Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/14/2019
05:18 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Cyber Theft, Humint Helped China Cut Corners on Passenger Jet

Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.

When China's domestically built C919 airplane becomes commercially available sometime in the next few years, many of the components in the plane will be based on designs and intellectual property that were likely copied from other manufacturers around the world.

That assessment from CrowdStrike is based on information pieced together from multiple recent US Department of Justice indictments and from the security vendor's own tracking of Turbine Panda, a China government-backed cyber espionage group that has been targeting aerospace companies since 2010.

The narrow-body C919 twinjet airliner is China's first homemade commercial jet and represents part of a broader "Made in China 2025" initiative that is designed to make the country self-reliant in several key industries. The plane completed its maiden voyage in 2017 and is expected to hit the market at about half the cost of competitive products from the Western aerospace duopoly of Boeing and Airbus.

At least some of that will be because Turbine Panda and several other operatives helped its manufacturer — the Commercial Aircraft Corporation of China (COMAC) and the Aviation Industry Corporation of China (AVIC) — cut corners.

China is not unique in targeting aerospace companies in the US and elsewhere. Adam Meyers, vice president of intelligence at CrowdStrike, says his firm is currently tracking 40 active threat groups targeting the sector including those from China, Russia, India, Iran, and North Korea.

"This is a complex problem," to address he says. Campaigns involving theft of IP and trade secrets can involve cyber operations, human intelligence, and support from national level intelligence services. "There is no easy short answer," Meyer says. "It needs to be addressed across public and private sector stakeholders."

According to CrowdStrike, its own intelligence and information in US DOJ indictments against key Chinese operatives in 2017 and 2018 suggest that one area where China appears to have especially benefited from outside IP is the C919's engine.

Soon after plans for the C919 were announced back in 2010, COMAC and AVIC were tasked with developing an indigenously built turbofan engine for the plane comparable to LEAP-X, an engine from GE Aviation and French aerospace company Safran. The resulting CJ-1000AX engine, which underwent formal tests last year, has multiple similarities to LEAP X, including in its dimensions and turbofan blades, CrowdStrike says.

"It is difficult to assess that the CJ-1000AX is a direct copy of the LEAP-X without direct access to technical engineering specifications," CrowdStrike said in a report this week stitching together the DOJ information and its own research.  But it is "highly likely" that its makers benefited significantly from Turbine Panda's cyber espionage efforts on behalf of the Jiangsu Bureau of China's Ministry of State Security (MSS), the vendor said.

The information that Turbine Panda and others collected from companies that have technologies pertaining to the LEAP-X engine has helped China knock off years in development time, and potentially billions of dollars in research in developing the CJ-1000AX engine, according to CrowdStrike.

Signs of Turbine Panda Activity

Signs of Turbine Panda's involvement go back to 2010 when China first announced plans for the C919 commercial jet. DOJ documents show soon after the announcement, Turbine Panda was involved in a cyberattack on Capstone Turbine, a Los Angeles-based gas turbine manufacturer. In a February 2014 blog, CrowdStrike then drew a connection between a Turbine Panda attack on French aerospace firm Safran and one against Capstone Turbine in 2012. The blog exposed some of Turbine Panda's operations prompting the group to take evasive action, says Meyers.

Between 2010 and 2015 Turbine Panda and others working for the Jiangsu Bureau of the MSS targeted a variety of aerospace-related organizations. Among those targeted were Honeywell, Ametek, and Safran. In many of the attacks, the China-based cyber operatives used the PlugX, Winnti, and Sakula remote-access Trojans to try and steal from victims, CrowdStrike said.

In addition to the cyber efforts, Beijing operatives were engaged in a massive human intelligence (aka humint) campaign focused on stealing information that could help with the C919 project. While one arm of China's intelligence apparatus identified key technology gaps in the C919 program, another focused on efforts to obtain those technologies via cyber and humint efforts, CrowdStrike said.

The human intelligence efforts included one by a now-indicted MSS intelligence officer to recruit an insider at LEAP-X manufacturer General Electric. The same officer also recruited a China-born US Army reservist who was an expert at assessing turbine engine schematics.

So far, at least four individuals have been arrested in connection with China's campaign targeting aerospace companies. Among them is Xu Yanjun, the MSS officer who was allegedly in charge of recruiting insiders at targeted aerospace firms, and Yu Pingan, the developer of the Sakula RAT who was arrested while attending a security conference in the US. Yu's arrest prompted the MSS to issue strict orders to security researchers in the country not to attend overseas conferences or Capture the Flag events, CrowdStrike reported.

Though Xu's arrest in particular is likely especially significant, it is unlikely to deter China's attempts to leap-frog development in technology areas the country perceives as being of strategic importance, CrowdStrike said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Murderers' Row of Poisoning Attacks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.