Titan Rain
Years before 'APT' entered the lexicon, a Chinese campaign was quietly draining defense networks — and the analyst who chased it ended up investigated himself.
Beginning around 2003, US defense and government networks were the target of a methodical, large-scale intrusion campaign that investigators code-named Titan Rain. The targets included Army and defense-contractor systems, NASA, and Department of Defense networks. The attackers moved quickly and cleanly, exfiltrating large volumes of technical and military documentation and erasing their traces on the way out.
The analyst who chased it
Much of what became public came from Shawn Carpenter, an intrusion analyst at Sandia National Laboratories, who tracked the attackers' activity back through a chain of relay hosts to infrastructure in China. When Carpenter shared his findings with the Army and the FBI outside his employer's official channels, Sandia fired him. He sued for wrongful termination and won a substantial jury verdict — a subplot that became almost as instructive as the intrusion itself, illustrating how unprepared institutions were for the disclosure dilemmas these campaigns created.
Public attribution at the time was cautious. US officials privately characterized Titan Rain as a Chinese state-directed collection effort, but formal, on-the-record attribution of cyber-espionage to nation-states was not yet routine.
What the chronicle remembers
Titan Rain is one of the earliest publicly reported large-scale Chinese cyber-espionage campaigns against the United States, a forerunner of the later operations that would be labeled APT1 and beyond. It also produced an early, vivid lesson about the institutional friction of disclosure: the person who understood the intrusion best was, for a time, treated as the problem.