Hackers targeted U.S. turbofan jet engine tech for Chinese jetliner
BY: Bill Gertz
October 30, 2018 6:01 pm
The Justice Department announced the indictment of nine people on Tuesday linked to a Chinese cyber intelligence operation targeting aerospace technology.
The nine people, including intelligence officers, state-controlled hackers, and recruited agents inside companies, were linked to computer intrusions at U.S. and European companies and the theft of turbofan jet engine technology used in commercial airliners.
The operation was directed by cyber spies operating out of the Jiangsu Province branch of the Ministry of State Security, the civilian spy service, based in Nanjing, China, and known as the JSSD.
Two MSS officers indicted in the case were identified as Zha Rong and Chai Meng, who worked with state-controlled Chinese hackers and insiders working for targeted aerospace companies.
The members of the MSS hacker team under the direction of the two MSS officers were identified as Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi.
The Justice Department did not say where the nine people are or whether any have been arrested.
“From January 2010 to May 2015, JSSD employees, along with individuals working at the direction of the JSSD, conspired to steal sensitive commercial technological, aviation, and aerospace data by hacking into computers in the United States and abroad,” states the indictment dated Oct. 25 and unsealed on Tuesday.
The cyber espionage indictment followed the unprecedented arrest earlier this month of an MSS operative from the Jiangsu MSS, Yanjun Xu, who was extradited to the United States from Belgium.
Xu was not named in the indictment, indicating he may not be related to the case announced Tuesday. However, it is possible he may have given up the names of the MSS cyber espionage network.
The Justice Department said in a statement that the targeted jet engine technology was being developed jointly between U.S. and French companies.
The French firm was operating in Suzhou, Jiangsu province, China. Only one of the companies, Capstone Turbine, was identified by name.
Two indicted Chinese hackers, Gu Gen and Tian Xi, “hacked the French aerospace manufacturer” with the assistance of the MSS, the statement said.
“The hackers also conducted intrusions into other companies that manufactured parts for the turbofan jet engine, including aerospace companies based in Arizona, Massachusetts, and Oregon,” the Justice statement said.
As the intrusions took place, a Chinese state-owned aerospace company was working on building a comparable jet engine for use in a Chinese-made commercial airliner.
Another hacker, Zhang Zhang-Gui, and Chinese national Li Xiao were charged in a separate hacking operation that gained access to a San Diego-based technology company.
“For the third time since only September, the National Security Division, with its U.S. Attorney partners, has brought charges against Chinese intelligence officers from the JSSD and those working at their direction and control for stealing American intellectual property,” said John C. Demers, assistant attorney general for National Security.
“This is just the beginning. Together with our federal partners, we will redouble our efforts to safeguard America’s ingenuity and investment,” he added.
The indictment is the latest incident in increasingly tense relations between Washington and Beijing.
President Trump has imposed $200 billion in tariffs on Chinese goods as a result of what the Trump administration has said are China’s unfair trade practices and illicit theft of American technology.
The president has vowed to keep pressuring Beijing and may add another $250 billion in tariffs.
The Chinese hacking operation involved various techniques, including spear phishing emails and multiple strains of malicious software that allowed the hackers to gain access to company computer networks.
The hackers also used hijacked company websites known as “water holes” that draw unsuspecting computer operators to the sites and fool them into giving up network access credentials.
The first hack took place around Jan. 8, 2010, against Capstone Turbine, a Los Angeles gas turbine manufacturer.
The San Diego technology company was targeted by Chinese intelligence from August 2012 to January 2014 in a watering hole attack aimed at stealing commercial data.
The Chinese also were able to co-opt company employees in conducting the cyber economic espionage.
Two Chinese nationals working for Tian and Gu worked for the French aerospace company in Suzhou.
Using MSS-supplied malware, Tian infected the French company’s computers and gained access. Gu, identified as the head of Information Technology and Security at the French company facility in Suzhou, notified the Chinese intelligence group that the malware had been detected on the company computers.
The case appears to have been uncovered in May 2015 after an Oregon company that built parts for turbofan jet engines identified the Chinese malware and removed it from its networks.
The FBI’s San Diego office conducted the investigation and the case is being prosecuted by the office of the U.S. Attorney for the Southern District of California.
Other companies listed in the indictment that were targeted and hacked were identified as a Massachusetts-based aerospace company; a British aerospace company with offices in Pennsylvania; a British aerospace company with offices in New York; a multinational conglomerate that produces commercial and consumer products and aerospace systems; a French aerospace firm; an Arizona-based aerospace firm; an Oregon-based aerospace supplier; a critical infrastructure company in San Diego; a Wisconsin-based aerospace company; and an Australian domain registrar.
For Capstone, the Chinese used a malware called “Winnti” that sent a “beacon” to alert the hackers that the malware had been successfully installed. In another case, the Chinese used “Sakula” and “PlugX” malware.
The detection of the computer intrusions outlined in the indictment indicates that the U.S. government had been surveilling the Chinese hacking activities as they were carried out.
In a text message indicating malware had been planted in one of the targeted computers, Tian told a Chinese intelligence officer, “The horse was planted this morning.” The officer responded: “I briefed Zha about the incident in Suzhou.”
Bill Gertz is senior editor of the Washington Free Beacon. Prior to joining the Beacon he was a national security reporter, editor, and columnist for 27 years at the Washington Times. Bill is the author of seven books, four of which were national bestsellers. His most recent book was iWar: War and Peace in the Information Age, a look at information warfare in its many forms and the enemies that are waging it. Bill has an international reputation. Vyachaslav Trubnikov, head of the Russian Foreign Intelligence Service, once called him a “tool of the CIA” after he wrote an article exposing Russian intelligence operations in the Balkans. A senior CIA official once threatened to have a cruise missile fired at his desk after he wrote a column critical of the CIA’s analysis of China. And China’s communist government has criticized him for news reports exposing China’s weapons and missile sales to rogue states. The state-run Xinhua news agency in 2006 identified Bill as the No. 1 “anti-China expert” in the world. Bill insists he is very much pro-China—pro-Chinese people and opposed to the communist system. Former Defense Secretary Donald H. Rumsfeld once told him: “You are drilling holes in the Pentagon and sucking out information.” His Twitter handle is @BillGertz.