Cyber-Gaslighting: An Intimate Weapon in Modern Cyber Warfare

By Justin Spring. Justin Springer is currently enrolled in IWP's Professional Master of Arts in Statecraft and Strategy.

On January 14, 2012, the same day that Ma Ying-Jeou won re-election as President of the Republic of China (Taiwan), multiple computers in Therese Shaheen’s home turned and displayed multiple fake Skype accounts. The usernames were combinations of names of her friends, business partners, and co-workers. Some even used personal nicknames known to only a few people. This began an almost decade-long cyber-gaslighting attack against the former diplomat, costing her over a million dollars and years of anxiety and familial turmoil.

Gaslighting refers to the psychological manipulation of an individual that leads the victim to question their perception of reality, often leading to confusion and uncertainty regarding their own mental stability. The attacks Shaheen endured were a result of navigating the complex landscape of Chinese, Taiwanese, and U.S. relations in the early 2000s. 

In 2002, Shaheen joined the Bush administration as the Chairman and Managing Director of the American Institute in Taiwan (AIT), the United States’ de facto embassy in Taiwan. During her tenure as AIT Chairman, Shaheen earned the ire of some of the Chinese Communist Party (CCP)-aligned members of the Chinese National Party, the Kuomintang (KMT) and the CCP itself. Moreover, since Shaheen’s departure from the USG, she has written multiple articles for the National Review and for the Wall Street Journal that have been harshly critical of the CCP and Chinese President Xi Jinping. But her stance would come at a cost: malicious actors, likely connected to the CCP, would lie-in-wait, planning and preparing to enact revenge, and when they struck, she found herself at the tip of a new spear in the cyber warfare arsenal. Over the next several years, these tactics would put her and her family through hell.

Her story highlights the personal risk faced by U.S. government personnel and their families on the diplomatic front lines with China, while analyzing the evolving threat of Chinese political warfare.

According to an old Chinese folktale, there was once a street entertainer who earned a lot of money with dancing monkey. One day, when the monkey refused to dance, the entertainer killed a live chicken in front of the monkey. The monkey resumed dancing. Thus, the idiom, "kill the chicken to scare the monkey."

The Predator

Shaheen first noticed disturbances in her personal home network and devices in 2008. The disruptions were minor glitches on her home laptops, voices being heard in the background on phone calls with friends, but nothing too out of the ordinary to raise any serious concerns. Then her credit card was used to buy spyware, which was installed on her computers at home. She would have a conversation on the phone with a friend and then get a text from an unknown number with the details of the conversation. After 2012, Shaheen’s family credit cards were used so many times to buy spyware that temporary cards had to be used at all times. Up to 40 computers were purchased but ultimately were stored away as they became immediately infected once connected to their home network. More than 25 phones were purchased until they were given up for disposable ones, as the smart phones were constantly being hacked and manipulated.

Multiple fake social media accounts were opened in her name and passwords were constantly being changed while almost all her accounts were hacked. She was texted photos of her own library card after visits to the library. Her home security system was re-wired to only send “test” alarms when tripped, and she became concerned people were breaking into her home when they were away. On a few occasions they found notes, written in Chinese, on her daughter's laptop when she was only in grade school. There was a concerted effort to drive a wedge between her and her associates by trying to plant evidence of events and conversations that Shaheen knew were not true.

When a Wall Street Journal reporter wrote an article on Shaheen in 2020 documenting these cyber attacks by unknown Internet Service Provider (ISP) addresses, they found a website selling bras named after the former diplomat. Her former employees and their spouses were hacked, and pornographic material was uploaded to their computers. Over the next five years, Shaheen would hire five separate cyber-security firms and spend well over a million dollars to get any relief from these cyber attacks.

It does not appear these attacks were focused on ascertaining private information for the sake of espionage or fraud. Rather, these attacks seemed intimate, a personal vendetta meant to disrupt Shaheen's life—and it worked. Shaheen talks openly about the mental and emotional toll these attacks had on her and her family. Early on, the attacks were so random and dispersed that when she told friends and family they thought she was exaggerating or imagining things. Initially, it was hard for people to believe it was happening because they couldn’t see it happening. At times, the attacks seemed ambiguous and possibly coming from someone close to her, but as time passed, it became clear that the attacks were not proximal and the ambiguity seemed to be the point—to confuse, misdirect, contradict—to gaslight. On a cruise vacation, she became so concerned with the safety of her family that she took a panic button to alert authorities if any of them were attacked. At one point, Shaheen’s doctor diagnosed her with Post-Traumatic Stress (PTS).

The Remedy

In March of 2016, Shaheen hired a new small cyber-counterintelligence consulting company based in the Washington, D.C. area. The company was composed of former counterintelligence and cyber investigators from the U.S. Air Force Office of Special Investigations, as well as intelligence specialists from the U.S. intelligence community. The company was recommended to Shaheen because of their experience investigating national security cyber intrusion activities. The team created an investigative plan that focused on counterintelligence objectives rather than traditional cyber security practices. The difference is that cyber security generally looks for malware and forensic examination of a compromised system. Counterintelligence looks for the “why” and the “who” and for ways to neutralize the overarching operation.

Using proven techniques from their time protecting the U.S. Air Force, the investigators deployed a passive tap to monitor activities on Shaheen’s home network, laptop, mobile phone, and home router. Investigators were quickly able to identify unauthorized login activity into Shaheen’s personal and work email and cloud accounts.

According to the investigative plan, identification of the infrastructure being used by the attackers was a priority. Once identified, the investigators began taking steps to bring down the operation. Investigators performed research into an identified internet service provider (ISP) which was hosting internet protocol (IP) addresses involved in the unauthorized logins. The ISP’s website indicated their headquarter office was located in Tennessee, yet the company did not have a business license in Tennessee. The main office was determined to be a virtual office. The virtual office management company, when interviewed, indicated they had never personally met the supposed owners of the ISP. Investigators traveled to multiple locations across the U.S. in an attempt to identify owners of the rogue ISP.

Upon further investigation, the ISP was determined to be fake. The company’s website was fictitious, even including fake bios for company staff. There was no way to actually purchase services, either online or by phone. Yet, the ISP was somehow in control of nearly 750,000 IP addresses around the world through a series of fake subsidiaries, cut-outs, and go-betweens. It was estimated that the ISP was in control of over $4 million worth of IPs and domains. It was essentially a very expensive global attack infrastructure.

Eventually investigators uncovered an original company incorporation document with a signature from the real owner. The culprit had made a mistake - instead of using a registered agent, they had used their real name. Hundreds of documents were analyzed, but it only took one to break the case.

The investigators began working with federal law enforcement on their findings. After several years of investigation, intelligence gathering, and coordination with the Federal Bureau of Investigations (FBI) and Department of Homeland Security (DHS), the investigators supporting Shaheen were able to have the entire attack infrastructure taken down. The IPs were issued to the fake ISP by American Registry for Internet Numbers (ARIN), which is the gatekeeper for internet addresses. Once ARIN was informed that the company was fraudulent, they revoked all of the IPs. In one fell swoop, the attack infrastructure was taken down, years of building up the capability to launch attacks from around the world were neutralized, and the attacks against Shaheen ceased and have not returned.

While there is rarely a “smoking gun” when conducting these types of investigations, the professionals who ultimately ended the attacks against Shaheen said that it is “highly likely this originated from China” and that “the evidence points to actors within the CCP.”

Shaheen is not alone. Other critics of the CCP and high-level diplomats within the USG have experienced similar attacks, in what are known as Advanced Persistent Threats (APT). The New York Times has covered APTs used against a New Zealand professor named Anne Marie Brady, including cyber-gaslighting and physical break-ins to her home. According to the counterintelligence firm interviewed for this case study, from 2010-2015, the personal email accounts of top American security and trade officials had been compromised in a Chinese cyber espionage operation. The email espionage operation had attacked and taken information from over 600 American official targets. Due to security reasons, the names of those compromised officials were not revealed.

Following the successful takedown of the attack infrastructure being used by the attacker, Shaheen has seen attempts from fake social media accounts, originating from China, to either follow her or to discredit her online. This is now the front-line of the continued gaslighting happening against the former diplomat who became a target of the CCP.

For U.S. government personnel on the political and diplomatic front lines with China, and other malicious actors, it is important to remain vigilant as personal space is usually the least protected

Note: Results of the investigation are here.

* The CI firm is not mentioned at their request and as part of their culture of being silent sentinels.

Click here for more background on this case.