CrowdStrike experts have published a lengthy report dedicated to the development of the Chinese Comac C919 aircraft. According to the company, Chinese hackers, employees of the country's Ministry of State Security, information security researchers and many others joined forces to create this airliner.
The purpose of this large-scale operation was to obtain intellectual property and developments that would help China narrow the technological gap in the aviation industry, so that the Chinese state-owned aerospace manufacturer Comac could build its own airliner capable of competing with industry giants such as Airbus and Boeing. According to the researchers, the intellectual property obtained was needed to produce all C919 components within China.
According to the CrowdStrike report, the Ministry of State Security (MSS) assigned this task to its Jiangsu Bureau (MSS JSSD). There, in turn, the attacks were delegated to two senior officers who were to coordinate the overall effort. One of them was directly responsible for the work of the hacker team, while the second recruited insiders working at aviation and aerospace companies.
Between 2010 and 2015, this hacking team successfully compromised companies such as Ametek, Honeywell, Safran, Capstone Turbine, GE and others.
Interestingly, according to CrowdStrike and the US Department of Justice, the MSS used a different approach for this operation. The hacking group, which the researchers called Turbine Panda, did not consist of proven cyber operatives drawn from the military: instead, local hackers and information security researchers, including well-known figures from underground circles, were recruited for the work. They were then instructed to find an entry point into the target networks, where they typically deployed malware such as Sakula, PlugX and Winnti to locate and steal confidential information.
It is reported that in the vast majority of cases, the hackers used a malicious program specifically designed for these attacks. This malware is named Sakula, and it was developed by information security specialist Yu Pingan as a legitimate tool.
In the rare cases where Turbine Panda members could not find a way into a network, the second JSSD MSS coordinator stepped in. He found and recruited a Chinese citizen working for the target company and used that person to plant Sakula on the victim's network (usually via a USB stick).
CrowdStrike analysts write that Turbine Panda can be called extremely effective. In 2016, after almost six years of constant attacks on foreign aviation companies, Aero Engine Corporation of China (AECC) introduced the CJ-1000AX engine, which will be used in the C919 liner under development and will replace the engine created by a foreign contractor.
Experts have already noted that the CJ-1000AX shows many similarities (1, 2) with the LEAP-1C and LEAP-X engines manufactured by CFM International, a joint venture of the American company GE Aviation and the French aerospace firm Safran, that is, the very foreign contractor that worked on the engines for the C919.
The fall of Turbine Panda
Turbine Panda drew the attention of the US authorities after attacks on such large targets as the healthcare provider Anthem and the US Office of Personnel Management (OPM). Although these hacks brought the hackers a lot of useful data, including for the recruitment of future insiders, they also provoked a large-scale investigation.
Law enforcement first identified and arrested the insiders in 2017, since they were easier to spot and did not enjoy the protection of the Chinese government, as they acted on foreign territory. Then, in the same year, the creator of the Sakula malware was arrested while attending a security conference in Los Angeles; he was later charged with involvement in the attacks on Anthem and OPM. In response to the arrest of Yu Pingan, the Chinese government banned its specialists from participating in foreign security conferences, fearing that the US authorities might get their hands on other "assets".
And if at first these arrests looked rather strange, a report by Recorded Future soon shed light on the fact that the Chinese Ministry of State Security has extensive connections in the Chinese cybersecurity scene, accumulates and conceals information about vulnerabilities discovered by Chinese information security experts, and then MSS hackers exploit these issues in practice before they are publicly disclosed.
Apparently, the last nail in the coffin of Turbine Panda was the arrest in 2018 of Xu Yanjun, the JSSD MSS officer in charge of recruitment at foreign companies. The US authorities hope that he will cooperate with the investigation in exchange for a reduced sentence.
According to CrowdStrike, the remaining Turbine Panda members have now moved to other Chinese hacking groups, including Emissary Panda, Nightshade Panda, Sneaky Panda, Gothic Panda, Anchor Panda and others. However, analysts believe that attacks on foreign aviation companies will continue in the future, since the Comac C919 is not at all as good and successful as the Chinese government expected. Efforts are already underway to create the next version of the airliner, the C929.
Researchers also note that cyber-espionage attacks on the aerospace industry are by no means a unique phenomenon; similar efforts target enterprises and organizations in many other industries, from the maritime sector to equipment manufacturing, from scientific research to biotechnology.