Operation Aurora | HACKING GOOGLE | Documentary EP000

Captions
[♪ lively music ♪] [Narrator] In the mid-'50s, toy trains weren't something you got into because you wanted to change the world. It was a sleepy hobby for painting cars and carefully positioning trees. Until someone came along and saw model trains for what they really are, a network. A group of bored computer science students started a tech model railroad club and changed everything. [♪ upbeat rock music ♪] The gang broke into the college's mainframe. They soldered in phone lines to control trains independently. [train whistling] Where most saw a dorky hobby, they saw the potential to derail a whole system. [trains crashing and exploding] They even wrote a dictionary to define what they were doing, applying ingenuity to create clever results, or as they called it, "Hacking." [typewriter dinging] [♪ upbeat rock music ♪] And just like that, the world's first computer hackers were born. [♪ rhythmic beat ♪] [train whistling] [train chugging] [♪ upbeat music ♪] [buttons beeping] [whooshing sound] [Narrator] The years passed and hackers found their home on the personal computer. There they rediscovered the thing that they knew best, networks. Nothing had changed. They were still testing what their toys could do. Only now networks had become central to our lives. Banking. Transport. Agriculture. Governments. Suddenly, hackers had the power to derail much more than toy trains. [♪ dramatic music ♪, text whirring] Some used that power for their own gains. Heavily funded nation states waged war, criminal gangs stole millions and then, they came for people. The data of billions of users who rely on the internet to live their daily lives. And who could stop them? The only ones who understood the internet like the attackers. [keys typing] The hackers. Those who were breaking the system in order to make it safer, the ones who saw the system for what it was, a network worth protecting. 
[♪ anthemic music ♪] When it's your job to keep billions of people safe online, you have to live and breathe and see the internet just like the attackers do because the only way to stop a hacker is to think like one. [footsteps clacking] [♪ ‘The Wheel’ by SOHN ♪] [silence] [Heather] This is not weird at all. [Director laughs] [Director] Just another day at the office. [Heather laughs] [Heather] My name is Heather Adkins. I'm a VP of Security Engineering at Google. When I have to tell people what I do for work, it's really difficult. It's really complicated. So I usually just tell them that I keep the hackers out of Google. And I think most people understand what that means. [door clicking] [Narrator] Heather has filled just about every security role imaginable at Google, leading teams on the front lines of every major cyber attack against the company and its users. If you've heard of it, she's defended against it. And if you haven't heard of it, you can thank her for that too. So when you wanna know about the most devastating attack in Google's history, there's probably no one better to ask than her. [Heather] Let's see what the right intro for that is. Um... [Narrator] What better intro than the song of the summer. [♪ 'Bulletproof' by La Roux ♪, ♪ This time baby, ♪] [Narrator] Welcome to 2009. [♪ I'll be bulletproof ♪] [Heather] 2009 was an exciting time at Google. [Reporter 1] Google. [Reporter 2] Google. [Reporter 1] Google’s Android. [Reporter 2] Android software. [Reporter 3] Street viewing— [Reporter 4] Nine directional cameras— [Reporter 6] Preparing to launch its own operating system. [Reporter 7] An operating system— [Sundar Pichai] Very simple, very intuitive. It just works. [Heather] Building new and interesting products and building security into those products and the infrastructure. We thought we were doing a pretty good job. [♪ upbeat music ♪] So it was a— a shocking moment to have everything sort of [dramatic whoosh] stop. December 14th. 
It was around 4 p.m. Just come out of my last meeting of the day, returned to my desk and found a hive of energy nearby. [computer buzzing, ♪ dramatic music ♪] Everyone's standing around a computer, sort of talking and they told me that they'd found some very interesting activity. [Narrator] That interesting activity was the result of one message sent to a Google employee. A casual question [messages dinging] with this seemingly innocent link. [♪ dramatic music ♪] On any given day, there are over five billion links clicked across the internet. [♪ music crescendo ♪] But this particular link changed the course of cybersecurity history. It opened a website hosted across the world and started invisibly downloading malicious software onto the Google employee's computer. And just like that, they were in. The attackers used that single entry point to establish a foothold on Google's network. [♪ dramatic music ♪] [call ringing] [Tim] I was contacted by an incident responder and they said, "Hey, we think we have something on one of your Windows machines." So the pull for me into security was one that was kind of cataclysmic I would say, right? But it really struck me as something that I wanted to be part of. [Narrator] At the time, security was nowhere near Tim Nguyen's job title. He was responsible for maintaining all the Windows systems running at Google, which explains why he got a call about one of his— [Tim] Machines— [Narrator] Acting strangely. [Tim] Um... Honestly, I was pretty naive. I mean, I thought okay, one machine was compromised. That sucks, right? My day sucks. But literally by the hour it got worse. It was a server that was meant for testing. It was tucked away in a corner of a data center. And the attacker had really set up home on that network. [♪ dramatic music ♪] [Eric] We could see right away. I mean, there should not be a breach of this size. That just shouldn't be happening. [Narrator] This is Eric Grosse. 
He was the head of Google's Privacy and Security Team when all of this went down. [Eric] We did not have playbooks for how to deal with all this. [♪ dramatic music ♪, computer beeping] [Heather] This wasn't an ordinary security event. The speed and the ability for the attacker to learn on the fly, change their tactics. It was extraordinary. It was different. It was unique. [Eric] I mean, my world had just changed, right? We dropped everything and focused on this. [♪ upbeat music ♪] [Tim] The following day, I was pinged again. [call ringing] [Caller] “Tim, can you come to the war room? There's a few of us here looking at additional machines.” [Tim] I was like okay. By the third day, I just went straight to the war room. I didn't even go back to my desk. And that's where I sat for I think the next six weeks straight. [Heather] The investigation started with one dedicated conference room. And that quickly grew into three conference rooms, then four conference rooms and then suddenly a whole building. [Narrator] They came by plane, train, automobile and any means necessary. [bike bell ringing] Traveling in person or dialing in daily. [phone buttons beeping] [Caller 1] Hey, good morning. [Caller 2] Buenos días. [Narrator] Specialized engineers like Mike Sinno flew in from New York. [Mike] I was up at 2:30 that morning to catch the 6 o'clock flight. [Narrator] And the head of Incident Response called off his vacation. [Darren] I was on holiday in New Zealand, so I did some of the work remotely, attempting to do forensics over dial-up. [modem sounds] [fist banging] But pretty soon it became, I booked the first flight, turn up in Mountain View and make it happen. [Mike] I remember landing in San Francisco Airport and from that point, we were barreling down the highway at like 100 miles an hour and it didn't slow down for weeks afterwards. [Narrator] A patchwork team assembled from around the globe. Heather raised the beacon. Googlers answered. 
And she immediately put them to work. [Mike] It definitely felt like something out of a spy movie. Heather handed me a list of machines and said, "Go get them. Go haul hard drives out of machines all over campus." And this is in the middle of the night. So we hop in the rental car and we're driving around campus in the dark. We've got a bunch of flashlights, running through buildings, capturing machines to do forensics on them. First, we started trying to unscrew, then pull the hard drives out but we decided that was taking too long. So we were just taking their machine. [Darren] Just unplugging the systems and leaving a post-it note for them. [laughs] “Security was here. Please call this number.” [Mike] We had a stack of hard drives and a stack of machines in the trunk of the car. [Darren] By that stage, we had a number of people just kind of churning through, looking at the different systems and figuring out like, “What happened on this machine?” [Narrator] While the team was running forensics around the clock, Heather raised the alarm for others in the industry. [phone vibrating] [Dmitri] I got this call from Heather Adkins who wanted to chat with me about something that they had discovered at Google. [Narrator] Enter Dmitri Alperovitch. He's the chairman of Silverado Policy Accelerator, a global cybersecurity think tank. But back in 2009, he was honing his craft at a security firm called McAfee. What began as professional courtesy, turned into partnership as Dmitri and his team were willing to roll up their sleeves. [Dmitri] Google shared malware code with us. Zeros and ones effectively. So we immediately put a team on trying to dissect that exploit, understand how it works. And most of it is mumbo jumbo to an average person if they're not proficient in programming. But occasionally you see these code words that will be recognizable to anyone. The word Aurora jumped out immediately in those first minutes of looking at the malware. [Narrator] Aurora. 
Why would that jump off the page? Well... [♪ 'Marche Slave, Op. 31' by Pyotr Tchaikovsky ♪] October 1917. A shot rings out from a Russian ship [cannon booming] patrolling the Baltic. The shell was empty. The message wasn't. A shot that would start the Russian revolution. [film whirring] And forever change the course of the 20th century. And the name of the battleship that fired the fateful shot? You guessed it. Aurora. [Dmitri] When I saw it, I instantaneously knew that we had to name the whole operation Aurora. [♪ Russian music remixed ♪] [Narrator] Because just as the battleship Aurora fired a single shot that sent shock waves resonating decades afterward— [Dmitri] Operation Aurora in cyberspace I think had a similar effect. The world has changed. We had to change everything about the industry's approach to cyber security to deal with this new threat. [machine buzzing] [♪ pensive music ♪] [Heather] When you get attacked, it's a bit like playing a game of chess. If your opponent opposite you knows every move you're going to make, it's going to be very easy for them to build countermoves to checkmate. We wanted to keep that element of surprise for as long as possible by studying as much as we can about the attack and then cutting them off instantaneously. [♪ suspenseful music ♪] [Narrator] The team went to great lengths to keep the investigation absolutely secret. [Eric] We pretty much had to lock down the entire floor. [Narrator] There was a secret list of who could come in or out. [Heather] We would put security guards outside the door, a little bit speakeasy-style. You had to kind of know how to get in. [Narrator] Even cleaning staff weren't allowed in the main war room. [Darren] Pizza boxes and empty coffee cups kind of spread throughout the room. [Heather] It was smelly for quite some time. [Narrator] They stopped corresponding with each other online. [Heather] Just in case we were being watched. The access controls to the room were tight. 
[Tim] We had Senior VPs, we had the founders of the company with us. It was—you know, it was tense. [♪ dramatic music ♪] [Heather] As you're building this picture of how the attacker is working, it's a rush of adrenaline because you can start to plot points of how to eradicate them from the network. [Narrator] The team narrowed in, set traps and positioned themselves to move on the attacker. There was only one problem: holiday break. [♪ festive music ♪] [Heather] We always wonder if the attackers picked the holidays on purpose. [Mike] They know most people aren't paying attention during the holidays. [Heather] It wasn't our first Christmas where something interesting had come up. [Narrator] Just before springing on the attacker, the team pivoted. [Heather] We suddenly decided we wanted to be very radical in our approach. [Narrator] So what was that radical approach? [Mike] We knew we had to get everyone off the network now. We had to make the biggest change we ever made to our infrastructure and we had to do it in less than an hour. [Narrator] And who would be responsible for pulling the trigger? [Tim] I drew the short straw, so part of my role was really to cut off everybody from the network. [Narrator] That's right. Everybody. Google engineers, security researchers, even Heather. [Heather] Yeah. [Narrator] Were to be cut off from the network and their passwords reset. [Tim] I did not make any friends at the company over Christmas. [Narrator] This was the only option to make absolutely sure that any hooks the attacker had at Google were completely eradicated. And with that the team hit go. [♪ ‘Carol of the Bells’ by Mykola Leontovych ♪] Systematically purging the attacker from all systems all at once. The attacker was banished from the network. [♪ pensive music ♪] But one question still remained: who was behind this attack? [keys typing] [Heather] On January 12th of 2010, Google announced it had witnessed a sophisticated and targeted attack. 
[Dmitri] It was shocking. Google was one of the first companies ever that voluntarily disclosed that they'd been hacked. [Heather] And in the investigation of that event, we found that at least 20 other companies were compromised as well. We were able to lend some experience that we'd gathered. [Dmitri] Not only did they come out and publicly reveal that they'd been hacked but for the first time, they were able to attribute an attack. [♪ suspenseful music ♪, cameras clicking] [Nicole Wong] In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure, originating from China. We discovered in our investigation that the accounts of dozens of Gmail users around the world who advocate for human rights in China appeared to have been accessed by third parties. [Jay Carney] The President is obviously aware of it. As with all intrusions, we employ an all-of-government approach with the appropriate agency in the lead. In this case, the FBI is coordinating the response. [Reporter] Now, the cyber battle has heated up and may have far-reaching consequences. [Eric] I didn't used to think that a foreign military would come after us and now they obviously are. Well, where are the new boundaries? What's internationally accepted legitimate action? [♪ dramatic music ♪] [Heather] It's not a surprise that we would see governments hacking each other. I think it's a little bit of a surprise to us when we saw attacks happening against private companies, against companies that were enabling business online, helping students learn, helping people express themselves. [♪ music crescendo ♪] That seemed out of bounds. [Eric] We view it as our job to stand between these very capable government attackers and individuals who can't possibly be expected to defend against that. We chose to stand in between. [Heather] We stopped them. But I'm not convinced that they would never try again. 
[♪ lively music ♪] [footsteps clattering, voices murmuring] [Heather] So we decided we wanted to start making radical changes, not just rebuilding things the way that we had them before but we wanted to do things completely different. Ways people have never dreamed of before, ways attackers had never dreamed of before. We were gonna change the battlefield. [♪ dramatic music ♪] I'm realistic that there will be threat actors who want to do the same thing. But if they do try again, I want them to have a very bad day. [♪ pensive music ♪] [♪ anthemic music ♪] [Shane] The primary job of threat analysis is to understand the attacker so we can counter them and we can protect our users from them. [Toni] Um... We're dark wizard catchers. [Shane] Government-backed threats. [Camille] Ransomware. [Toni] Phishing messages. [Camille] It's essentially a field of landmines. [Shane] Hostile actors are trying to interfere with elections. [Toni] It's not enough to draw a fence around the people that you see on the front page of the newspaper. We have to secure everyone. [Michael] There are bad actors online who would not like to see democracy succeed.
Info
Channel: Google
Views: 5,875,007
Keywords: hacker, cyber security, hacking, cyber, vulnerability, security, cyber attack, infosec, hacked, career, cybersecurity, malware, python, zero-day attack, zero-day, internet security, computer science, computer programming, programming, reverse engineer, software engineering, programming language, software development, bug bounty, ethical hacking, hacking tools, wifi hacking, flipper zero, hacking gadgets, hacking tutorial, linux, hackers, remote access, man in the middle
Id: przDcQe6n5o
Length: 18min 25sec (1105 seconds)
Published: Mon Oct 03 2022