Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to advance the country’s aerospace sector, Crowdstrike reports.
The identified hacking operation started in January 2010, just after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) announced it had selected U.S.-based CFM International to provide a custom engine — the LEAP-1C, which is based on the LEAP-X engine — for its C919 aircraft.
According to Crowdstrike, the CJ-1000AX engine produced by the Aero Engine Corporation of China (AECC) bears multiple similarities to the LEAP-1C, which suggests that it benefited from the cyber espionage efforts of China’s Ministry of State Security (MSS).
In a new report (PDF), Crowdstrike’s security researchers explain how a mixture of cyber actors helped China fill technology and intelligence gaps that eventually resulted in significant advancements in the production of dual-use turbine engines.
“Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the report reveals.
These cyber-espionage operations remained active until 2015, and the main culprit is believed to be the Jiangsu Bureau of the MSS (JSSD), which the United States Department of Justice has mentioned in several indictments. Crowdstrike tracks the activity as TURBINE PANDA.
International aerospace firms such as Honeywell, Safran, and several others were targeted. Malware used in these operations included PlugX and Winnti, already known to be favored by Chinese threat actors, along with Sakula, a malware family believed to be unique to the group.
While investigating the incidents, Crowdstrike was able to identify a traditional human-intelligence (HUMINT) element in the espionage operations against aerospace targets. The security firm appears to have first exposed this element in February 2014, which resulted in the deletion of a domain associated with the cyber-operation.
One of the involved individuals, JSSD Intelligence Officer Xu Yanjun, supposedly the Deputy Division Director of the Sixth Bureau of the JSSD in charge of Insider Threats, is believed to have recruited a Safran Suzhou insider named Tian Xi in November 2013.
The insider was handed a USB drive with the Sakula malware on it, and installed the malicious program on Safran’s networks in January 2014.
Xu Yanjun, two of his insiders, and Sakula developer Yu Pingan have been arrested, but that is believed to have little impact on China’s other cyber-campaigns in areas of strategic importance.
“Though XU’s arrest in particular was likely a massive boon to U.S. intelligence given he was the first MSS officer (not simply an asset) known to be arrested, China has not ceased cyber operations even after incidents tying GOTHIC PANDA and STONE PANDA to the MSS were exposed publicly,” Crowdstrike notes.
In fact, the security firm suggests that other cyber-operators involved in the TURBINE PANDA operations will never be jailed for their actions. Moreover, following Yu’s arrest in 2017 after he attended a security conference in the U.S., the MSS barred China’s security researchers from participating in overseas conferences or Capture the Flag competitions.
“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals have seemingly outweighed the consequences to date,” Crowdstrike notes.