China-linked Cyberspies Turbine PANDA Targeted Aerospace Firms for Years
October 19, 2019 Share

China-linked Cyberspies Turbine PANDA Targeted Aerospace Firms for Years

Security researchers at Crowdstrike conducted long-running cyber-espionage operations aimed at various aerospace firms. According to the experts the cyber espionage operations begun in January 2010, after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) selected U.S.-based CFM International to provide a custom engine (LEAP-1C) for its C919 aircraft. The researchers attributed the attacks to a China-linked threat actor tracked as TURBINE PANDA who targeted multiple companies that manufactured the C919’s components between 2010 and 2015. The operations are traceable back to the MSS Jiangsu Bureau, the same unit blamed for the 2015 U.S. Office of Personnel Management (OPM) breach.

“However, the C919 can hardly be seen as a complete domestic triumph, because it is reliant on a plethora of foreign-manufactured components. Likely in an effort to bridge those gaps, the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919’s various components.” reads a blog post published by Crowdstrike.

Researchers noticed that in August 2016, both COMAC and AVIC became the main shareholders of the Aero Engine Corporation of China (AECC/中国航空发动机集团), which produced the CJ-1000AX engine. Experts claim that CJ-1000AX is quite similar to the LEAP-1C, its dimensions and turbofan blade design demonstrate it.

Researchers suspect that the aircraft maker benefited information obtained through cyberespionage campaigns carried out over the years.

“The actual process by which the CCP and its SOEs provide China’s intelligence services with key technology gaps for collection is relatively opaque, but what is known from CrowdStrike Intelligence reporting and corroborating U.S. government reporting is that Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs.” continues Crowdstrike.

The hackers targeted multiple companies that were involved in the supply of components for the project, including Honeywell and Safran.

The Turbine Panda cyberespionage group used multiple malware to compromise the systems of the target organizations, the researchers reported the involvement of the PlugX RAT, the Winnti backdoor, and the Sakula malware.

Researchers identified a HUMINT element to the JSSD’s espionage operations against the targets in the aerospace industry that were involved in the project.

“In February 2014, one of our own blogs described the relationship between cyber activity in 2012 against Capstone Turbine and an SWC targeting Safran/Snecma carried out by TURBINE PANDA, potentially exposing the HUMINT-enabled cyber operations described in some of the indictments.” reads the report published by the experts. “As described in the ZHANG indictment, on 26 February 2014, one day after the release of our “French Connection” blog publicly exposed some of TURBINE PANDA’s operations, intel officer XU texted his JSSD counterpart, cyber director CHAI, asking if the domain ns24.dnsdojo.com was related to their cyber operations. That domain was one of the few controlled by cyber operator lead LIU, and several hours after CHAI responded to XU’s text that he would verify, the domain name was deleted”

According to the report, in November 2013, the JSSD Intelligence Officer Xu Yanjun recruited a Safran Suzhou insider named Tian Xi.

Tian Xi delivered the Sakula malware to the target company using a USB drive with the Sakula malware on it, in January 2014.

Despite Xu Yanjun, the Sakula developer Yu Pingan, and two individuals working as insiders have been arrested, the cyber espionage campaigns have not ceased.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike concludes. “Similar to the procedure for developing the C919, the JV is currently taking bids for an aircraft engine that will be used until a Chinese-Russian substitute can take its place; this appears likely to be the CJ2000, an upgraded version of the CJ-1000AX used in the C919.”

This post China-linked Cyberspies Turbine PANDA Targeted Aerospace Firms for Years originally appeared on Security Affairs.

Read More