Security researchers have correlated the activity of a Chinese hacker group known for targeting aerospace companies to a multi-year espionage effort by China’s intelligence agencies to further the development of the country’s C919 aircraft, an airliner designed to compete with similar planes from Airbus and Boeing.

The Comac C919 is a narrow-body twinjet airliner whose development started in 2008 and had its first maiden flight in 2017 after various delays due to technological issues. While being touted as a Chinese-made aircraft, the plane uses many components supplied by aerospace companies from Europe and North America.

Between 2010 and 2015, coinciding with the plane’s development, researchers from CrowdStrike tracked a China-based group they dubbed Turbine Panda that launched cyberespionage attacks against several of the companies that supply C919 components. They now believe this was part of a coordinated effort by China to bridge the technology gap needed to produce the same components locally by state-owned enterprises.

Evidence indicates that effort was coordinated by the JSSD, the Jiangsu Bureau of China’s Ministry of State Security (MSS), and that it combined traditional espionage by recruiting insiders in targeted companies, as well as cyber intrusions by Turbine Panda.

“From August 2017 until October 2018, the DoJ [the U.S. Department of Justice] released several separate but related indictments against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE Employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators in the ZHANG et. al. indictment,” CrowdStrike said in a new report released today.

A broad, coordinated effort to collect aerospace IP

“What makes these DoJ cases so fascinating is that, when looked at as a whole they illustrate the broad but coordinated efforts the JSSD took to collect information from its aerospace targets. In particular, the operations connected to activity CrowdStrike Intelligence tracked as Turbine Panda showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms,” the report stated.

Sakula is a malware program that CrowdStrike believes is unique to Turbine Panda and JSSD, even though Turbine Panda has also used other Trojans like PlugX and Winnti that are shared by other Chinese APT groups.

Sakula developer YU Pingan was arrested by the FBI in 2017 while attending a security conference in the U.S. and soon after the MSS issued orders to prevent Chinese security researchers from participating in conferences and capture-the-flag competitions overseas.

“In years prior to that directive, Chinese teams—such as those from Qihoo 360, Tencent and Baidu—had dominated overseas competitions and bug bounties including Pwn2Own and CanSecWest, earning thousands of dollars in cash rewards for their zero-day exploits for popular systems such as Android, iOS, Tesla, Microsoft and Adobe,” CrowdStrike said. “Instead, the companies these researchers work for were required to provide vulnerability information to the China Information Technical Security Evaluation Center (CNITSEC). CNITSEC was previously identified by CrowdStrike Intelligence and other industry reporting as being affiliated with the MSS Technical Bureau and it runs the Chinese National Information Security Vulnerability Database (CNNVD), which was outed for its role in providing the MSS with cutting-edge vulnerabilities likely for use in offensive operations.”

According to CrowdStrike, many of the individuals named in the DoJ indictments and believed to be part of Turbine Panda have storied histories in the Chinese hacking circles dating back to at least 2004, indicating recruitment by Chinese intelligence of competent black hat hackers.

The Zhang indictment indicates that the cyber intrusions were overseen by Chai Meng, who managed the JSSD’s cyber operations, and Liu Chunliang, who maintained the infrastructure for the attacks. Liu was also the one who sourced the Sakula malware from its developer, Yu, as well as another piece of malware called IsSpace that is associated with another Chinese APT group tracked as Samurai Panda.

Links to Anthem, OPM breaches

Both Sakula and IsSpace were used in the 2015 breaches at medical insurer Anthem and the United States Office of Personnel Management (OPM), which are already believed to be related based on industry reports. The attackers’ techniques and procedures used in the Anthem breach bear a strong resemblance to those employed in a previous intrusion at Ametek, a US-based provider of electronic instruments and one of Turbine Panda’s victims. These connections suggest that JSSD was behind the Anthem and OPM breaches.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” the CrowdStrike researchers said.

“The reality is that many of the other cyber operators that made up Turbine Panda operations will likely never see a jail cell,” they said, concluding that the arrests are unlikely to “deter Beijing from mounting other significant cyber campaigns designed to achieve leapfrog development in areas of strategic importance.”

Companies from the aerospace sector remain of interest to Chinese hackers and the attacks against them are likely to continue. In 2017, after C919’s maiden flight, the Aero Engine Corporation of China (AECC) and Russia’s United Aircraft Corp (UAC) announced a joint venture to design a new aircraft dubbed CR929, a wide-body jet that will compete with the Airbus 350 and Boeing 787.

Like with the C919, the CR929’s engines, onboard electrical systems and other components will initially need to be sourced from foreign suppliers. CrowdStrike warns that companies bidding on those contracts “may face additional targeting from China-based adversaries that have demonstrated the capability and intent to engage in such intellectual property theft for economic gain.”

“It is unclear whether Russia, a state that also has experienced cyber operators at its disposal, would also engage in cyber-enabled theft of intellectual property related to the CR929,” the company said.