Chinese Hackers Targeted International Aerospace Firms for Years

Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to help the country’s advancements in this sector, Crowdstrike reports.

The identified hacking operation started in January 2010, just after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) announced it had selected U.S.-based CFM International to provide a custom engine — the LEAP-1C, which is based on the LEAP-X engine — for its C919 aircraft.

According to Crowdstrike, the CJ-1000AX engine produced by the Aero Engine Corporation of China (AECC) bears multiple similarities to the LEAP-1C, which suggests that it benefited from the cyber espionage efforts of China’s Ministry of State Security (MSS).

In a new report (PDF), Crowdstrike’s security researchers explain how a mixture of cyber actors helped China fill technology and intelligence gaps that eventually resulted in significant advancements in the production of dual-use turbine engines.

“Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the report reveals.

These cyber-espionage operations remained active until 2015, and the main culprit is believed to be the Jiangsu Bureau of the MSS (JSSD), which the United States Department of Justice has mentioned in several indictments. Crowdstrike tracks the activity as TURBINE PANDA.

International aerospace firms such as Honeywell, Safran, and several others were targeted. Malware used in these operations included PlugX and Winnti, already known to be favored by Chinese threat actors, along with Sakula, a malware family believed to be unique to the group.

While investigating the incidents, Crowdstrike was able to identify a traditional human-intelligence (HUMINT) element in the espionage operations against aerospace targets. The security firm appears to have first exposed this element in February 2014, which resulted in the deletion of a domain associated with the cyber-operation.

One of the involved individuals, JSSD Intelligence Officer Xu Yanjun, supposedly the Deputy Division Director of the Sixth Bureau of the JSSD in charge of Insider Threats, is believed to have recruited a Safran Suzhou insider named Tian Xi in November 2013.

The insider was handed a USB drive with the Sakula malware on it, and installed the malicious program on Safran’s networks in January 2014.

Xu Yanjun, two of his insiders, and Sakula developer Yu Pingan have been arrested, but that is believed to have little impact on China’s other cyber-campaigns in areas of strategic importance.

“Though XU’s arrest in particular was likely a massive boon to U.S. intelligence given he was the first MSS officer (not simply an asset) known to be arrested, China has not ceased cyber operations even after incidents tying GOTHIC PANDA and STONE PANDA to the MSS were exposed publicly,” Crowdstrike notes.

The security firm suggests that other cyber-operators involved in the TURBINE PANDA operations will never be jailed for their actions. Following Yu’s arrest in 2017, after he attended a security conference in the U.S., the MSS barred China’s security researchers from participating in overseas conferences or Capture the Flag competitions.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike notes.

Related: The United States and China – A Different Kind of Cyberwar

Related: China-Linked ‘Thrip’ Cyberspies Continue Attacks on Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
