10/11/2018
05:50 PM

Chinese Intelligence Officer Under Arrest for Trade Secret Theft

Yanjun Xu attempted to steal data on advanced aviation technology that GE Aviation, among others, had spent billions developing.

US authorities have arrested a Chinese intelligence officer for attempting to steal trade secrets that would have helped China unfairly advance in the aviation and aerospace sectors.

The arrest comes amid numerous recent reports about an increase in cyber-enabled espionage involving China-backed actors. It suggests that little has changed in the three years since China signed an agreement with the US to refrain from backing such activity.

"This case is not an isolated incident," said John Demers, assistant attorney general for the US Department of Justice's National Security division, in a statement announcing the arrest. "It is part of an overall economic policy of developing China at American expense."

In charges announced Wednesday, the DoJ accused Yanjun Xu, an operative of China's Ministry of State Security (MSS), of economic espionage involving theft of trade secrets from GE Aviation and other leading US aviation companies.

The charges, filed in federal court in the Southern District of Ohio, allege that Xu and other unnamed conspirators working on behalf of the Chinese government systematically targeted companies inside and outside the US that are considered leaders in the aviation industry.

The alleged activity started in December 2013 and continued through April of this year, when Xu was arrested in Belgium after he traveled there to meet with an engineer from GE Aviation. Xu has since been extradited to the US, where he faces up to 15 years in federal prison if convicted on the espionage charges.

Court papers related to the case describe Xu as the deputy division director with the MSS's Jiangsu State Security Department. One of Xu's responsibilities in that role was to obtain technical information, including trade secrets, from aviation and aerospace companies around the world.

In carrying out that mission, Xu would often use aliases and represent himself as being associated with the Jiangsu Science & Technology Promotion Association (JAST). He would target expert engineers at aviation companies and recruit them to travel to China, ostensibly to deliver university presentations on aviation technology-related topics.

Going After GE Aviation's Material Design Technology

One of the engineers Xu targeted worked at GE Aviation. Xu contacted the individual in March 2017 and invited the engineer to deliver a presentation at China's leading Nanjing University of Aeronautics and Astronautics (NUAA). In discussing what to present, Xu instructed the engineer to give a report on certain key GE Aviation engine structure design analysis and manufacturing technology.

On one occasion, the engineer travelled to China and gave a presentation at NUAA, for which the engineer was later reimbursed $3,500 for travel and other expenses.

In subsequent communications with the same engineer, Xu tried to extract much more detailed information, including some highly proprietary information on the composite materials used in GE Aviation's fan blades and fan blade encasements. GE Aviation is the only company using the technology, which it spent billions of dollars developing, the court papers said.

Though the engineer explicitly informed Xu that the information he was seeking involved commercial secrets, Xu persisted in asking for the information. He instructed the engineer on how to send him a copy of the file directory on the engineer's GE-issued computer. The engineer followed Xu's instructions for sorting and saving the file directory, resulting in a complete menu of all the files on the engineer's system. The engineer then sent the file to Xu, as instructed, but it was heavily edited to remove all sensitive information, and sent with GE Aviation's knowledge and approval.

The court documents also show that Xu targeted at least two other unnamed US aviation companies. The information he sought to obtain from these companies included materials related to electric landing gear and electric jet braking and data pertaining to a technology for aerial refueling of military aircraft.

Xu's arrest is sure to focus attention once again on China's state-backed espionage activity, an issue that the US government has previously raised at the highest levels. Xu is, in fact, the second Chinese citizen to be recently arrested. In September, law enforcement in Chicago arrested Ji Chaoqun on charges related to a conspiracy to steal information by recruiting Chinese nationals working as engineers and scientists for US firms, including military contractors.

In 2015, former President Barack Obama and Chinese counterpart Xi Jinping signed a much-touted cyber agreement aimed at reducing some of the mounting tensions over the issue. The agreement calls for appropriate norms for state behavior in cyberspace and for both sides to refrain from knowingly supporting or conducting cyber-enabled theft of intellectual property.

The agreement came months after Obama issued an executive order that gave the US Treasury Department the authority to freeze all US-based property and assets of persons and entities that engage in cyber espionage on behalf of another country.

Three years later, little has changed. A recent report from CrowdStrike showed a sharp uptick in targeted intrusion attempts by China-backed actors against US companies in industries including defense, biotech, and pharmaceuticals. China-based entities, in fact, were behind 40 of the 70 or so targeted intrusions in the first half of this year that CrowdStrike was able to attribute.

"China is back as the most prolific nation-state actor conducting industrial espionage via cyber and non-cyber means," said Dmitri Alperovitch, co-founder and CTO of CrowdStrike, in a statement. "We believe China poses a long-term and strategic threat to the global economy, and today's arrest of a senior MSS officer responsible for industrial espionage is an important deterrence tool."  


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

timwessels, 10/17/2018 | 10:21:06 PM
Espionage the old-fashioned way
Well, in an era when everyone is working to defend against electronic intrusion into private networks to steal intellectual property, a Chinese military intelligence officer was apprehended in Belgium and extradited to the US to face charges for conducting old-school espionage. To do this means finding someone who works in an industry where you want to steal a company's intellectual property for your own commercial purposes. Groom them by inviting them to conferences in China to deliver technical presentations and meet with Chinese engineers, etc. Stay in touch with them and begin asking more pointed questions about certain designs or processes you are interested in and see if they will eventually tell you or give you what you want to know. I think back in the day it was called "social engineering" and it doesn't look like it has gone completely out of style.

 