Security researchers at Crowdstrike conducted long-running cyber-espionage operations aimed at various aerospace firms. According to the experts the cyber espionage operations begun in January 2010, after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) selected U
“However, the C919 can hardly be seen as a complete domestic triumph, because it is reliant on a plethora of foreign-manufactured components. Likely in an effort to bridge those gaps, the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919’s various components.” reads a blog post published by Crowdstrike.
Researchers noticed that in August 2016, both COMAC and AVIC became the main shareholders of the Aero Engine Corporation of China (AECC/中国航空发动机集团), which produced the CJ-1000AX engine. Experts claim that CJ-1000AX is quite similar to the LEAP-1C, its dimensions and turbofan blade design demonstrate it.
Researchers suspect that the aircraft maker benefited information obtained through cyberespionage campaigns carried out over the years.
“The actual process by which the CCP and its SOEs provide China’s intelligence services with key technology gaps for collection is relatively opaque, but what is known from CrowdStrike Intelligence reporting and corroborating U.S. government reporting is that Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and
The hackers targeted multiple companies that were involved in the supply of components for the project, including Honeywell and Safran.
The Turbine Panda
Researchers identified a HUMINT element to the JSSD’s espionage operations against the targets in the aerospace industry that were involved in the project.
“In February 2014, one of our own blogs described the relationship between cyber activity in 2012 against Capstone Turbine and an SWC targeting Safran/Snecma carried out by TURBINE PANDA, potentially exposing the HUMINT-enabled cyber operations described in some of the indictments.” reads the report published by the experts. “As described in the ZHANG indictment, on 26 February 2014, one day after the release of our “French Connection” blog publicly exposed som
According to the report, in November 2013, the JSSD Intelligence Officer Xu Yanjun recruited a Safran Suzhou insider named Tian Xi.
Tian Xi delivered the Sakula malware to the target company using a USB drive with the Sakula malware on it, in January 2014.
Despite Xu Yanjun, the Sakula developer Yu Pingan, and two individuals working as insiders have been arrested, the cyber espionage campaigns have not ceased.
“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike concludes. “Similar to the procedure for developing the C919, the JV is currently taking bids for an aircraft engine that will be used