Within a month, a Chinese provincial intelligence branch has been implicated in three U.S. cases of stealing American technologies, with the most recent case involving espionage to acquire know-how for making turbofan engines used in commercial airliners.
The alleged culprit is the Jiangsu Province Ministry of State Security (JSSD), a branch of China’s Ministry of State Security (MSS), which is responsible for counterintelligence, foreign intelligence, and political security.
According to a U.S. indictment released by the Department of Justice on Oct. 30, JSSD officers Zha Rong and Chai Meng, a division director and a section chief, respectively, led a scheme to steal turbofan-engine designs being developed through a partnership between a French aerospace manufacturer and a U.S.-based aerospace company.
Eight others were charged in the conspiracy, including five computer hackers and malware developers who operated at the direction of the JSSD. Two others are Chinese employees who worked at the French company’s office in Suzhou City, Jiangsu Province, as company information-technology manager and product manager.
The 10th person charged was Li Xiao, a computer hacker who used JSSD-supplied malware to carry out a separate hack on a San Diego-based technology company.
The JSSD officers targeted more than a dozen companies—mostly in the aerospace industry—but only Capstone Turbine Corporation, a Los Angeles-based gas turbine manufacturer, was identified by name. Other companies, including a Massachusetts-based aerospace company, and two aerospace suppliers in Arizona and Oregon, manufactured parts for turbofan engines.
The 10 people are charged with conspiring to steal sensitive data “that could be used by Chinese entities to build the same or similar engine without incurring substantial research and development expenses,” the indictment said.
At the time of the hacks, which took place from January 2010 through May 2015, a Chinese state-owned aerospace company was trying to develop a comparable engine for use in aircraft to be manufactured in China and other countries.
While Chinese-made jets, including the C919 and ARJ21, currently use foreign engines, the country has been seeking to develop a competitive homegrown alternative.
“State-sponsored hacking is a direct threat to our national security. This action is yet another example of criminal efforts by the MSS to facilitate the theft of private data for China’s commercial gain,” U.S. Attorney Adam Braverman said in a Justice Department press release.
“The concerted effort to steal, rather than simply purchase, commercially available products should offend every company that invests talent, energy, and shareholder money into the development of products,” he added.
John Brown, FBI special agent in charge of the San Diego field office, vowed that Chinese criminals would be held “accountable regardless of their attempts to hide their illicit activities and identities.”
The indictment detailed the tactics deployed by the 10 defendants. To hide the source and destination of their online traffic, defendants used unidentified software and leased servers to avoid detection.
They deployed many different tactics to hack the data, such as spear phishing, malware, and dynamic domain name service (DNS) accounts. A dynamic DNS service allows users to register different website domain names under a single account and frequently change the internet protocol (IP) address assigned to a domain name.
Spear phishing involves sending targeted emails embedded with malware. The defendants used two types of malware, Sakula and IsSpace, to access the email recipients’ computers. They would send fictitious emails containing website links that closely resemble legitimate ones, also known as doppelganger domain names. After someone clicks on the link, a hacker can gain access.
The hackers also installed malware on the targeted companies’ web pages, a technique known as a watering-hole attack, which gave the defendants a way to hack computers that had visited the web pages.
In January 2014, JSSD officer Chai got access to the French manufacturer by sending fake emails to employees at the company, pretending to be from the company’s network manager. Later that same month, one of the indicted employees at the French company, Tian Xi, installed Sakula malware by inserting a USB drive, which was provided by an unidentified JSSD officer, into a computer at the French company’s Suzhou office.
The case will be prosecuted in Southern California, according to the Justice Department press release.
Earlier, U.S. federal authorities announced two other cases of espionage involving JSSD officers.
In early October, Xu Yanjun, a JSSD intelligence officer, was extradited to the United States from Belgium to face charges that he attempted to steal trade secrets related to aircraft jet engines. Xu will now face trial in federal court in Cincinnati.
Ji Chaoqun, a Chinese citizen who came to the United States in 2013 and enlisted in the U.S. Army Reserves in 2016, was arrested in Chicago in late September, on charges that he had covertly worked for a Chinese intelligence official from JSSD. Ji tried to recruit engineers and scientists in the United States to work for China.
Reuters contributed to this report.