During his civil lawsuit against the People's Republic of China, Brian Milburn says he never once saw one of the country's lawyers. He read no court documents from China's attorneys because they filed none. The voluminous case record at the U.S. District courthouse in Santa Ana contains a single communication from China: a curt letter to the U.S. State Department, urging that the suit be dismissed.

That doesn't mean Milburn's adversary had no contact with him.

For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn's family-owned, eight-person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company's parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April.

In between, the hackers assailed Solid Oak's computer systems, shutting down web and e-mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair's breadth of collapse.

As the public dispute unfolded in decorous courtrooms, Milburn's computer prowess was tested to its limits in what amounted to a digital home invasion by what he later learned was one of the most prolific hacking teams in China. He waged his own desperate one-man fight without weapons or help from authorities, swapping out servers, puzzling over middle-of-the-night malfunctions, and watching his sales all but evaporate — his every keystroke monitored by spies who had turned his technology against him.

Milburn, 61, rarely took a day off during that time as he struggled around the clock to keep his computer network running and his firm afloat. He doubts he'll ever know exactly what was going on, but he has theories.

“It felt like they had a plan,” says Milburn, sitting in his office two blocks from Santa Barbara's main drag, where he's now focused on rebuilding his business. “If they could just put the company out of business, the lawsuit goes away. They didn't need guys with guns or someone to break my kneecaps.”

Clandestine Methods

The cyber attack against Solid Oak provides a rare look at the clandestine methods in play as high-tech spies and digital combatants seek to gain a brass-knuckle advantage in the global economy, from trade disputes to big-dollar deals to lawsuits. U.S. officials say that China in particular uses its national security apparatus for such intrusions, targeting thousands of U.S. and European corporations and blurring the traditional lines of espionage.

While his civil case was pending, Milburn didn't discuss the cyber intrusion publicly, saying only that the company and its Los Angeles-based law firm had received e-mails containing spyware. He had no idea who was behind it until last August, when he provided malware samples to a security firm at the request of a Bloomberg reporter.

A forensic analysis of the malware by Joe Stewart, a threat expert at Atlanta-based Dell SecureWorks, identified the intruders who rifled Solid Oak's networks as a team of Shanghai-based hackers involved in a string of sensitive national security-related breaches going back years.

Commercial hacker hunters — who refer to the team as the Comment group, for the hidden program code they use known as “comments” — tie it to a multitude of victims that include the president of the European Union Council, major defense contractors and even Barack Obama's 2008 presidential campaign. The group has been linked to the People's Liberation Army, China's military, according to leaked classified cables.

The Solid Oak attack is a micro tale of what some of the U.S. and Europe's largest corporations have experienced, says Representative Mike Rogers, a Republican from Michigan who chairs the House Intelligence Committee. The campaign to steal private files and intellectual property, even to the point of collapsing businesses, amounts to a criminal racket for commercial gain, says Rogers.

“I used to work organized crime in Chicago — I don't know, but it sure seems like there are a lot of similarities,” says Rogers, a former FBI agent.

Unlikely Entanglement

Headquartered in a converted Victorian house, Milburn's small company seems an unlikely candidate to become entangled in an international feud with China, except for one thing: it was a market leader in the U.S. for software that lets parents and schools block objectionable web content, like pornography and violence.

China was looking for software to do the same thing on a national scale. In May 2009, Chinese officials ordered web-filtering software called Green Dam Youth Escort installed on every computer sold in the country. They touted the software's ability to protect young Internet users by filtering pornography. Critics in China, who identified more than 6,000 political keyword filters, branded it an extension of China's censorship regime.

When University of Michigan researchers examined the program in June 2009 to see how it worked, they discovered that thousands of lines of code directly matched Milburn's software, which has 1.1 million active users. Included, apparently by mistake, was a CYBERsitter upgrade announcement — the “smoking gun” that the software had been pirated, according to Milburn.

An independent analysis later found that four of the five active filters were copied almost verbatim from CYBERsitter and that Green Dam could not operate correctly when those filters were disabled. It's possible the code was stolen in an earlier hack, but Milburn believes the thieves simply bought a copy and broke the encryption protecting the code.

In interviews with reporters, he said he was considering a lawsuit and vowed to pursue an injunction.

On June 24 — 12 days after Milburn went public with his legal intentions — the hackers made their first appearance. Working from her home office 150 miles south of Santa Barbara in Orange County, Jenna DiPasquale, 39, who is Milburn's daughter and Solid Oak's one-woman marketing department, received a carefully forged e-mail containing hidden spyware.

Poisoned E-Mails

It looked like a routine message from Milburn, so DiPasquale clicked on the attachment, realizing only later that the e-mail address was a couple of letters off. Solid Oak employees received more bogus e-mails over the next few days, setting off alarm bells.

Milburn contacted Matthew Thomlinson, a Microsoft Corp. threat expert, for help. Thomlinson found the malware had downloaded software that burrowed into the company's Microsoft operating system, automatically uploading more tools the hackers could use to control the network remotely. The malware had been created on a Chinese-language computer, he concluded. As far as Milburn knew, though, his attackers could have been anyone from seasoned professionals to hacktivists tapping on a keyboard in a Beijing basement, he says.

The more urgent question was whether the attackers were behind the strange things that began happening in his network.

DiPasquale was at her desktop computer, helping the company's attorneys with research sometime in August, when she noticed the light on her webcam come on. A few days later, a message flashed on her laptop indicating that the camera on that machine had been activated as well. She made an alarmed call to Milburn. After learning that Chinese hackers had eavesdropped on the Dalai Lama and his staff using their own computers, he went through the office, covering every webcam and microphone with black electrical tape.

Then the company's e-mail servers began shutting down, sometimes two or three times a week, slowing e-mail traffic, the main way the company provides customer service. Similar problems began plaguing the web servers — a bigger problem since web sales of CYBERsitter supply more than half of Solid Oak's revenue. By September and October, website sales were off 55 percent from mid-year and Milburn was struggling to figure out how the hackers might be behind it.

“I panicked,” says Milburn, who combines a beachcomber's countenance with the nervous energy of a workaholic. “What the hell is happening to my income, where is the money going, why aren't we getting orders?”

'Very Scary'

“This slow realization came that, 'wait a second, they're coming after us now,'” says DiPasquale, who felt she could no longer trust her own computer. “It was very scary.”

Milburn had contacted the Federal Bureau of Investigation after the flurry of e-mail assaults, and an agent from the Seattle field office called and took details, including samples of the malware and, later, server logs, he says. But the agency shed almost no light on the situation, he says, and he was never told if the material was useful.

That doesn't mean the bureau was in the dark about Milburn's attackers. U.S. law enforcement and intelligence officials had amassed a long dossier on the group, which they had been tracking since 2002, according to leaked cables and two people familiar with government investigations into the group.

Laura Eimiller, an FBI spokeswoman in Los Angeles, said the bureau couldn't comment on its interactions with Solid Oak or any investigation.

Milburn forged ahead in court in an attempt to win damages for the alleged theft. He and his small team of lawyers had spent six months analysing the similarities in the two software programs. He filed suit in January 2010 against the Chinese government and two Chinese software companies that had developed Green Dam.

Milburn's suit also named seven big computer manufacturers, including Sony Corp. and Lenovo Group Ltd., which the suit alleges had begun installing or distributing the software in the program's early phases.

As in the digital fight, not all of Milburn's legal adversaries were what they seemed. Zhengzhou Jinhui Computer System Engineering Co., one of the two Chinese companies that developed Green Dam, had ties to the People's Liberation Army University, a research center for China's military, according to a June 2009 U.S. Embassy diplomatic cable published by Wikileaks the following year.

No Information

No one from Zhengzhou Jinhui was available to address the CYBERsitter allegations, according to a person who answered the phone at the company.

A spokesman for China's foreign ministry said he had no information on the cyber assault against Solid Oak and declined to comment further. When Milburn's suit was filed, Chinese officials said the government “highly values and fully respects the intellectual property rights of software.”

Six days after the suit was filed on Jan. 5, 2010, Milburn's Los Angeles-based law firm at the time, Gipson Hoffman & Pancione, was hit with a cyber intrusion using e-mails similar to those aimed at Solid Oak but with different malware, according to the law firm. Forensics analysis shows that attack probably emanated from China as well, says Stewart, the Dell SecureWorks threat expert.

It had been clear to everyone that one motive for the attacks might be espionage related to possible legal action, Milburn says. If the hackers were able to steal documents or record conversations, they could preview strategies and negotiating positions, even identify legal weaknesses in the case.

Milburn decided not to take chances with the lawsuit. Using techniques gleaned from talking to security experts, his small team developed their own ad hoc counter-espionage measures. Solid Oak and its lawyers exchanged legal documents using rotating webmail accounts or document-sharing sites like San Francisco-based Dropbox Inc., deleting the accounts after a single use.

Occasionally, Milburn drove to an empty house he and his wife owned in the hills around Santa Barbara. Sitting at the kitchen table, he'd make phone calls or exchange e-mails with his attorneys, alternating between four different cell phones from three different carriers.

The lawsuit seemed to trigger a more serious phase of the attack, Milburn says. Computer failures that had occurred a couple times a week now sometimes happened two or three times a day.

Failures Escalate

Milburn constantly had to reboot servers, occasionally in the middle of the night. During work hours, it became hard for DiPasquale to get Milburn on the phone because he always seemed preoccupied fixing something. Tempers at work flared more often.

“Everybody started to wonder what they were doing wrong on a personal level,” DiPasquale says, adding that because Milburn couldn't trace the source of the network problems, it became hard to sort out who was to blame or why. “Things got very tense.”

One thing was clear: the technology that ran Milburn's company was no longer solely under his control.

In March 2010, a staccato of text message alarms woke him in the middle of the night, signalling that his servers were all shutting down. He hurriedly drove the four-mile winding road to the office to find that his commercial-grade SonicWALL firewall had failed, taking his entire network off line. He spent a good part of the next day on the phone with the manufacturer, who was stumped.

“Those things are like old carburetor engines, they never quit,” Milburn says.

After his e-mail servers crashed during an exchange with his attorneys, he crawled under the large house that serves as the company's headquarters in search of a device that someone might have physically planted. Pawing through cobwebs with a flashlight, he spent an hour opening utility boxes and eyeing the fiber-optic cable. He found nothing.

Milburn says he was riding “that fine line between ultra-caution and paranoia.”

Born in Santa Monica, Milburn didn't graduate from high school, but he has a relentlessly autodidactic drive that is common in early tech entrepreneurs. He taught himself how to write code, and eventually mastered complex Internet software protocols.

Laura Milburn, 63, his wife of 21 years, calls him “brilliant” but also “incredibly stubborn.” A few years earlier she watched him in a legal tussle with a neighbor who had built a deck four feet over what they thought was their property line. Milburn ended up spending more than $100,000 in a year-long fight just so they could split the difference, with each side getting two feet, she says.

No Clue

“He's not the kind of person who would back down to someone because they threaten him,” Laura Milburn says. Even so, she adds, “I don't think he had a clue what he was getting into.”

Both of those traits explain why Milburn didn't hire an expensive incident response team to hunt the hackers down in his network — the kind larger corporations often use.

Milburn, after all, had built Solid Oak's network himself. “I thought they might be able to get around some IT guy, but there's no way they were going to get around me,” he says.

Milburn learned everything he could about computer security. He read professional papers and called up experts he knew. He began writing his own software to monitor the connections his computers were making to outside networks, looking for tell-tale signs of the hackers at work.

In April 2010, during a 6:30 a.m. check of his servers — by then part of his daily routine — Milburn stumbled on a folder buried in an obscure Microsoft directory, one that's normally unused. What he found inside startled him. The file contained the encrypted versions of all eight passwords in his system — the keys to the entire network. The hackers could use the passwords to control just about anything he could, from web servers to e-mail.

The folder was gone two days later, he says, and in its place were several pieces of software he didn't recognize. Later, he found out they were custom-designed software the hackers use to perform tasks on corporate networks. He had found their toolkit.

Rather than panic, Milburn said he felt an adrenalin rush.

“It was like, 'okay, now I can figure out what they're doing.'” After months of detective work, Milburn was no longer chasing ghosts.

Two Battles

Even at the best of times, Solid Oak's headquarters is a warren of server rooms and cluttered offices that, Milburn says, could sometimes resemble the inside of a well-maintained garage. In the summer of 2010, it reflected the disarray of a company in crisis, littered with the results of Solid Oak's two on-going battles, one legal, one digital.

The firewall that blew out in March, a small box the size of an office telephone, still sat propped in a chair. Foot-high stacks of legal documents covered tables and spilled onto the floor. Two 60-foot data cables — which Milburn could use in a pinch to circumvent his own compromised e-mail system via a commercial internet connection — ran from one end of the office to the other.

Milburn's biggest concern was that the hackers seemed to be trying to hit the heart of his business. The lawsuit months earlier had brought a rush of publicity for CYBERsitter, and Milburn released a new version of the software. That combination would normally boost sales.

While bulk sales and orders over the phone were up, 60 percent of Solid Oak's business depended on users buying the $39.95 program directly from the website. As the network problems continued, so did the fall in sales. Milburn wouldn't provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in web sales the month the lawsuit was filed. Net losses averaged $58,000 a month after that, even as Milburn slashed expenses, he says.

Tracing the drop, he could see that customers were coming to the website to buy the software like always. They'd type in credit card numbers and click submit, but most of the orders — on some days 98 percent — weren't going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.

As his income dried up, Milburn kept the company afloat in part with insurance proceeds from the loss of two properties in the November 2008 Tea Fire in the hills of Santa Barbara that burned 210 homes over three days.

Foregoing Salaries

He went without pay, and DiPasquale agreed to forego her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.

Some tough conversations played out at home, DiPasquale says. She argued that what was going on was wrong; quitting would mean the hackers had won.

Her husband wondered exactly what they had gotten into and where it would end. “He was saying, 'What are we up against? Is there going to be someone sitting outside the house?'” she says. Because she was working alone at home, he made sure the house alarm was on every day before leaving for work.

In his own battle, Milburn became more obsessed. He'd get up by 5 a.m., work until 7 p.m., grab something to eat, then sign on from home to check his servers again. Constantly missing meals, Milburn began subsisting on pre-packaged sandwiches from a convenience store close to the office.

“It would be ten o'clock at night and I'd get an idea, 'huh, let me just check this,'” Milburn says. “That would lead to another hour of frustration trying to figure something out.”

Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string — an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.

The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.

“A hacker could certainly edit the script and break it so it wouldn't work,” says Stewart, the Dell SecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”

No one ever told Milburn that he was facing not amateurs but professionals who had ransacked secure U.S. government networks, until the results of Stewart's analysis last August.

Unique Tools

The tools Milburn found in his network were unique to the Comment group, according to Stewart. They included software designed to let the hackers send out stolen files and steal security credentials.

Without a more in-depth investigation, Stewart said it was difficult, if not impossible, to determine the hackers' goal as they rifled Milburn's network. Some of what Milburn experienced, including repeated and regular crashing of his servers, could have been an unintended side effect as the hackers infested the network with backdoors and other malware.

Or it might have been deliberate. From a hacker's point of view, everything Milburn experienced is technically “pretty elementary,” says Nicholas Percoco, who heads SpiderLabs, a Chicago-based security division of Trustwave Corp. Percoco and his team are paid by corporations to hack into their networks to test security — what's known as penetration testing. “If I can do it, the Chinese certainly can do it,” he says.

At one point, Milburn was able to identify a server that the hackers appeared to be using as a staging point to attack other targets. He was never able to shut down their activities, though.

In August 2011, a California district judge rejected a move by some of the defendants to shift Solid Oak's lawsuit to China, and ruled that it could go ahead in a U.S. court. Negotiations for settlement moved forward in earnest.

Solid Oak reached agreement with defendants for an undisclosed sum last February, and the case was dismissed two months later. Milburn says he can't discuss the terms, including exactly which defendants participated. His attorney, Gregory Fayer, now at Fayer Gipson LLP, says the Chinese government, which had by then declared that the Green Dam program would be strictly voluntary, was not among them. In U.S. District Court in California, the presiding judge declared China in default in the lawsuit for failing to respond.

Within two months of the settlement, Milburn says, the unusual activity in the company's computer network had nearly stopped.

The wild ride of those three years did more than wreak havoc on Solid Oak's computers. It threw into question Milburn's retirement plans, he says. During the worst moments, he wondered if he would have to start over, get rid of the CYBERsitter domain name and try again under a new digital identity, just to be free of his adversaries.

Milburn now feels he can move on, even if he didn't prevail. Sales haven't fully recovered, but he says he now has a chance to rebuild his customer base.

“It turns out they were just better than me,” says Milburn, whose doctor recently diagnosed him with a stress-related ailment.

“But it was the right thing to do,” he says. “You don't do anybody a favor by not taking a stand on this kind of stuff.”

With the company's finances now more stable, DiPasquale recently went out and bought a new computer. “I just wanted to tie the last one to an anvil and toss it in the sea,” she says.

Even so, DiPasquale says, “I don't think I'll ever feel completely safe on my own computer again.”

Bloomberg News
