Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/31/2018
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Chinese Intel Agents Indicted for 5-Year IP Theft Campaign

Intelligence agents aimed for aerospace manufacturing targets, with help of cyberattackers, corporate insiders, and one IT security manager.

Chinese intelligence agents – as well as cyberattackers and corporate insiders working at their direction – were indicted for a series of intrusions and intellectual property thefts that targeted American and European aerospace companies for at least five years.

According to an indictment unsealed by the US Department of Justice Tuesday, the attacks were directed by agents from the Jiangsu Province Ministry of State Security (JSSD), which is a provincial foreign intelligence arm of the People’s Republic of China’s Ministry of State Security. Specifically, JSSD divisional director Zha Rong allegedly oversaw the operation and recruited corporate insiders. In addition, JSSD section chief Chai Meng served as the main point of contact for Liu Chunliang, a cyberattacker who coordinated the work done at the JSSD's behest and paid for the attack infrastructure.

In all, the group successfully infiltrated 13 companies, according to the indictment. However, the attacks appeared to center around locating and stealing information related to a turbofan engine used in commercial airliners in the US and Europe. The turbofan was developed by a US-based company and a French aerospace manufacturer with an office in Suzhou, in the Chinese province of Jiangsu. A China state-owned company was working to build a similar engine at the time, according to the indictment.

Two Suzhou-based employees were named in the indictment: Tian Xi and the company's IT and security manager, Gu Gen, both of whom were reportedly recruited by Zha. Among other things, Tian installed the Sakula malware on the corporate machines and Gu tipped off fellow conspirators when law enforcement had detected malware on the systems, so the group could take action to minimize its exposure.

The attackers and malware developers who allegedly worked under the coordination of Liu were Zhang Zhang-Gui, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. 

From at least January 2010 to May 2015, the group used a variety of methods to compromise the 13 target companies: spear-phishing, water hole attacks, domain hijacking, dynamic DNS, doppelganger domain names, aid of malicious insiders, and a range of malware, including Sakula, IsSpace, Winnti, and PlugX.

The first company, Los Angeles-based gas turbine manufacturer Capstone Turbines, was infiltrated in January 2010. Attackers then set up a fraudulent email account on the Capstone server, as well as compromising its Web server and using its website for watering hole attacks. 

By 2013, the conspirators were closer to the turbofan manufacturer when Tian and JSSD's Zha allegedly staged a meeting in a restaurant to exchange a Trojan horse. "I'll bring the horse [i.e., Trojan horse malware] to you tonight," Zha wrote to Tian. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello."

Liu and Zhang are also charged in a separate attack, which used variants of malware developed for the Capstone Turbines attack to compromise a San Diego-based technology company. 

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:27:35 PM
SMCI, FWIW
Just putting this out there. For all the doubt and dubiousness out there about Bloomberg's Supermicro story, the fact that these type of intricate, coordinated, in-depth, deep-cover IP-theft campaigns are conducted by nation-state actors so as to fully understand US technology as deeply as possible means that it is thoroughly feasible that hardware firms have been infiltrated such that nation-state actors understand the technology enough to custom-develop chips to be discreetly added on to those firms' hardware.

Harder to do and more expensive and resource-intensive? Sure. Is doing it through firmware easier? You bet. But it's also way harder to detect. At a certain point, the only counter-attack to defense in depth is offense in depth.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-5285
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
CVE-2009-5047
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
CVE-2013-4584
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
CVE-2013-7087
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
CVE-2013-7088
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component