Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:18 PM
Connect Directly

Cyber Theft, Humint Helped China Cut Corners on Passenger Jet

Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.

When China's domestically built C919 airplane becomes commercially available sometime in the next few years, many of the components in the plane will be based on designs and intellectual property that were likely copied from other manufacturers around the world.

That assessment from CrowdStrike is based on information pieced together from multiple recent US Department of Justice indictments and from the security vendor's own tracking of Turbine Panda, a China government-backed cyber espionage group that has been targeting aerospace companies since 2010.

The narrow-body C919 twinjet airliner is China's first homemade commercial jet and represents part of a broader "Made in China 2025" initiative that is designed to make the country self-reliant in several key industries. The plane completed its maiden voyage in 2017 and is expected to hit the market at about half the cost of competitive products from the Western aerospace duopoly of Boeing and Airbus.

At least some of that will be because Turbine Panda and several other operatives helped its manufacturer — the Commercial Aircraft Corporation of China (COMAC) and the Aviation Industry Corporation of China (AVIC) — cut corners.

China is not unique in targeting aerospace companies in the US and elsewhere. Adam Meyers, vice president of intelligence at CrowdStrike, says his firm is currently tracking 40 active threat groups targeting the sector including those from China, Russia, India, Iran, and North Korea.

"This is a complex problem," to address he says. Campaigns involving theft of IP and trade secrets can involve cyber operations, human intelligence, and support from national level intelligence services. "There is no easy short answer," Meyer says. "It needs to be addressed across public and private sector stakeholders."

According to CrowdStrike, its own intelligence and information in US DOJ indictments against key Chinese operatives in 2017 and 2018 suggest that one area where China appears to have especially benefited from outside IP is the C919's engine.

Soon after plans for the C919 were announced back in 2010, COMAC and AVIC were tasked with developing an indigenously built turbofan engine for the plane comparable to LEAP-X, an engine from GE Aviation and French aerospace company Safran. The resulting CJ-1000AX engine, which underwent formal tests last year, has multiple similarities to LEAP X, including in its dimensions and turbofan blades, CrowdStrike says.

"It is difficult to assess that the CJ-1000AX is a direct copy of the LEAP-X without direct access to technical engineering specifications," CrowdStrike said in a report this week stitching together the DOJ information and its own research.  But it is "highly likely" that its makers benefited significantly from Turbine Panda's cyber espionage efforts on behalf of the Jiangsu Bureau of China's Ministry of State Security (MSS), the vendor said.

The information that Turbine Panda and others collected from companies that have technologies pertaining to the LEAP-X engine has helped China knock off years in development time, and potentially billions of dollars in research in developing the CJ-1000AX engine, according to CrowdStrike.

Signs of Turbine Panda Activity

Signs of Turbine Panda's involvement go back to 2010 when China first announced plans for the C919 commercial jet. DOJ documents show soon after the announcement, Turbine Panda was involved in a cyberattack on Capstone Turbine, a Los Angeles-based gas turbine manufacturer. In a February 2014 blog, CrowdStrike then drew a connection between a Turbine Panda attack on French aerospace firm Safran and one against Capstone Turbine in 2012. The blog exposed some of Turbine Panda's operations prompting the group to take evasive action, says Meyers.

Between 2010 and 2015 Turbine Panda and others working for the Jiangsu Bureau of the MSS targeted a variety of aerospace-related organizations. Among those targeted were Honeywell, Ametek, and Safran. In many of the attacks, the China-based cyber operatives used the PlugX, Winnti, and Sakula remote-access Trojans to try and steal from victims, CrowdStrike said.

In addition to the cyber efforts, Beijing operatives were engaged in a massive human intelligence (aka humint) campaign focused on stealing information that could help with the C919 project. While one arm of China's intelligence apparatus identified key technology gaps in the C919 program, another focused on efforts to obtain those technologies via cyber and humint efforts, CrowdStrike said.

The human intelligence efforts included one by a now-indicted MSS intelligence officer to recruit an insider at LEAP-X manufacturer General Electric. The same officer also recruited a China-born US Army reservist who was an expert at assessing turbine engine schematics.

So far, at least four individuals have been arrested in connection with China's campaign targeting aerospace companies. Among them is Xu Yanjun, the MSS officer who was allegedly in charge of recruiting insiders at targeted aerospace firms, and Yu Pingan, the developer of the Sakula RAT who was arrested while attending a security conference in the US. Yu's arrest prompted the MSS to issue strict orders to security researchers in the country not to attend overseas conferences or Capture the Flag events, CrowdStrike reported.

Though Xu's arrest in particular is likely especially significant, it is unlikely to deter China's attempts to leap-frog development in technology areas the country perceives as being of strategic importance, CrowdStrike said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Murderers' Row of Poisoning Attacks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-30
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://v...
PUBLISHED: 2020-10-30
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vu...
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the targ...
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privi...
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...