Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Targeted International Aerospace Firms for Years

Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to help the county’s advancements in this sector, Crowdstrike reports.

Chinese state-sponsored hackers conducted cyber-espionage operations targeting various aerospace-related firms for years in an effort to help the county’s advancements in this sector, Crowdstrike reports.

The identified hacking operation started in January 2010, just after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) announced it had selected U.S.-based CFM International to provide a custom engine — the LEAP-1C, which is based on the LEAP-X engine — for its C919 aircraft.

According to Crowdstrike, the CJ-1000AX engine produced by the Aero Engine Corporation of China (AECC) bears multiple similarities to the LEAP-1C, which suggests that it benefited from the cyber espionage efforts of China’s Ministry of State Security (MSS).

In a new report (PDF), Crowdstrike’s security researchers explain how a mixture of cyber actors helped China fill technology and intelligence gaps that eventually resulted in significant advancements in the production of dual-use turbine engines.

“Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the report reveals.

These cyber-espionage operations remained active until 2015, and the main culprit is believed to be the Jiangsu Bureau of the MSS (JSSD), which the United States Department of Justice has mentioned in several indictments. Crowdstrike tracks the activity as TURBINE PANDA.

International aerospace firms such as Honeywell, Safran, and several others were targeted. Malware used in these operations included PlugX and Winnti, already known to be favored by Chinese threat actors, along with Sakula, a malware family believed to be unique to the group.

While investigating the incidents, Crowdstrike was able to identify a traditional human-intelligence (HUMINT) element in the espionage operations against aerospace targets. The security firm appears to have first exposed this element in February 2014, which resulted in the deletion of a domain associated with the cyber-operation.

One of the involved individuals, JSSD Intelligence Officer Xu Yanjun, supposedly the Deputy Division Director of the Sixth Bureau of the JSSD in charge of Insider Threats, is believed to have recruited a Safran Suzhou insider named Tian Xi in November 2013.

The insider was handed a USB drive with the Sakula malware on it, and installed the malicious program on Safran’s networks in January 2014.

Xu Yanjun, two of his insiders, and Sakula developer Yu Pingan have been arrested, but that is believed to have little impact on China’s other cyber-campaigns in areas of strategic importance.

“Though XU’s arrest in particular was likely a massive boon to U.S. intelligence given he was the first MSS officer (not simply an asset) known to be arrested, China has not ceased cyber operations even after incidents tying GOTHIC PANDA and STONE PANDA to the MSS were exposed publicly,” Crowdstrike notes.

In fact, the security firm suggests that other cyber-operators involved in the TURBINE PANDA operations will never be jailed for their actions. In fact, following Yu’s arrest in 2017 after he attended a security conference in the U.S., the MSS barred China’s security researchers from participating in overseas conferences or Capture the Flag competitions.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike notes.

Related: The United States and China – A Different Kind of Cyberwar

Related: China-Linked ‘Thrip’ Cyberspies Continue Attacks on Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...