Dark Reading is part of the Informa Tech Division of Informa PLC
Cyber Theft, Humint Helped China Cut Corners on Passenger Jet

Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.

When China's domestically built C919 airplane becomes commercially available sometime in the next few years, many of the components in the plane will be based on designs and intellectual property that were likely copied from other manufacturers around the world.

That assessment from CrowdStrike is based on information pieced together from multiple recent US Department of Justice indictments and from the security vendor's own tracking of Turbine Panda, a Chinese government-backed cyber espionage group that has been targeting aerospace companies since 2010.

The narrow-body C919 twinjet airliner is China's first domestically built commercial jet and is part of the broader "Made in China 2025" initiative, which is designed to make the country self-reliant in several key industries. The plane completed its maiden flight in 2017 and is expected to hit the market at about half the cost of competing products from the Western aerospace duopoly of Boeing and Airbus.

At least some of that cost advantage will be because Turbine Panda and several other operatives helped the plane's manufacturers, the Commercial Aircraft Corporation of China (COMAC) and the Aviation Industry Corporation of China (AVIC), cut corners.

China is not unique in targeting aerospace companies in the US and elsewhere. Adam Meyers, vice president of intelligence at CrowdStrike, says his firm is currently tracking 40 active threat groups targeting the sector, including groups from China, Russia, India, Iran, and North Korea.

"This is a complex problem" to address, he says. Campaigns involving theft of IP and trade secrets can involve cyber operations, human intelligence, and support from national-level intelligence services. "There is no easy short answer," Meyers says. "It needs to be addressed across public and private sector stakeholders."

According to CrowdStrike, its own intelligence and the information in US DOJ indictments against key Chinese operatives in 2017 and 2018 suggest that one area where China appears to have especially benefited from stolen IP is the C919's engine.

Soon after plans for the C919 were announced back in 2010, COMAC and AVIC were tasked with developing an indigenously built turbofan engine for the plane comparable to the LEAP-X, an engine from GE Aviation and French aerospace company Safran. The resulting CJ-1000AX engine, which underwent formal tests last year, has multiple similarities to the LEAP-X, including in its dimensions and turbofan blades, CrowdStrike says.

"It is difficult to assess that the CJ-1000AX is a direct copy of the LEAP-X without direct access to technical engineering specifications," CrowdStrike said in a report this week stitching together the DOJ information and its own research. But it is "highly likely" that the engine's makers benefited significantly from Turbine Panda's cyber espionage efforts on behalf of the Jiangsu Bureau of China's Ministry of State Security (MSS), the vendor said.

The information that Turbine Panda and others collected from companies holding technologies related to the LEAP-X engine has helped China shave years off development time, and potentially billions of dollars in research costs, in developing the CJ-1000AX engine, according to CrowdStrike.

Signs of Turbine Panda Activity

Signs of Turbine Panda's involvement go back to 2010, when China first announced plans for the C919 commercial jet. DOJ documents show that soon after the announcement, Turbine Panda was involved in a cyberattack on Capstone Turbine, a Los Angeles-based gas turbine manufacturer. In a February 2014 blog, CrowdStrike then drew a connection between a Turbine Panda attack on French aerospace firm Safran and one against Capstone Turbine in 2012. The blog exposed some of Turbine Panda's operations, prompting the group to take evasive action, says Meyers.

Between 2010 and 2015, Turbine Panda and others working for the Jiangsu Bureau of the MSS targeted a variety of aerospace-related organizations, among them Honeywell, Ametek, and Safran. In many of the attacks, the China-based operators used the PlugX, Winnti, and Sakula remote-access Trojans to try to steal data from victims, CrowdStrike said.

In addition to the cyber efforts, Beijing's operatives were engaged in a massive human intelligence (humint) campaign focused on stealing information that could help the C919 project. While one arm of China's intelligence apparatus identified key technology gaps in the C919 program, another focused on obtaining those technologies through cyber and humint operations, CrowdStrike said.

The human intelligence efforts included an attempt by a now-indicted MSS intelligence officer to recruit an insider at LEAP-X manufacturer General Electric. The same officer also recruited a China-born US Army reservist who was an expert at assessing turbine engine schematics.

So far, at least four individuals have been arrested in connection with China's campaign targeting aerospace companies. Among them are Xu Yanjun, the MSS officer who was allegedly in charge of recruiting insiders at targeted aerospace firms, and Yu Pingan, the developer of the Sakula RAT, who was arrested while attending a security conference in the US. Yu's arrest prompted the MSS to issue strict orders to security researchers in the country not to attend overseas conferences or Capture the Flag events, CrowdStrike reported.

Though Xu's arrest in particular is significant, it is unlikely to deter China's attempts to leapfrog development in technology areas the country perceives as strategically important, CrowdStrike said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
