hands. The law-enforcement source 
says China has not been cooperating with U.S. investigations of Titan 
Rain. China's State Council Information Office, speaking for the 
government, told TIME the charges about cyberspying and Titan Rain are 
"totally groundless, irresponsible and unworthy of refute."

Despite the official U.S. silence, several government analysts who 
protect the networks at military, nuclear-lab and defense- contractor 
facilities tell TIME that Titan Rain is thought to rank among the most 
pervasive cyberespionage threats that U.S. computer networks have ever 
faced. TIME has obtained documents showing that since 2003, the 
hackers, eager to access American know-how, have compromised secure 
networks ranging from the Redstone Arsenal military base to NASA to 
the World Bank. In one case, the hackers stole flight-planning 
software from the Army. So far, the files they have vacuumed up are 
not classified secrets, but many are sensitive and subject to strict 
export-control laws, which means they are strategically important 
enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department 
of Defense (DOD) alert obtained by TIME raises the concern that Titan 
Rain could be a point patrol for more serious assaults that could shut 
down or even take over a number of U.S. military networks. Although he 
would not comment on Titan Rain specifically, Pentagon spokesman Bryan 
Whitman says any attacks on military computers are a concern. "When we 
have breaches of our networks, it puts lives at stake," he says. "We 
take it very seriously."

As cyberspying metastasizes, frustrated network protectors say that 
the FBI in particular doesn't have enough top-notch computer gumshoes 
to track down the foreign rings and that their hands are often tied by 
the strict rules of engagement. That's where independents--some call 
them vigilantes--like Carpenter come in. After he made his first 
discoveries about Titan Rain in March 2004, he began taking the 
information to unofficial contacts he had in Army intelligence. 
Federal rules prohibit military-intelligence officers from working 
with U.S. civilians, however, and by October, the Army passed 
Carpenter and his late-night operation to the FBI. He says he was a 
confidential informant for the FBI for the next five months. Reports 
from his cybersurveillance eventually reached the highest levels of 
the bureau's counterintelligence division, which says his work was 
folded into an existing task force on the attacks. But his FBI 
connection didn't help when his employers at Sandia found out what he 
was doing. They fired him and stripped him of his Q clearance, the 
Department of Energy equivalent of top-secret clearance. Carpenter's 
after-hours sleuthing, they said, was an inappropriate use of 
confidential information he had gathered at his day job. Under U.S. 
law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he 
feels personally maligned--although he filed suit in New Mexico last 
week for defamation and wrongful termination. The FBI has acknowledged 
working with him: evidence collected by TIME shows that FBI agents 
repeatedly assured him he was providing important information to them. 
Less clear is whether he was sleuthing with the tacit consent of the 
government or operating as a rogue hacker. At the same time, the 
bureau was also investigating his actions before ultimately deciding 
not to prosecute him. The FBI would not tell TIME exactly what, if 
anything, it thought Carpenter had done wrong. Federal 
cyberintelligence agents use information from freelance sources like 
Carpenter at times but are also extremely leery about doing so, afraid 
that the independent trackers may jeopardize investigations by 
trailing foes too noisily or, even worse, may be bad guys themselves. 
When Carpenter deputized himself to delve into the Titan Rain group, 
he put his career in jeopardy. But he remains defiant, saying he's a 
whistle-blower whose case demonstrates the need for reforms that would 
enable the U.S. to respond more effectively and forcefully against the 
gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks 
were uncovered, why they are considered a significant threat now under 
investigation by the Pentagon, the FBI and the Department of Homeland 
Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan 
Rain routers in Guangdong, he carefully installed a homemade bugging 
code in the primary router's software. It sent him an e-mail alert at 
an anonymous Yahoo! account every time the gang made a move on the 
Net. Within two weeks, his Yahoo! account was filled with almost 
23,000 messages, one for each connection the Titan Rain router made in 
its quest for files. He estimates there were six to 10 workstations 
behind each of the three routers, staffed around the clock. The gang 
stashed its stolen files in zombie servers in South Korea, for 
example, before sending them back to Guangdong. In one, Carpenter 
found a stockpile of aerospace documents with hundreds of detailed 
schematics about propulsion systems, solar paneling and fuel tanks for 
the Mars Reconnaissance Orbiter, the NASA probe launched in August. On 
the night he woke at 2, Carpenter copied a huge collection of files 
that had been stolen from Redstone Arsenal, home to the Army Aviation 
and Missile Command. The attackers had grabbed specs for the 
aviation-mission-planning system for Army helicopters, as well as 
Falconview 3.2, the flight-planning software used by the Army and Air 

Even if official Washington is not certain, Carpenter and other 
network-security analysts believe that the attacks are Chinese 
government spying. "It's a hard thing to prove," says a 
network-intrusion-detection analyst at a major U.S. defense contractor 
who has been studying Titan Rain since 2003, "but this has been going 
on so long and it's so well organized that the whole thing is state 
sponsored, I think." When it comes to advancing their military by 
stealing data, "the Chinese are more aggressive" than anyone else, 
David Szady, head of the FBI's counterintelligence unit, told TIME 
earlier this year. "If they can steal it and do it in five years, why 
[take longer] to develop it?"

Within the U.S. military, Titan Rain is raising alarms. A November 
2003 government alert obtained by TIME details what a source close to 
the investigation says was an early indication of Titan Rain's ability 
to cause widespread havoc. Hundreds of Defense Department computer 
systems had been penetrated by an insidious program known as a 
"trojan," the alert warned. "These compromises ... allow an unknown 
adversary not only control over the DOD hosts, but also the capability 
to use the DOD hosts in malicious activity. The potential also exists 
for the perpetrator to potentially shut down each host." The attacks 
were also stinging allies, including Britain, Canada, Australia and 
New Zealand, where an unprecedented string of public alerts issued in 
June 2005, two U.S. network-intrusion analysts tell TIME, also 
referred to Titan Rain--related activity. "These electronic attacks 
have been under way for a significant period of time, with a recent 
increase in sophistication," warned Britain's National Infrastructure 
Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies 
digging into the problem. Both the cybercrime and counterintelligence 
divisions of the FBI are investigating, the law-enforcement source 
tells TIME. But while the FBI has a solid track record cajoling 
foreign governments into cooperating in catching garden-variety 
hackers, the source says that China is not cooperating with the U.S. 
on Titan Rain. The FBI would need high-level diplomatic and Department 
of Justice authorization to do what Carpenter did in sneaking into 
foreign computers. The military would have more flexibility in hacking 
back against the Chinese, says a former high-ranking Administration 
official, under a protocol called "preparation of the battlefield." 
But if any U.S. agency got caught, it could spark an international 

That's why Carpenter felt he could be useful to the FBI. Frustrated in 
gathering cyberinfo, some agencies have in the past turned a blind eye 
to free-lancers--or even encouraged them--to do the job. After he 
hooked up with the FBI, Carpenter was assured by the agents assigned 
to him that he had done important and justified work in tracking Titan 
Rain attackers. Within a couple of weeks, FBI agents asked him to stop 
sleuthing while they got more authorization, but they still showered 
him with praise over the next four months as he fed them technical 
analyses of what he had found earlier. "This could very well impact 
national security at the highest levels," Albuquerque field agent 
Christine Paz told him during one of their many information-gathering 
sessions in Carpenter's home. His other main FBI contact, special 
agent David Raymond, chimed in: "You're very important to us," Raymond 
said. "I've got eight open cases throughout the United States that 
your information is going to. And that's a lot." And in a letter 
obtained by TIME, the FBI's Szady responded to a Senate investigator's 
inquiry about Carpenter, saying, "The [FBI] is aggressively pursuing 
the investigative leads provided by Mr. Carpenter."

Given such assurances, Carpenter was surprised when, in March 2005, 
his FBI handlers stopped communicating with him altogether. Now the 
federal law-enforcement source tells TIME that the bureau was actually 
investigating Carpenter while it was working with him. Agents are 
supposed to check out their informants, and intruding into foreign 
computers is illegal, regardless of intent. But two sources familiar 
with Carpenter's story say there is a gray area in cybersecurity, and 
Carpenter apparently felt he had been unofficially encouraged by the 
military and, at least initially, by the FBI. Although the U.S. 
Attorney declined to pursue charges against him, Carpenter feels 
betrayed. "It's just ridiculous. I was tracking real bad guys," he 
says. "But they are so afraid of taking risks that they wasted all 
this time investigating me instead of going after Titan Rain." Worse, 
he adds, they never asked for the passwords and other tools that could 
enable them to pick up the investigative trail at the Guangdong 

Carpenter was even more dismayed to find that his work with the FBI 
had got him in trouble at Sandia. He says that when he first started 
tracking Titan Rain to chase down Sandia's attackers, he told his 
superiors that he thought he should share his findings with the Army, 
since it had been repeatedly hit by Titan Rain as well. A March 2004 
Sandia memo that Carpenter gave TIME shows that he and his colleagues 
had been told to think like "World Class Hackers" and to retrieve 
tools that other attackers had used against Sandia. That's why 
Carpenter did not expect the answer he claims he got from his bosses 
in response to Titan Rain: Not only should he not be trailing Titan 
Rain but he was also expressly forbidden to share what he had learned 
with anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter 
felt he could not accept that injunction. After several weeks of angry 
meetings--including one in which Carpenter says Sandia 
counterintelligence chief Bruce Held fumed that Carpenter should have 
been "decapitated" or "at least left my office bloody" for having 
disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, 
Sandia was reluctant to discuss specifics but responded to TIME with a 
statement: "Sandia does its work in the national interest lawfully. 
When people step beyond clear boundaries in a national security 
setting, there are consequences."

Carpenter says he has honored the FBI's request to stop following the 
attackers. But he can't get Titan Rain out of his mind. Although he 
was recently hired as a network-security analyst for another federal 
contractor and his security clearance has been restored, "I'm not 
sleeping well," he says. "I know the Titan Rain group is out there 
working, now more than ever." --With reporting by Matthew 
Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine 
Copyright © 2005 Time Inc. All rights reserved.

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list