How China Conducts Cyber Industrial Espionage

Cybersecurity specialists widely acknowledge the cyber vulnerabilities of industrial hardware supply chains as a pressing concern. However, the combination of complex supply chains and shadowy cyber threats reduces the ability of companies to mount robust cyber defenses. Companies will benefit from reading the intelligence report recently released by information security firm Crowdstrike, which sheds light on how supply chain cyber attacks occur. Combining information from United States Department of Justice indictments and its own cyber threat monitoring research, Crowdstrike developed an in-depth case study deconstructing how MSS Jiangsu Bureau, a Chinese intelligence unit, successfully executed a cyber espionage operation to steal lucrative technical secrets about a state-of-the-art turbine engine designed by major aerospace supplier CFM International. Crowdstrike’s report connects the dots between this attack and major technological upgrades later made to China’s flagship twinjet airliner, the C919.

With China expected to become the world’s largest commercial aviation market by 2022, Chinese economic planners have identified advancing internal aerospace aviation technologies as a national strategic priority. The C919, a potential competitor to market-leading commercial airliners offered by the U.S.-based Boeing and the E.U.-based Airbus, has been the focus of Chinese aerospace efforts. Despite aspirations to be the first widely-used Chinese-built airliner, the C919 still relies heavily on components from a long supply chain of foreign suppliers.

According to Crowdstrike, shortly after the Commercial Aircraft Corporation of China (COMAC) formalized a contract with CFM International (a joint venture of U.S.-based GE Aviation and France-based Safran) to procure a custom engine for the C919 in 2009, an APT (advanced persistent threat) known as TURBINE PANDA began cyber operations to pilfer data from CFM, conveying it back to COMAC to support its efforts to reverse engineer CFM International’s LEAP-X model engine. TURBINE PANDA’s efforts focused on compromising CFM International’s supply chain. It targeted several aerospace firms using multiple hacking techniques including DNS hacking and malware injections over a period of five years.  

A large human espionage operation supplemented TURBINE PANDA’S cyber incursion. The human espionage efforts were led by the Director of the MSS Jiangsu, a high-ranking Chinese intelligence officer named XU Yanjun. Using affiliations with Chinese state research institutions as a front, the officer recruited assets inside GE Aviation and the US Army to pass along sensitive information. Although some of the perpetrators of the human espionage effort were arrested and indicted by the Department of Justice, COMAC later successfully debuted an airliner engine that closely emulated CFM’s much sought-after Leap-X technology.

Despite the arrest of XU Yanjun and key associates, cyber espionage operations by Chinese APTs continue. China has cultivated large ranks of cybersecurity talent by sponsoring teams in international competitions, feeding acquired knowledge of international cyber vulnerabilities into national databases. Similarities in the methods employed in several cyber attacks show that these teams have common tools and approaches to hacking and do not rely on any small set of genius hackers. Moreover, the profitability of these attacks offers strong incentive for Chinese intelligence to continue its industrial espionage campaign. Canadian media reported in February 2019 details of a cyber attack on the UN’s Civil Aviation Organization perpetrated in November 2016. The attack on ICAO resembled TURBINE PANDA’s previous attacks and potentially released extensive technical aerospace and other proprietary information. According to Crowdstrike’s investigation of the attack, key IT personnel at ICAO had direct professional links to China’s civil aviation industry.

Topics: Information Technology, Offensive, Cyber War, Defensive, Cyber Physical Security