A report published today shines a light on one of China’s most ambitious hacking operations known to date, one that involved Ministry of State Security officers, the country’s underground hacking scene, legitimate security researchers, and insiders at companies all over the world.
The aim of this hacking operation was to acquire intellectual property to narrow China’s technological gap in the aviation industry, and especially to help Comac, a Chinese state-owned aerospace manufacturer, build its own airliner, the C919 airplane, to compete with industry rivals like Airbus and Boening.
A Crowdstrike report published today shows how this coordinated multi-year hacking campaign systematically went after the foreign companies that supplied components for the C919 airplane.
The end goal, Crowdstrike claims, was to acquire the needed intellectual property to manufacture all of the C919’s components inside China.
Crowdstrike claims that the Ministry of State Security (MSS) tasked the Jiangsu Bureau (MSS JSSD) to carry out these attacks.
The Jiangsu Bureau, in turn, tasked two lead officers to coordinate these efforts. One was in charge of the actual hacking team, while the second was tasked with recruiting insiders working at aviation and aerospace companies.
The hacking team targeted companies between 2010 and 2015, and successfully breached C919 suppliers like Ametek, Honeywell, Safran, Capstone Turbine, GE, and others.
But unlike in other Chinese hacks, where China used cyber-operatives from military units, for these hacks, the MSS took another approach, recruiting local hackers and security researchers.
According to Crowdstrike and a Department of Justice indictment, responsible for carrying out the actual intrusions were hackers that the MSS JSSD recruited from China’s local underground hacking scene. Crowdstrike says that some of the team members had a shady history going back as far as 2004.
These hackers were tasked with finding a way inside target networks, where they’d usually deploy malware such as Sakula, PlugX, and Winnti, which they’d use to search for proprietary information and exfiltrate it to remote servers.
In the vast majority of cases, the hackers used a custom piece of malware that was specifically developed for these intrusions. Named Sakula, this malware was developed by a legitimate security researcher named Yu Pingan.
In the rare occasions when the hacking team couldn’t find a way inside a target, a second MSS JSSD officer would intervene and recruit a Chinese national working for the target company, and use him to plant Sakula on the victim’s network, usually via USB drives.
The group, which Crowdstrike said it tracked as Turbine Panda, was extremely successful. The US cyber-security firm points out that in 2016, after almost six years of non-stop hacking of foreign aviation companies, the Aero Engine Corporation of China (AECC) launched the CJ-1000AX engine, which was set to be used in the upcoming C919 airplane, and replace an engine that had been previously manufactured by a foreign contractor.
Industry reporting points out that the CJ-1000AX displays multiple similarities [1, 2] to the LEAP-1C and LEAP-X engines produced by CFM International, a joint venture between US-based GE Aviation and French aerospace firm Safran, and the foreign contractor that supplied turbine engines for the C919.
But while the MSS JSSD’s hacking efforts might have gone unnoticed, hackers made a mistake when they overstepped and went after targets a little too big — such as healthcare provider Anthem and the US Office of Personnel Management.
Those intrusions yielded a lot of useful information for recruiting future insiders, but they also brought the full attention of the US government bearing down on their operation. It didn’t take too long after that for the US to start piecing the puzzle together.
The first ones to go were the insiders since they were the easiest ones to track down and had no protection from the Chinese government since they were operating on foreign soil.
After that came Yu, the creator of the Sakula malware, who was arrested while attending at a security conference in Los Angeles, and subsequently charged for his involvement in the Anthem and OPM hacks.
Yu’s arrest triggered a massive ripple in China’s infosec scene. The Chinese government responded by prohibiting Chinese researchers from participating at foreign security conferences, fearing that US authorities might get their hands on other “assets.”
Initially, this seemed an odd thing to do, but a subsequent Recorded Future investigation showed how the MSS had deep ties to the Chinese cyber-security research scene, and how the agency was secretly hoarding and delaying vulnerabilities found by Chinese security researchers, many of which were being weaponized by its hackers before being publicly disclosed.
But the biggest hit to Turbine Panda came in late 2018 when western officials arrested Xu Yanjun, the MSS JSSD officer in charge of recruiting insiders at foreign companies.
The arrest of a high-ranking Chinese intelligence officer was the first of its kind, and the biggest intelligence asset transfer since the Cold War, besides Snowden’s flight to Russia. Now, US officials are hoping that Xu collaborates for a reduced sentence.
However, Crowdstrike points out that “the reality is that many of the other cyber operators that made up Turbine Panda operations will likely never see a jail cell.”
China has yet to extradite any citizen charged with cyber-related crimes.
Hackers have continued to target the aviation industry
In the meantime, Turbine Panda appears to have seized most of its operations, most likely crippled due to the arrests, but other Chinese cyber-espionage groups have taken over, such as Emissary Panda, Nightshade Panda, Sneaky Panda, Gothic Panda, Anchor Panda, and many more.
Attacks on foreign aviation firms are expected to continue for the foreseeable future, mainly because Comac’s C919 jet isn’t the success that the Chinese government expected (see 07:20 mark in the video below), and a fully Chinese airliner is still years away. Efforts are currently underway for building the airliner’s next iteration, the C929 model.
For years it’s been reported that China has been building its economical might on the back of other countries and its foreign competitors.
The full Crowdstrike report gives a glimpse at how China has been using hackers to do so, although they are not the only component.
The Beijing government itself has played even a bigger role. Historically, they’ve dangled carrots in the face of foreign companies, promising access to China’s booming internal market. Foreign companies have seen themselves forced into joint ventures, only to be forced out later by their former partners after local companies grew with the help of state subsidies and the know-how acquired from the partnership.
In this process, Chinese hackers often helped with “forced technology transfer,” breaching business partners and stealing their intellectual property, allowing the Chinese state-owned companies to put out high-end competing products in record time and at very low prices.
And in all of this, the aviation industry has been only one part of the puzzle. Similar hacking efforts have also targeted many other industry verticals, from the maritime industry to hardware manufacturing, and from academic research to biotechnology.