Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/31/2018
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Chinese Intel Agents Indicted for 5-Year IP Theft Campaign

Intelligence agents aimed for aerospace manufacturing targets, with help of cyberattackers, corporate insiders, and one IT security manager.

Chinese intelligence agents – as well as cyberattackers and corporate insiders working at their direction – were indicted for a series of intrusions and intellectual property thefts that targeted American and European aerospace companies for at least five years.

According to an indictment unsealed by the US Department of Justice Tuesday, the attacks were directed by agents from the Jiangsu Province Ministry of State Security (JSSD), which is a provincial foreign intelligence arm of the People’s Republic of China’s Ministry of State Security. Specifically, JSSD divisional director Zha Rong allegedly oversaw the operation and recruited corporate insiders. In addition, JSSD section chief Chai Meng served as the main point of contact for Liu Chunliang, a cyberattacker who coordinated the work done at the JSSD's behest and paid for the attack infrastructure.

In all, the group successfully infiltrated 13 companies, according to the indictment. However, the attacks appeared to center around locating and stealing information related to a turbofan engine used in commercial airliners in the US and Europe. The turbofan was developed by a US-based company and a French aerospace manufacturer with an office in Suzhou, in the Chinese province of Jiangsu. A China state-owned company was working to build a similar engine at the time, according to the indictment.

Two Suzhou-based employees were named in the indictment: Tian Xi and the company's IT and security manager, Gu Gen, both of whom were reportedly recruited by Zha. Among other things, Tian installed the Sakula malware on the corporate machines and Gu tipped off fellow conspirators when law enforcement had detected malware on the systems, so the group could take action to minimize its exposure.

The attackers and malware developers who allegedly worked under the coordination of Liu were Zhang Zhang-Gui, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. 

From at least January 2010 to May 2015, the group used a variety of methods to compromise the 13 target companies: spear-phishing, water hole attacks, domain hijacking, dynamic DNS, doppelganger domain names, aid of malicious insiders, and a range of malware, including Sakula, IsSpace, Winnti, and PlugX.

The first company, Los Angeles-based gas turbine manufacturer Capstone Turbines, was infiltrated in January 2010. Attackers then set up a fraudulent email account on the Capstone server, as well as compromising its Web server and using its website for watering hole attacks. 

By 2013, the conspirators were closer to the turbofan manufacturer when Tian and JSSD's Zha allegedly staged a meeting in a restaurant to exchange a Trojan horse. "I'll bring the horse [i.e., Trojan horse malware] to you tonight," Zha wrote to Tian. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello."

Liu and Zhang are also charged in a separate attack, which used variants of malware developed for the Capstone Turbines attack to compromise a San Diego-based technology company. 

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:27:35 PM
SMCI, FWIW
Just putting this out there. For all the doubt and dubiousness out there about Bloomberg's Supermicro story, the fact that these type of intricate, coordinated, in-depth, deep-cover IP-theft campaigns are conducted by nation-state actors so as to fully understand US technology as deeply as possible means that it is thoroughly feasible that hardware firms have been infiltrated such that nation-state actors understand the technology enough to custom-develop chips to be discreetly added on to those firms' hardware.

Harder to do and more expensive and resource-intensive? Sure. Is doing it through firmware easier? You bet. But it's also way harder to detect. At a certain point, the only counter-attack to defense in depth is offense in depth.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7843
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7846
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper error handling vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7847
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.
CVE-2019-7848
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7850
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have a Command injection vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.