
Researchers reveal the cyber campaign that built China's new airliner

CrowdStrike has published details of a coordinated campaign of cyber espionage and hacking, forced technology transfer and physical theft as China seeks to gain an advantage in the commercial aviation industry

China’s efforts to reduce its reliance on Airbus and Boeing to supply its rapidly expanding aviation fleet have been bolstered by a coordinated, five-year campaign using both traditional and cyber espionage techniques, according to intelligence from CrowdStrike.

In a newly published blog post, CrowdStrike said it was a rarity in cyber security to know the full scope of a campaign; however, a mixture of US Department of Justice (DoJ) indictments and its own research had given it “startling visibility” into China’s intelligence operations, and even enabled the firm to publicly name some of the people responsible.

China is well on its way to becoming the world’s biggest aviation market by 2022, according to the International Air Transport Association (IATA), and as such the state-owned Commercial Aircraft Corporation of China (Comac) has developed the C919 airliner, which is supposed to cost less than half the price of its competitors and made its maiden flight in 2017.

However, the C919 is by no means wholly made in China – it includes components from Western suppliers such as GE, Honeywell, Kidde and Rockwell Collins among others – and between 2010 and 2015 several of these companies appear to have been targeted by a Chinese state-aligned actor dubbed Turbine Panda by CrowdStrike.

Almost immediately after Comac signed a deal with CFM International (a joint venture between GE and France’s Safran) to produce a variant of their Leap-X engine for the C919 (the Leap-1C), CrowdStrike claimed, the Chinese government tasked Comac and another company, the Aviation Industry Corporation of China (Avic), with producing a domestically built version.

This is the CJ-1000AX, which seems to bear multiple similarities to the Leap-1C, including dimensions and turbofan blades. CrowdStrike said it was highly likely that Comac and Avic “benefited significantly from the cyber efforts of the MSS [Ministry of State Security], knocking several years and potentially billions of dollars off of its development time.”

A mix of CrowdStrike’s intelligence and US government reporting has shown that Beijing used a “multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage” to acquire the information it wanted.

“Specifically, state-owned enterprises are believed to help identify major intelligence gaps in key projects of significance that China’s intelligence services are then likely tasked with targeting. Based on timing and the details revealed in the DoJ indictments, they targeted firms that had technologies pertaining to the Leap-X engine and other components of the C919,” wrote the report’s authors.

“For example, the first preparatory activity in January 2010 believed to be associated with Turbine Panda targeted Los Angeles-based Capstone Turbine and began just a month after choosing CFM as its engine provider.”

Capstone was targeted through the Jiangsu MSS bureau (JSSD) using a combination of techniques, including compromising its servers, using a doppelganger site as a strategic web compromise, and DNS hijacking. Others, such as Honeywell and Safran, were targeted using two China-based advanced persistent threats (APTs), PlugX and Winnti, and a malware strain known as Sakula that is unique to a JSSD group.

At the same time, the report revealed, human intelligence (Humint) operations targeted Western aerospace firms through two cover organisations. The Humint operation included insiders and Chinese students, among them agents tasked with installing malware on Safran’s networks via a USB drive.

“It remains to be seen whether the high-level Sino-US trade negotiations will result in limiting Beijing’s ability to speed its aviation development through JVs, forced technology transfer, Humint operations, or cyber-enabled theft of IP,” CrowdStrike’s researchers concluded.

“[However] the unprecedented visibility into how the MSS and its cyber operators enhance China’s leapfrog development coming at this time is more than just a coincidence.”

Earlier in October, Context Information Security identified a newly emergent threat group – which it named Avivore – as being behind a number of supply chain attacks on Airbus, and posited links to the Chinese government based on noted similarities between its method of attack and known Chinese groups, and some other factors. Among some of the intellectual property targeted at Airbus was technical information relating to the A350 airliner, and some military projects.
