Cyber Theft, Humint Helped China Cut Corners on Passenger Jet
Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.
October 14, 2019
When China's domestically built C919 airplane becomes commercially available sometime in the next few years, many of the components in the plane will be based on designs and intellectual property that were likely copied from other manufacturers around the world.
That assessment from CrowdStrike is based on information pieced together from multiple recent US Department of Justice indictments and from the security vendor's own tracking of Turbine Panda, a China government-backed cyber espionage group that has been targeting aerospace companies since 2010.
The narrow-body C919 twinjet airliner is China's first homemade commercial jet and represents part of a broader "Made in China 2025" initiative that is designed to make the country self-reliant in several key industries. The plane completed its maiden voyage in 2017 and is expected to hit the market at about half the cost of competitive products from the Western aerospace duopoly of Boeing and Airbus.
At least some of that will be because Turbine Panda and several other operatives helped its manufacturer — the Commercial Aircraft Corporation of China (COMAC) and the Aviation Industry Corporation of China (AVIC) — cut corners.
China is not unique in targeting aerospace companies in the US and elsewhere. Adam Meyers, vice president of intelligence at CrowdStrike, says his firm is currently tracking 40 active threat groups targeting the sector including those from China, Russia, India, Iran, and North Korea.
"This is a complex problem," to address he says. Campaigns involving theft of IP and trade secrets can involve cyber operations, human intelligence, and support from national level intelligence services. "There is no easy short answer," Meyer says. "It needs to be addressed across public and private sector stakeholders."
According to CrowdStrike, its own intelligence and information in US DOJ indictments against key Chinese operatives in 2017 and 2018 suggest that one area where China appears to have especially benefited from outside IP is the C919's engine.
Soon after plans for the C919 were announced back in 2010, COMAC and AVIC were tasked with developing an indigenously built turbofan engine for the plane comparable to LEAP-X, an engine from GE Aviation and French aerospace company Safran. The resulting CJ-1000AX engine, which underwent formal tests last year, has multiple similarities to LEAP X, including in its dimensions and turbofan blades, CrowdStrike says.
"It is difficult to assess that the CJ-1000AX is a direct copy of the LEAP-X without direct access to technical engineering specifications," CrowdStrike said in a report this week stitching together the DOJ information and its own research. But it is "highly likely" that its makers benefited significantly from Turbine Panda's cyber espionage efforts on behalf of the Jiangsu Bureau of China's Ministry of State Security (MSS), the vendor said.
The information that Turbine Panda and others collected from companies that have technologies pertaining to the LEAP-X engine has helped China knock off years in development time, and potentially billions of dollars in research in developing the CJ-1000AX engine, according to CrowdStrike.
Signs of Turbine Panda Activity
Signs of Turbine Panda's involvement go back to 2010 when China first announced plans for the C919 commercial jet. DOJ documents show soon after the announcement, Turbine Panda was involved in a cyberattack on Capstone Turbine, a Los Angeles-based gas turbine manufacturer. In a February 2014 blog, CrowdStrike then drew a connection between a Turbine Panda attack on French aerospace firm Safran and one against Capstone Turbine in 2012. The blog exposed some of Turbine Panda's operations prompting the group to take evasive action, says Meyers.
Between 2010 and 2015 Turbine Panda and others working for the Jiangsu Bureau of the MSS targeted a variety of aerospace-related organizations. Among those targeted were Honeywell, Ametek, and Safran. In many of the attacks, the China-based cyber operatives used the PlugX, Winnti, and Sakula remote-access Trojans to try and steal from victims, CrowdStrike said.
In addition to the cyber efforts, Beijing operatives were engaged in a massive human intelligence (aka humint) campaign focused on stealing information that could help with the C919 project. While one arm of China's intelligence apparatus identified key technology gaps in the C919 program, another focused on efforts to obtain those technologies via cyber and humint efforts, CrowdStrike said.
The human intelligence efforts included one by a now-indicted MSS intelligence officer to recruit an insider at LEAP-X manufacturer General Electric. The same officer also recruited a China-born US Army reservist who was an expert at assessing turbine engine schematics.
So far, at least four individuals have been arrested in connection with China's campaign targeting aerospace companies. Among them is Xu Yanjun, the MSS officer who was allegedly in charge of recruiting insiders at targeted aerospace firms, and Yu Pingan, the developer of the Sakula RAT who was arrested while attending a security conference in the US. Yu's arrest prompted the MSS to issue strict orders to security researchers in the country not to attend overseas conferences or Capture the Flag events, CrowdStrike reported.
Though Xu's arrest in particular is likely especially significant, it is unlikely to deter China's attempts to leap-frog development in technology areas the country perceives as being of strategic importance, CrowdStrike said.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Murderers' Row of Poisoning Attacks."
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024