
Nicole Perlroth

Speaker
1380 total appearances

Podcast Appearances

To Catch a Thief: North Korea On Our Payroll
Ep 7: Everything Everywhere All At Once

Additional thanks to Hannah Pedersen, Sam DeBauer, and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.

For 18 months, a fragile calm descended on our digital borders. The CCP's hackers seemed to have just hung up their hats. And for a time, that giant whooshing noise of American IP being sucked back to China just stopped. All was quiet on the Eastern Front. Or so we thought.

In retrospect, it appears the PRC carefully studied the Snowden documents, got a look at the NSA's signals intelligence, and asked, how do we get that? Within months of the first leaks, Xi set up a standing cyber committee, one of a handful of committees that operates at the highest levels of the Chinese Communist Party.

Looking back now, it seems he charged it with mirroring and innovating upon the way the U.S. conducts its cyber operations. During its digital ceasefire, the PRC was actually busy consolidating disparate PLA hacking units under a new strategic support force, very similar to the Pentagon's own Cyber Command.

It moved responsibility for the country's most sensitive operations away from the smash-and-grab PLA to the stealthier and far more strategic Ministry of State Security, or MSS. Think of the MSS as a sort of combination of the FBI and NSA. It conducts espionage at home and abroad. But unlike the NSA, the MSS outsourced its sensitive operations to elite Chinese hackers all over the country.

It set up front companies that usually marketed themselves as cybersecurity firms. But in reality, their only job was to carry out clandestine attacks for the MSS. In other cases, they paid or forcefully encouraged individual gunslingers, think top engineers at China's most successful tech companies or students at its universities, to hack the world's most valuable targets.

This infusion of new blood, new talent into the hacking pool meant more than just a shift in the chain of command. It meant a radical advance in skill and tactics. I'm Nicole Perlroth, and this is To Catch a Thief. These hackers were no longer blasting into the building and announcing their presence. Here's John Hultquist, Mandiant's chief analyst.

Before 2015, attributing Chinese APTs by their attack style, whether phishing tactics or their malware, was a fairly straightforward practice. Rarely would you see a Chinese APT deploy advanced techniques or custom code. They barely tried to hide their tracks. By late 2016, it was a different story. Here's Kevin Mandia.

The first sign the game had changed is when I started getting tips about a spate of Chinese intrusions at aviation and aerospace companies in late 2016. Hackers weren't coming in the usual ways anymore. Instead of hacking their targets head-on, they were slipping in through a side door. They'd hacked the service providers that companies hire to manage their backend IT systems.

In industry parlance, these companies are known as MSPs, managed service providers. Breach one, and you get entry to potentially thousands of their customers. Some of these MSPs had names you've never heard of, but others, like IBM, you would definitely know. And the Chinese hackers doing this, they weren't one group working from one drab PLA building anymore.
