On January 14th, 2012, the same day that Ma Ying-Jeou won re-election as President of the Republic of China (Taiwan), multiple computers in Therese Shaheen’s home turned on displaying multiple fake Skype accounts. The usernames were combinations of names of her friends, business partners, and co-workers. Some even used personal nicknames known to only a few people. This began an almost decade-long cyber-gaslighting attack against the former diplomat, costing her over a million dollars and years of anxiety and familial turmoil.

Gaslighting refers to the psychological manipulation of an individual that leads the victim to question their perception of reality often leading to confusion and uncertainty regarding their own mental stability. This case study documents Shaheen’s story and the attacks she endured as a result of navigating the complex landscape of Chinese, Taiwanese and US relations in the early 2000s. It highlights the personal risk faced by U.S. government personnel and their families on the diplomatic front lines with China, while analyzing the evolving threat of Chinese political warfare.

Background

Immediately following Japan’s surrender and withdrawal from China at the conclusion of World War II, the Chinese Communist Party (CCP) resumed its long-running civil war with the Chinese Nationalist Party, the Kuomintang (KMT), with full force. On October 1st, 1949, Mao declared victory and established the People’s Republic of China (PRC), putting an unofficial end to the brutal conflict. The KMT retreated to the island of Taiwan, where they would rule for the next 51 years. In 2000, Chen Shui Bian and his Democratic Progressive Party (DPP), would become the country's first democratically, non-KMT, elected government. What followed was a brutal and concerted effort by some members of the KMT, and their pro-unification CCP allies, to prevent Chen from winning a second term. This faction would use all facets of modern political warfare and espionage. Just one week before Chen’s re-election in 2004, it likely colluded in a probable assassination attempt on his life.

The KMT’s origins are defined by its resistance to the CCP as an anti-communist party. But, as time passed, certain factions of the KMT became more accommodating toward the PRC. Presumably, these factions were seeking assistance with maintaining their hold on power in Taiwan. Today, the KMT has become much more attuned to the body politick in Taiwan and has mostly supported the status quo: that Taiwan is already independent.

By the early 2000s, the US government had long been comfortable dealing with the KMT. Washington continued to believe it was a wholly anti-communist party. While U.S. policymakers were happy to see democracy flourishing in Taiwan, it greeted an open independence movement with trepidation. Over time, it engaged less and less with the first DPP government as the Bush administration believed the KMT’s re-election was the best way to reduce tensions across the Taiwan Strait.

In the mid-1970s, Therese Shaheen began working with Indo-Chinese refugees through her service with the ACTION/Peace Corps agency headquarters while studying at Georgetown University. After graduation, her husband, then a naval officer and later Secretary of Defense Donald Rumsfeld's Chief of Staff, was assigned to a ship in the Indo-Pacific region, enabling her to continue working with refugees. During this time, she successfully built enduring relationships and developed a deep understanding of the region.

In 1987, she co-founded a high-tech consulting company called the US Asian Commercial Development Corporation. She spent most of the late 1980s and 1990s connecting China, Taiwan, Korea, Japan, and others with wireless access and helped organize the consortium that built the US-China cable line. In the 1990s she sounded the alarm about Chinese intellectual property theft and forced technology transfers. Then, in 2002, she joined the Bush administration as the Chairman and Managing Director of the American Institute in Taiwan (AIT), the United States’ de facto embassy in Taiwan.

AIT was formed in 1979 when the U.S. established diplomatic relations with the PRC and adopted the One-China policy. For 40 years, AIT has played a crucial role in promoting America’s interests in Taiwan and the broader region, even though Washington no longer recognized the island’s government. AIT is a private entity with a semi-official contract with the U.S. State Department, providing guidance, funding, and consular support. Shaheen, as Chairman, operated out of the office in Washington, while AIT’s Director resides in Taipei.

To understand the U.S. response to the election of Chen Shui Bian, the first Taiwanese President from the Democratic Progressive Party (DPP) in 2000, it is important to remember the climate of American geopolitics and the Bush administration at the time. During the first four years of Chen’s administration, the U.S. experienced the 9/11 terrorist attacks and launched the wars in Afghanistan and Iraq. While the U.S. held a relatively tough position toward China, disagreements within the Bush administration emerged on how to handle the non-English speaking Chen, whose party’s position was that Taiwan was already independent. Pro-China factions in Taiwan and in the US, along with the CCP itself, took advantage of Chen’s knowledge gap of American politics. Ultimately, there was more consensus that given other priorities, the return of the KMT to power might be better for peace and stability in the region.

When Bill Clinton won the presidency in 1992, there was concern that he was going to have trouble recruiting suitable experts for his administration, given that Republicans had held the executive branch for the past twelve years. In Taiwan, Chen was also struggling to build a government that reflected the DPP’s values. Where Clinton was working against twelve years of opposing party rule, the DPP was working against 51 years of KMT rule. As a result, Chen’s government was filled with KMT career bureaucrats who were actively working against him and had allies in China and the U.S.

Shaheen, always outspoken and direct, maintained good relations with Chen and his inner circle, attempting to cajole them and help them understand the U.S. position. She did not know, until after she left government, that President Chen’s primary translator was working for and reporting to the KMT. Once the DPP learned of the betrayal, the translator was immediately fired. This called into question the correct translation and report of every conversation Shaheen had with the Taiwanese President.

The day before the 2004 elections, during an event for his re-election campaign, there was an assassination attempt on President Chen and his running mate Annette Lu. He survived the attempt on his life. The KMT insisted it was a staged attempt and tried to overturn the election. The election results were delayed but Chen did win a second term in 2004.

Shortly after the results were confirmed, Shaheen formally congratulated the newly re-elected President Chen and Vice President Annette Lu. Because of this, the Bush administration requested Shaheen’s resignation. Shaheen contends she had full permission to formally congratulate Chen and Lu and did not have constraints on how to do it. Something seemed amiss, and she received no explanation.

Soon after Shaheen left the government, it was also revealed to her that the head of Taipei Economic and Cultural Representative Office (TECRO), the equivalent of Taiwan’s ambassador to the U.S., had been working on behalf of the KMT. He was also fired. This disclosure was made to Shaheen by a special emissary from the DPP, who came to the United States to inform her and offer sincere apologies. The dismissed representative from TECRO was someone upon whom Shaheen and many others in Washington had relied for information on Taiwan. This individual was working contrary to the views of the Chen administration, and as a result may have undermined Taiwanese relations with the U.S.

During her tenure as AIT Chairman, Shaheen earned the ire of some of the CCP-aligned members of the KMT and the CCP itself. Moreover, since Shaheen’s departure from the USG, she has written multiple articles for the National Review and for the Wall Street Journal that have been harshly critical of the CCP and Chinese President Xi Jinping. But her stance would come at a cost. Malicious actors, likely connected to the CCP, would lie-in-wait, planning and preparing to enact revenge, and when they struck, she found herself at the tip of a new spear in the cyber warfare arsenal. Over the next several years, these tactics would put her and her family through hell.

The Predator

According to an old Chinese folktale, there was once a street entertainer who earned a lot of money with his dancing monkey. One day, when the monkey refused to dance, the entertainer killed a live chicken in front of the monkey and the monkey resumed dancing. Thus the idiom, “kill the chicken to scare the monkey.”

Shaheen first noticed disturbances in her personal home network and devices in 2008. The disruptions were minor glitches on her home laptops, voices being heard in the background on phone calls with friends, but nothing too out of the ordinary to raise any serious concerns. Then her credit card was used to buy spyware which was installed on her computers at home. She would have a conversation on the phone with a friend and then get a text from an unknown number with the details of the conversation. After 2012, Shaheen’s family credit cards were used so many times to buy spyware that temporary cards had to be used at all times. Up to 40 computers were purchased but ultimately were stored away as they became immediately infected once connected to their home network. More than 25 phones were purchased until they were given up for disposable ones, as the smart phones were constantly being hacked and manipulated.

Multiple fake social media accounts were opened in her name and passwords were constantly being changed while almost all her accounts were hacked. She was texted photos of her own library card after visits to the library. Her home security system was re-wired to only send “test” alarms when tripped, and she became concerned people were breaking into her home when they were away. On a few occasions they found notes, written in Chinese, on her daughter's laptop when she was only in grade school. There was a concerted effort to drive a wedge between her and her associates by trying to plant evidence of events and conversations that Shaheen knew were not true.

When a Wall Street Journal reporter wrote an article on Shaheen in 2020 documenting these cyber attacks by unknown Internet Service Provider (ISP) addresses, they found a website selling bras named after the former diplomat. Her former employees and their spouses were hacked, and pornographic material was uploaded to their computer. Over the next five years, Shaheen would hire five separate cyber-security firms and spend well over a million dollars to get any relief from these cyber attacks.

It does not appear these attacks were focused on ascertaining private information for the sake of espionage or fraud. Rather, these attacks seemed intimate, a personal vendetta meant to disrupt Shaheen's life - and it worked. Shaheen talks openly about the mental and emotional toll these attacks had on her and her family. Early on, the attacks were so random and dispersed that when she told friends and family they thought she was exaggerating or imagining things. Initially, it was hard for people to believe it was happening because they couldn’t see it happening. At times, the attacks seemed ambiguous and possibly coming from someone close to her, but as time passed, it became clear that the attacks were not proximal and the ambiguity seemed to the point - to confuse, misdirect, contradict - to gaslight. On a cruise vacation, she became so concerned with the safety of her family that she took a panic button to alert authorities if any of them were attacked. At one point, Shaheen’s doctor diagnosed her with Post-Traumatic Stress (PTS).

The Remedy

In March of 2016, Shaheen hired a new small cyber-counterintelligence consulting company based in the Washington DC area. The company was composed of former counterintelligence and cyber investigators from the U.S. Air Force Office of Special Investigations, as well as intelligence specialists from the U.S. intelligence community. The company was recommended to Shaheen because of their experience investigating national security cyber intrusion activities. The team created an investigative plan that focused on counterintelligence objectives rather than traditional cyber security practices. The difference is that cyber security generally looks for malware and forensic examination of a compromised system. Counterintelligence looks for the “why” and the “who” and for ways to neutralize the overarching operation.

Using proven techniques from their time protecting the U.S. Air Force, the investigators deployed a passive tap to monitor activities on Shaheen’s home network, laptop, mobile phone, and home router. Investigators were quickly able to identify unauthorized login activity into Shaheen’s personal and work email and cloud accounts.

According to the investigative plan, identification of the infrastructure being used by the attackers was a priority. Once identified, the investigators began taking steps to bring down the operation. Investigators performed research into an identified internet service provider (ISP) which was hosting internet protocol (IP) addresses involved in the unauthorized logins. The ISP’s website indicated their headquarter office was located in Tennessee, yet the company did not have a business license in Tennessee. The main office was determined to be a virtual office. The virtual office management company, when interviewed, indicated they had never personally met the supposed owners of the ISP. Investigators traveled to multiple locations across the US in an attempt to identify owners of the rogue ISP.

Upon further investigation, the ISP was determined to be fake. The company’s website was fictitious, even including fake bios for company staff. There was no way to actually purchase services, either online or by phone. Yet, the ISP was somehow in control of nearly 750,000 IP addresses around the world through a series of fake subsidiaries, cut-outs, and go-betweens. It was estimated that the ISP was in control of over $4 million worth of IPs and domains. It was essentially a very expensive global attack infrastructure.

Eventually investigators uncovered an original company incorporation document with a signature from the real owner. The culprit had made a mistake - instead of using a registered agent, they had used their real name. Hundreds of documents were analyzed, but it only took one to break the case.

The investigators began working with federal law enforcement on their findings. After several years of investigation, intelligence gathering, and coordination with the Federal Bureau of Investigations (FBI) and Department of Homeland Security (DHS), the investigators supporting Shaheen were able to have the entire attack infrastructure taken down. The IPs were issued to the fake ISP by American Registry for Internet Numbers (ARIN), which is the gatekeeper for internet addresses. Once ARIN was informed that the company was fraudulent, they revoked all of the IPs. In one fell swoop, the attack infrastructure was taken down, years of building up the capability to launch attacks from around the world were neutralized, and the attacks against Shaheen ceased and have not returned.

While there is rarely a “smoking gun” when conducting these types of investigations, the professionals who ultimately ended the attacks against Shaheen said that it is “highly likely this originated from China” and that “the evidence points to actors within the CCP.”

Shaheen is not alone. Other critics of the CCP and high-level diplomats within the USG have experienced similar attacks, in what are known as Advanced Persistent Threats (APT). The New York Times has covered APTs used against a New Zealand professor named Anne Marie Brady, including cyber-gaslighting and physical break-ins to her home. According to the counterintelligence firm interviewed for this case study, from 2010-2015, the personal email accounts of top American security and trade officials had been compromised in a Chinese cyber espionage operation. The email espionage operation had attacked and taken information from over 600 American official targets. Due to security reasons, the names of those compromised officials were not revealed.

Following the successful takedown of the attack infrastructure being used by the attacker, Shaheen has seen attempts from fake social media accounts, originating from China, to either follow her or to discredit her online. This is now the front-line of the continued gaslighting happening against the former diplomat who became a target of the CCP.

For U.S. government personnel on the political and diplomatic front lines with China, and other malicious actors, it is important to remain vigilant as our personal space is usually the least protected.

Note: Results of the investigation are here.
* The CI firm is not mentioned at their request and as part of their culture of being silent sentinels.