A new report by technology firm Crowdstrike has exposed how China engaged in a coordinated hacking operation involving intelligence officers, underground hackers, security researchers, and staff at foreign companies whom it recruited, in order to fulfill its development goals.
After looking over several Department of Justice indictments from August 2017 to October 2018, Crowdstrike concluded that the Jiangsu Province bureau of China’s Ministry of State Security (MSS)—the country’s chief intelligence agency—orchestrated the elaborate plan to steal aviation technology.
Aircraft Engine
The persistent hacking during the six-year period allowed state-owned Aero Engine Corporation of China (AECC)—which was established in August 2016 with funding from Comac and the state-owned Aviation Industry Corporation of China (AVIC) as main shareholders—to domestically manufacture an airplane engine for the C919, likely based on stolen technology, according to Crowdstrike.
China took a two-pronged approach: it contracted a foreign company to supply an engine for the C919, while simultaneously building one itself. In December 2009, Comac signed a deal with CFM International for the latter to produce the LEAP-1C engine, a variant of CFM’s existing LEAP-X, to power the C919. CFM is a joint venture between General Electric’s subsidiary GE Aviation and Safran.
At the same time, China’s State-owned Assets Supervision and Administration Commission tasked both Comac and AVIC with developing an “indigenously created” turbofan engine.
AECC ultimately produced the CJ-1000AX engine—which closely resembles both the LEAP-X and LEAP-1C engines.
“It is assessed with high confidence that the MSS [China’s Ministry of State Security] was ultimately tasked with targeting firms that had technologies pertaining to the LEAP-X engine and other components of the C919,” the report stated.
“It is highly likely that its [Chinese engine] makers benefited significantly from the cyber espionage efforts of the MSS … knocking several years (and potentially billions of dollars) off of its development time,” the report concluded.
To support its claim, Crowdstrike pointed out that Capstone Turbine, a C919 supplier, was hacked in January 2010, a month after CFM was selected as the plane’s engine provider.
China’s Ministry of State Security
An October 2018 federal indictment charged 10 actors with trying to steal know-how for making turbofan engines: two officers at the Jiangsu bureau of MSS (known as JSSD), five computer hackers, a malware developer operating at the direction of JSSD, and two Chinese employees at a French aerospace manufacturer’s office in Suzhou, a city in Jiangsu Province.
The cyber firm concluded that they were all part of the same scheme: Xu was tasked with recruiting Chinese nationals living overseas. And he successfully recruited at least three: Zheng, who was a former engineer at GE; Ji, who provided assessments on top talents in the aviation industry for potential recruitment by the Chinese regime; and Tian Xi, one of the two Chinese employees at the French firm who was indicted in the October 2018 case. Crowdstrike determined that the French manufacturer was Safran.
“What makes these DoJ [Department of Justice] cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” the report stated.
The JSSD recruited hackers from local hacking circles to carry out the actual intrusions against company networks, including by deploying malware such as PlugX, Winnti, and Sakula, the last of which was developed by security researcher Yu Pingnan.
Crowdstrike said that though some involved in the scheme have been arrested, other operators of the group are likely to never see a jail cell.
What’s more, these arrests will “ultimately not deter Beijing from mounting other significant cyber campaigns designed to achieve leapfrog development in areas they perceive to be of strategic importance,” it concluded.