10/31/2018
05:15 PM
Chinese Intel Agents Indicted for 5-Year IP Theft Campaign

Intelligence agents aimed for aerospace manufacturing targets, with the help of cyberattackers, corporate insiders, and one IT security manager.

Chinese intelligence agents – as well as cyberattackers and corporate insiders working at their direction – were indicted for a series of intrusions and intellectual property thefts that targeted American and European aerospace companies for at least five years.

According to an indictment unsealed by the US Department of Justice Tuesday, the attacks were directed by agents from the Jiangsu Province Ministry of State Security (JSSD), which is a provincial foreign intelligence arm of the People’s Republic of China’s Ministry of State Security. Specifically, JSSD divisional director Zha Rong allegedly oversaw the operation and recruited corporate insiders. In addition, JSSD section chief Chai Meng served as the main point of contact for Liu Chunliang, a cyberattacker who coordinated the work done at the JSSD's behest and paid for the attack infrastructure.

In all, the group successfully infiltrated 13 companies, according to the indictment. However, the attacks appeared to center around locating and stealing information related to a turbofan engine used in commercial airliners in the US and Europe. The turbofan was developed by a US-based company and a French aerospace manufacturer with an office in Suzhou, in the Chinese province of Jiangsu. A China state-owned company was working to build a similar engine at the time, according to the indictment.

Two Suzhou-based employees were named in the indictment: Tian Xi and the company's IT and security manager, Gu Gen, both of whom were reportedly recruited by Zha. Among other things, Tian installed the Sakula malware on the corporate machines and Gu tipped off fellow conspirators when law enforcement had detected malware on the systems, so the group could take action to minimize its exposure.

The attackers and malware developers who allegedly worked under the coordination of Liu were Zhang Zhang-Gui, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. 

From at least January 2010 to May 2015, the group used a variety of methods to compromise the 13 target companies: spear-phishing, watering hole attacks, domain hijacking, dynamic DNS, doppelganger domain names, the aid of malicious insiders, and a range of malware, including Sakula, IsSpace, Winnti, and PlugX.
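A defender-side check for the doppelganger domain names listed above, added here as an example (it is not from the article or the indictment): flag hosts in proxy logs whose registrable domain sits within a small edit distance of a legitimate corporate domain. The domain names and log lines below are constructed for the example.

```python
from urllib.parse import urlsplit

# Legitimate corporate domains (constructed placeholders, not real domains).
LEGIT_DOMAINS = ["turbinecorp-example.com", "aero-example.fr"]

# Constructed proxy log lines: timestamp, client IP, requested URL.
SAMPLE_PROXY_LOG = """\
2010-01-12T09:14:03Z 10.1.4.22 http://turbinecorp-example.com/careers
2010-01-12T09:15:41Z 10.1.4.22 http://turbinecorp-exarnple.com/login
2010-01-12T09:16:02Z 10.1.7.9 http://aero-examp1e.fr/docs
2010-01-12T09:17:30Z 10.1.7.9 http://www.example.org/index
2010-01-12T09:18:11Z 10.1.4.22 http://turbinecorp-example.co/login
"""

def levenshtein(a, b):
    """Edit distance; small values between two domains mean 'looks alike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registrable(host):
    # Crude: keep the last two labels. Good enough for the .com/.fr
    # examples here; use a public-suffix list in production.
    return ".".join(host.lower().split(".")[-2:])

def is_doppelganger(host, legit=LEGIT_DOMAINS, max_dist=2):
    """Return the legitimate domain that `host` imitates, or None."""
    reg = registrable(host)
    if reg in legit:
        return None
    for good in legit:
        if levenshtein(reg, good) <= max_dist:
            return good
    return None

def find_lookalikes(log_text):
    """Scan proxy log lines; return (client, host, imitated_domain) hits."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        target = is_doppelganger(host)
        if target:
            hits.append((client, host, target))
    return hits
```

Tune `max_dist` to the length of your domains: a threshold of 2 is useful for names this long but would produce noise for very short domains.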

The first company, Los Angeles-based gas turbine manufacturer Capstone Turbines, was infiltrated in January 2010. Attackers then set up a fraudulent email account on the Capstone server, compromised its Web server, and used its website for watering hole attacks.

By 2013, the conspirators were closer to the turbofan manufacturer when Tian and JSSD's Zha allegedly staged a meeting in a restaurant to exchange a Trojan horse. "I'll bring the horse [i.e., Trojan horse malware] to you tonight," Zha wrote to Tian. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello."

Liu and Zhang are also charged in a separate attack, which used variants of malware developed for the Capstone Turbines attack to compromise a San Diego-based technology company. 


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Joe Stanganelli, User Rank: Ninja, 10/31/2018 | 11:27:35 PM
SMCI, FWIW
Just putting this out there. For all the doubt and dubiousness out there about Bloomberg's Supermicro story, the fact that these types of intricate, coordinated, in-depth, deep-cover IP-theft campaigns are conducted by nation-state actors so as to fully understand US technology as deeply as possible means that it is thoroughly feasible that hardware firms have been infiltrated such that nation-state actors understand the technology enough to custom-develop chips to be discreetly added on to those firms' hardware.

Harder to do and more expensive and resource-intensive? Sure. Is doing it through firmware easier? You bet. But it's also way harder to detect. At a certain point, the only counter-attack to defense in depth is offense in depth.