To his American friends and contacts, Stephen Su was an affable businessman and gregarious guy.
“People liked him,” Bob Anderson, the FBI’s former head of counterintelligence, told me. “They didn’t think he was an asshole and I know that sounds stupid, but people are people and that’s how it started.”
Stephen Su, who also went by his Chinese name Su Bin, lived in his native China but traveled frequently to the United States and Canada, to build a business in the aviation and aerospace sectors. His company, Lode-Tech, was a small player in a field of giants. It focused on manufacturing aircraft cable harnesses, a product safely at the low-tech end of the military aircraft sector. However, over the course of some five years, from 2009 to 2014, Su steadily and deliberately built a network of close business contacts inside far bigger U.S. and Canadian defense contractors with some of the most sensitive U.S. military contracts. As Anderson explained, Su made it a point to get to know the people who had access to those technologies, or people who knew the people who had such access, and “getting them to trust him.”
His contacts described Su as an ideal partner, intent on making deals that benefited not only himself but also his American and Canadian counterparts. He was all about business, but he was also good company. Over the years, he enjoyed dozens of expensive dinners over wine at some of the best restaurants in Seattle, Vancouver, and Los Angeles.
“So, he cultivates you so over time,” Anderson recalled. “First, you’re just buddies and then after that, ‘What are you working on? What are you doing? Boy, that’s really interesting.’ Then, in a lot of these cases he’ll talk about, ‘Well, you know, there’s a great way that we can make money at this.’ Or ‘There’s a great way that me and you could become partners with different individuals I know that would want access to information like this.’”
The information Su was most interested in related to three of the most advanced U.S. military aircraft ever built, the Lockheed Martin F-35 and F-22 stealth fighters and the Boeing C-17 Globemaster transport aircraft. Though they were the products of two of the Pentagon’s biggest military contractors, each drew on thousands of components sourced from dozens of smaller suppliers. That supply chain provided numerous ins for Su—as well as a convenient explanation for any partners who grew concerned about the kind of information he was looking for.
“Su would say, ‘I’m not asking you to give me the F-35, but what’s it matter if I get one system out of it that we could sell to a friend or a prospective client?’” said Anderson. “And then go from there, and it takes time.”
Unbeknownst to his contacts, Su wasn’t working alone. In fact, he was part of a three-person, cross-border team, with Su in North America, and his two partners—identified in the FBI’s 2014 criminal complaint only as “uncharged co-conspirator 1” and “uncharged co-conspirator 2”—from mainland China. According to the FBI, Su would identify valuable computer files inside the target companies, then transmit that information to partners in China, who would hack their way into the target companies’ computer systems to steal the identified files. The team would then sell the stolen files to interested parties in China, namely state-owned enterprises in the military sector. As the criminal complaint noted, they did so not only at the behest of the Chinese government but also “for their personal profit.” This was espionage for both country and their bank accounts.
Emails later obtained by the FBI showed that their modus operandi was simple and efficient. The team came together for the first time in the summer of 2009, when Su sent the first emails to his co-conspirators identifying potential targets inside the United States. In an email dated August 6, 2009, Su attached a password-protected Excel spreadsheet containing the email addresses, telephone numbers, and positions of some eighty engineers and other personnel working on a new military project. Su’s tradecraft could be low-tech, even clumsy. The subject line for the August 6 email was “My Cell Phone Number,” which the FBI later discovered indicated that the password for the protected Excel file was simply the number for Su’s cell phone.
Four months later, on December 14, 2009, Su sent a similar email, this time with the subject line “Target,” listing the names and positions of four other executives, including the president and vice presidents of a company that manufactured weapons control and electronic warfare systems for the U.S. military. Later FBI analysis would determine that the divisions identified in those early emails matched targets later hacked by Su’s team.
The hackers’ next step resembled methods used by Russian hackers to penetrate the Democratic Party during the 2016 U.S. presidential election. The hackers sent so-called phishing emails to employees of the target company designed, as the FBI explained, “to appear as if it came from a colleague or legitimate business contact.” If the recipient clicked on a link contained in the email, or opened a document attachment, an “outbound connection” would be established between the victim’s computer and another in China under the hackers’ control. Because that connection was initiated from inside the company, it passed through perimeter firewalls that block unsolicited inbound traffic but let employees’ computers reach the internet. The hackers would then install malware on the victim’s computer, allowing them to control the computer remotely and—more alarmingly—explore the company’s entire network.
Su and his team took careful steps to conceal the origin of their cyber intrusion. To do so, the hackers’ outbound connection from the target company would be routed through a series of servers in a number of different countries around the world. These “hop points,” as they are known, would obscure who was doing the hacking and where they were operating from—if and when the hackers were discovered.
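The mechanics described in the two paragraphs above (a victim machine initiating a connection outward to attacker infrastructure, and that infrastructure being only the first of several hops) are also what makes this kind of intrusion detectable from inside the victim's network. The following Python script is an added example, not code from the book, from the FBI complaint, or from any company named in the text. It runs over a constructed egress log and flags internal hosts that contact one external address at suspiciously regular intervals, the "beaconing" pattern of remote-control malware checking in with its operator. The log format, host names and IP addresses are invented for illustration.

```python
"""Flag periodic outbound connections ("beacons") in an egress log.

Added example for this excerpt; it is not code from the book, the FBI
complaint, or any company named in the text. The log format, host names
and addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log, one connection per line:
# "<ISO-8601 timestamp> <internal host> <destination IP> <destination port>"
# ws-eng-12 reaches 203.0.113.45 every ~5 minutes and no other internal host
# talks to that address. The remaining entries are ordinary, bursty traffic.
SAMPLE_LOG = """\
2009-12-15T09:00:03 ws-eng-12 203.0.113.45 443
2009-12-15T09:05:02 ws-eng-12 203.0.113.45 443
2009-12-15T09:10:04 ws-eng-12 203.0.113.45 443
2009-12-15T09:15:03 ws-eng-12 203.0.113.45 443
2009-12-15T09:20:02 ws-eng-12 203.0.113.45 443
2009-12-15T09:00:10 ws-eng-12 198.51.100.7 443
2009-12-15T09:01:44 ws-eng-07 198.51.100.7 443
2009-12-15T09:07:31 ws-eng-07 198.51.100.7 443
2009-12-15T09:33:12 ws-eng-21 198.51.100.7 443
2009-12-15T10:12:55 ws-eng-07 192.0.2.99 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(port)))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Return (host, dst) pairs whose connection timing is suspiciously regular.

    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation of the gaps between them (std dev / mean)
    is at most `max_jitter`. Human-driven traffic is bursty; malware checking
    in on a timer is not. `peer_hosts` records how many internal hosts
    contacted the same destination: a command-and-control relay is usually
    reached by only one or two machines, unlike a popular web service.
    """
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, host, dst, _port in records:
        by_pair[(host, dst)].append(ts)
        hosts_per_dst[dst].add(host)

    findings = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "host": host,
                "dst": dst,
                "count": len(stamps),
                "mean_interval_s": avg,
                "jitter": jitter,
                "peer_hosts": len(hosts_per_dst[dst]),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval_s']:.0f}s (jitter {f['jitter']:.3f}), "
              f"{f['peer_hosts']} internal host(s) use this destination")
```

On the sample data the script flags only ws-eng-12 talking to 203.0.113.45 (five connections roughly 300 seconds apart, sole internal client of that address); the other destinations are either contacted too few times or at irregular intervals. One caveat that follows directly from the excerpt: the flagged address is just the first hop point, so its geolocation or registrant says little about who is actually operating the connection. The detection value lies in the internal host and the timing, which is also why the next step is to examine that machine rather than the remote address.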
As they wrote in a 2013 internal report obtained by the FBI, “In order to avoid diplomatic and legal complications, surveillance work and intelligence collection are done outside China. The collected intelligence will be sent first by an intelligence officer via a preordered temporary server placed outside China or via a jump server which is placed in a third country before it finally gets to the surrounding regions/areas or a work station located in Hong Kong or Macao.”
The final step in their theft—that is, the final “hop” back to their clients in mainland China—did not go over computer networks at all. Su and his partners set up what they referred to as “machine rooms” in Hong Kong and Macao where the stolen intelligence would be collected and then carried across the border into China by hand.
“The intelligence is always picked up and transferred to China in person,” they wrote in a 2013 email.
As it turns out, Su and his partners would have unfettered access inside Boeing’s network for three years before the intrusion was first discovered. During that time, they would claim to have stolen some 630,000 digital files—totaling a gargantuan 65 gigabytes of data—on the C-17 alone. They stole tens of thousands more files on the F-22 and F-35.
Su Bin’s team, while enormously successful, was just one small part of a massive army of Chinese hackers dedicated to stealing America’s most sensitive government and private sector secrets. Over the last two decades, China has built an enormous infrastructure charged with cyber espionage. The Office of the U.S. Trade Representative estimates that the United States loses up to $600 billion per year in intellectual property. Since it deems China “the world’s principal IP infringer,” the USTR believes China may be responsible for the bulk of those losses.
The theft of U.S. secrets is one of the most insidious fronts of the Shadow War: constant, deeply damaging to national security, and happening in plain sight. During my time as chief of staff at the U.S. embassy in Beijing, U.S. firms—though aware of the theft—often refused to ask for government help, or even to identify cyber breaches, for fear of alienating their Chinese partners or losing access to the Chinese market altogether. In fact, China’s strategy relies on—and cultivates—that fear.
One senior U.S. law enforcement official described China’s espionage apparatus to me as akin to a “tapeworm,” feeding off tens of thousands of U.S. institutions and individuals, to siphon away America’s most treasured asset: its ingenuity. Beijing’s goal is nothing short of surpassing the United States as the world’s most powerful and most technologically advanced superpower. Chinese leaders would prefer to do so peacefully, but if there is a war, they want to level the battlefield.
This is not simply conjecture. It is reflected in the rhetoric of the highest levels of Chinese leadership. President Xi Jinping envisions China at the forefront of innovation by 2035 and, beyond this, as a leading global power by 2050. Noble goals to be realized, but ones that the leadership has shown it believes will necessitate some leapfrogging—and even cyber espionage—along the way.
“This is about world domination and when or if there has to be a conflict—and unfortunately there probably will be one—they want to be mano a mano, if not better than the U.S., and that’s what they’ve set their sights on for the last thirty or forty years,” Anderson explained.
Cyber espionage may seem like a softer, less bloody front of the Shadow War. However, Anderson says that Chinese security services operate as brutally in cyberspace as on any other battlefield.
“The Chinese are more vicious than the Russians,” Anderson told me, pausing to make sure I was listening. “They will kill people at the drop of a hat. They will kill families at the drop of a hat. They will do it much more quietly inside of China or in one of their territories, but they absolutely—if they have to—will be a very vicious service.”
Excerpted from The Shadow War by Jim Sciutto. Copyright 2019 by Jim Sciutto. Published with permission from Harper Books and HarperCollins Publishers.
Jim Sciutto is CNN’s chief national security correspondent and anchor of CNN Newsroom. After more than two decades as a foreign correspondent stationed in Asia, Europe, and the Middle East, he returned to Washington to cover the Defense Department, the State Department, and intelligence agencies for CNN. His work has earned him Emmy Awards, the George Polk Award, the Edward R. Murrow award, and the Merriman Smith Memorial Award for excellence in presidential coverage. A graduate of Yale and a Fulbright Fellow, he lives in Washington, D.C., with his wife, Gloria Riviera, who is a journalist for ABC News, and their three children.