Chinese government hackers working with the country’s traditional spies and agencies plotted and stole U.S. and European aircraft engine secrets to help Beijing leapfrog over its Western competitors in developing a domestic commercial aircraft industry, according to researchers at the cybersecurity protection firm CrowdStrike.
“Beijing used a mixture of cyber actors sourced from China’s underground hacking scene, Ministry of State Security or MSS officers, company insiders, and state directives to fill key technology and intelligence gaps in a bid to bolster dual-use turbine engines which could be used for both energy generation and to enable its narrow-body twinjet airliner, the C919, to compete against Western aerospace firms,” CrowdStrike said in a report released Monday evening.
The MSS Jiangsu Bureau, China’s intelligence and security agency responsible for counterintelligence, foreign intelligence and political security, also has been tied to the 2015 hack of the U.S. Office of Personnel Management that led to the theft of highly confidential information on more than 20 million U.S. government employees.
While the U.S. Justice Department and the FBI already have indicted several key Chinese participants in the hacking and espionage schemes — and has arrested a few of them — the report presents a fuller picture of how all those Chinese hackers worked in concert to steal Western secrets.
CrowdStrike said it combined its own intelligence reporting with details gleaned from Justice Department indictments to piece together how “Beijing uses a multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs.”
Beijing’s efforts to challenge Boeing and Airbus in commercial aircraft manufacturing began in the mid-2000s when the country’s economic planning agencies forecast that China would become the world’s largest aviation market by 2022.
In 2009, the state-owned Commercial Aircraft Corporation of China, or Comac, struck a deal with CFM International — a joint venture between U.S.-based General Electric’s aviation business and the French aerospace company Safran that was developing a new commercial aircraft engine called Leap-X. The deal called for CFM to develop a variant of the engine for China’s C919 aircraft, a model that was intended to challenge the Boeing 737 and Airbus 320, the workhorses of worldwide passenger aviation.
Soon after the deal was struck, Comac likely tasked the Chinese intelligence unit, MSS, with targeting firms that possessed technologies key to the aircraft engine development, and the companies were in turn hacked by MSS, CrowdStrike said in its report.
In January 2010, a month after Comac and CFM entered into an agreement to develop a new engine, MSS targeted Los Angeles-based Capstone Turbine, a gas turbine manufacturer, according to the Justice Department and CrowdStrike. CrowdStrike has labeled the coordinated hacking of aircraft engine-makers by China as “Turbine Panda.”
From 2010 through 2015, the hackers also targeted several other aerospace firms including Ametek, Honeywell and Safran using malware that is unique to the MSS operatives, CrowdStrike said. The group also may have borrowed hacking tools deployed by a group called the Syrian Electronic Army that first emerged online in 2011 to support Syrian President Bashar al Assad and attack his opponents, the report said.
Overseen by Beijing
Yanjun Xu, a deputy director at MSS who goes by the name Zhang Hui, oversaw the hacking and technology theft effort, and also oversaw a human spying operation, CrowdStrike said. He likely helped recruit a Chinese-born employee of GE’s aviation engine unit as well as a U.S. Army reservist who had entered the United States as a student from China, according to the Justice Department and CrowdStrike. The Army reservist, Ji Chaoqun, was arrested in Chicago in September 2018.
In October 2018, the Justice Department announced that Xu was arrested in Belgium and extradited to the United States to face charges of economic espionage and theft of trade secrets.
Before the Justice Department indictment and arrest of Xu, CrowdStrike said its own intelligence gathering and cyber sleuthing had shown as far back as 2014 that the hack of Capstone Turbine and targeting of Safran were likely carried out by the same hackers in Turbine Panda.
After CrowdStrike published its findings in a February 2014 blog post connecting the two hacks, the Justice Department indictment later revealed, Xu had asked his officers about a particular domain name being used to hack the French company. That domain name had been identified by CrowdStrike, the report said. Soon after Xu’s query, the domain name was deleted by a Safran employee working in the company’s offices in Suzhou, China, according to the Justice Department indictment.
That deletion showed that the Safran employee was potentially recruited as a Chinese spy, CrowdStrike said. Another Safran employee at the same Suzhou facility also recruited as a spy sometime in 2013 was given a USB drive with malware that he then installed on Safran’s computer networks, enabling MSS hackers to begin accessing the engine-maker’s data, CrowdStrike said.
The arrests of Xu and Ji are unlikely to deter “Beijing from mounting other significant cyber campaigns designed to achieve leapfrog development in areas they perceive to be of strategic importance,” CrowdStrike said in its report. “The reality is that many of the other cyber operators that made up Turbine Panda operations will likely never see a jail cell.”
CrowdStrike said its intelligence reporting indicates that MSS has issued a warning to its cybersecurity researchers and hackers not to participate in international conferences or hacking contests for fear of being arrested.
While the C919 engine has been featured in test flights, it “still faces significant barriers to entry — namely, international certification and the current Sino-U.S. trade war,” CrowdStrike said. Beijing aims to “have the C919 pass grueling certification standards by the end of 2020.”
Meanwhile, hackers using tactics similar to those used by Turbine Panda are said to have breached the Canada-based International Civil Aviation Organization, or ICAO, which sets the global civil aviation standards, CrowdStrike said.
China has likely decided that the benefits of cyber-driven espionage and theft of trade secrets to the country’s industrial goals outweigh any negative publicity costs, CrowdStrike said. The outcome of the current trade war between Washington and Beijing, however, could influence how China approaches future technology joint ventures, the report said.