A new report by technology firm Crowdstrike has exposed how China engaged in a coordinated hacking operation involving intelligence officers, underground hackers, security researchers, and staff at foreign companies whom they recruited, in order to fulfill its development goals.
After looking over several Department of Justice indictments from August 2017 to October 2018, Crowdstrike concluded that the Jiangsu Province bureau of China’s Ministry of State Security (MSS)—the country’s chief intelligence agency—orchestrated the elaborate plan to steal aviation technology.
From 2010 to 2015, the group—which Crowdstrike nicknamed Turbine Panda—successfully breached several American firms, including Ametek, Honeywell, General Electric (GE), and Capstone Turbine, as well as French firm Safran, according to the report.
All of them were component suppliers to China’s state-owned aerospace manufacturer Comac, which manufactured China’s first domestically built narrow-body twinjet airliner, the C919. The plane made its debut flight in Shanghai in May 2017.
The persistent hacking during the six-year period allowed state-owned Aero Engine Corporation of China (AECC)—which was established in August 2016 with funding from Comac and the state-owned Aviation Industry Corporation of China (AVIC) as main shareholders—to domestically manufacture an airplane engine for the C919, likely based on stolen technology, according to Crowdstrike.
China took a two-pronged approach: it contracted a foreign company to supply an engine for the C919 while simultaneously building one itself. In December 2009, Comac signed a deal with CFM International under which CFM would produce the LEAP-1C engine, a variant of CFM’s existing LEAP-X, to power the C919. CFM is a joint venture between General Electric’s subsidiary GE Aviation and Safran.
At the same time, China’s State-owned Assets Supervision and Administration Commission tasked both Comac and AVIC with developing an “indigenously created” turbofan engine.
AECC ultimately produced the CJ-1000AX engine—which closely resembles both the LEAP-X and LEAP-1C engines.
“It is assessed with high confidence that the MSS [China’s Ministry of State Security] was ultimately tasked with targeting firms that had technologies pertaining to the LEAP-X engine and other components of the C919,” the report stated.
“It is highly likely that its [Chinese engine] makers benefited significantly from the cyber espionage efforts of the MSS … knocking several years (and potentially billions of dollars) off of its development time,” the report concluded.
To support its claim, Crowdstrike pointed out that Capstone Turbine, a C919 supplier, was hacked in January 2010, a month after CFM was selected as the plane’s engine provider.
According to aviation website FlightGlobal, the CJ-1000AX is expected to enter into service after 2021. So the C919 is only powered by the LEAP-1C for the time being.
The aviation and aerospace industries are among the sectors that Beijing has named as “Strategic Emerging Industries” in economic plans such as Made in China 2025 and the 13th Five-Year Plan (2016-2020), which outline how China can supplant global competitors in high-tech manufacturing sectors.
China’s Ministry of State Security
An October 2018 federal indictment charged 10 actors for trying to steal know-how for making turbofan engines: two officers at the Jiangsu bureau of MSS (known as JSSD), five computer hackers, a malware developer operating at the direction of JSSD, and two Chinese employees at a French aerospace manufacturer’s office in Suzhou, a city in Jiangsu Province.
Crowdstrike’s analysis led it to conclude that the indictment was related to three other cases: a JSSD officer named Xu Yanjun, who was arrested in Belgium and extradited to the United States in October 2018; Zheng Xiaoqing, who was indicted in April 2019 for alleged theft of GE’s turbine technologies; and Ji Chaoqun, a former U.S. Army Reserves officer charged with covertly working for the JSSD. Xu was charged with attempting to steal aviation secrets from foreign companies, including GE Aviation.
The cyber firm concluded that they were all part of the same scheme: Xu was tasked with recruiting Chinese nationals living overseas. And he successfully recruited at least three: Zheng, who was a former engineer at GE; Ji, who provided assessments on top talents in the aviation industry for potential recruitment by the Chinese regime; and Tian Xi, one of the two Chinese employees at the French firm who was indicted in the October 2018 case. Crowdstrike determined that the French manufacturer was Safran.
Xu gave Tian a USB drive with Sakula malware on it, so that Tian could use the USB to infect the networks in Safran’s Suzhou office, according to the indictment and Crowdstrike’s analysis.
“What makes these DoJ [Department of Justice] cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” the report stated.
The JSSD recruited hackers from local hacking circles to carry out the actual intrusions against company networks, including by deploying malware such as PlugX, Winnti, and Sakula—the latter developed by security researcher Yu Pingnan.
In August 2017, while visiting the United States, Yu was arrested in Los Angeles on a charge of conspiring with others to hack the U.S. Office of Personnel Management, according to Reuters. The attack compromised data belonging to more than 22 million federal workers.
Crowdstrike said that though some involved in the scheme have been arrested, other operators of the group are likely to never see a jail cell.
What’s more, these arrests will “ultimately not deter Beijing from mounting other significant cyber campaigns designed to achieve leapfrog development in areas they perceive to be of strategic importance,” it concluded.