Chinese intelligence agents – as well as cyberattackers and corporate insiders working at their direction – were indicted for a series of intrusions and intellectual property thefts that targeted American and European aerospace companies for at least five years.
According to an indictment unsealed by the US Department of Justice Tuesday, the attacks were directed by agents from the Jiangsu Province Ministry of State Security (JSSD), which is a provincial foreign intelligence arm of the People’s Republic of China’s Ministry of State Security. Specifically, JSSD divisional director Zha Rong allegedly oversaw the operation and recruited corporate insiders. In addition, JSSD section chief Chai Meng served as the main point of contact for Liu Chunliang, a cyberattacker who coordinated the work done at the JSSD's behest and paid for the attack infrastructure.
In all, the group successfully infiltrated 13 companies, according to the indictment. However, the attacks appeared to center on locating and stealing information related to a turbofan engine used in commercial airliners in the US and Europe. The turbofan was developed by a US-based company and a French aerospace manufacturer with an office in Suzhou, in the Chinese province of Jiangsu. A Chinese state-owned company was working to build a similar engine at the time, according to the indictment.
Two Suzhou-based employees were named in the indictment: Tian Xi and the company's IT and security manager, Gu Gen, both of whom were reportedly recruited by Zha. Among other things, Tian installed the Sakula malware on the corporate machines and Gu tipped off fellow conspirators when law enforcement had detected malware on the systems, so the group could take action to minimize its exposure.
The attackers and malware developers who allegedly worked under the coordination of Liu were Zhang Zhang-Gui, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi.
From at least January 2010 to May 2015, the group used a variety of methods to compromise the 13 target companies: spear-phishing, watering hole attacks, domain hijacking, dynamic DNS, doppelganger domain names, the aid of malicious insiders, and a range of malware, including Sakula, IsSpace, Winnti, and PlugX.
The first company, Los Angeles-based gas turbine manufacturer Capstone Turbines, was infiltrated in January 2010. The attackers then set up a fraudulent email account on the Capstone server, compromised its Web server, and used its website for watering hole attacks.
By 2013, the conspirators were closer to the turbofan manufacturer when Tian and JSSD's Zha allegedly staged a meeting in a restaurant to exchange a Trojan horse. "I'll bring the horse [i.e., Trojan horse malware] to you tonight," Zha wrote to Tian. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello."
Liu and Zhang are also charged in a separate attack, which used variants of malware developed for the Capstone Turbines attack to compromise a San Diego-based technology company.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency.