Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Chinese Hackers Targeted International Aerospace Firms for Years

Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to help the county’s advancements in this sector, Crowdstrike reports.

Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to help the county’s advancements in this sector, Crowdstrike reports.

The identified hacking operation started in January 2010, just after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) announced it had selected U.S.-based CFM International to provide a custom engine — the LEAP-1C, which is based on the LEAP-X engine — for its C919 aircraft.

According to Crowdstrike, the CJ-1000AX engine produced by the Aero Engine Corporation of China (AECC) bears multiple similarities to the LEAP-1C, which suggests that it benefited from the cyber espionage efforts of China’s Ministry of State Security (MSS).

In a new report (PDF), Crowdstrike’s security researchers explain how a mixture of cyber actors helped China fill technology and intelligence gaps that eventually resulted in significant advancements in the production of dual-use turbine engines.

“Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the report reveals.

These cyber-espionage operations remained active until 2015, and the main culprit is believed to be the Jiangsu Bureau of the MSS (JSSD), which the United States Department of Justice has mentioned in several indictments. Crowdstrike tracks the activity as TURBINE PANDA.

International aerospace firms such as Honeywell, Safran, and several others were targeted. Malware used in these operations included PlugX and Winnti, already known to be favored by Chinese threat actors, along with Sakula, a malware family believed to be unique to the group.

Advertisement. Scroll to continue reading.

While investigating the incidents, Crowdstrike was able to identify a traditional human-intelligence (HUMINT) element in the espionage operations against aerospace targets. The security firm appears to have first exposed this element in February 2014, which resulted in the deletion of a domain associated with the cyber-operation.

One of the involved individuals, JSSD Intelligence Officer Xu Yanjun, supposedly the Deputy Division Director of the Sixth Bureau of the JSSD in charge of Insider Threats, is believed to have recruited a Safran Suzhou insider named Tian Xi in November 2013.

The insider was handed a USB drive with the Sakula malware on it, and installed the malicious program on Safran’s networks in January 2014.

Xu Yanjun, two of his insiders, and Sakula developer Yu Pingan have been arrested, but that is believed to have little impact on China’s other cyber-campaigns in areas of strategic importance.

“Though XU’s arrest in particular was likely a massive boon to U.S. intelligence given he was the first MSS officer (not simply an asset) known to be arrested, China has not ceased cyber operations even after incidents tying GOTHIC PANDA and STONE PANDA to the MSS were exposed publicly,” Crowdstrike notes.

In fact, the security firm suggests that other cyber-operators involved in the TURBINE PANDA operations will never be jailed for their actions. In fact, following Yu’s arrest in 2017 after he attended a security conference in the U.S., the MSS barred China’s security researchers from participating in overseas conferences or Capture the Flag competitions.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike notes.

Related: The United States and China – A Different Kind of Cyberwar

Related: China-Linked ‘Thrip’ Cyberspies Continue Attacks on Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...