Cyber Theft, Humint Helped China Cut Corners on Passenger Jet

Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.

When Chinas domestically built C919 airplane becomes commercially available sometime in the next few years, many of the components in the plane will be based on designs and intellectual property that were likely copied from other manufacturers around the world.
That assessment from CrowdStrike is based on information pieced together from multiple recent US Department of Justice indictments and from the security vendors own tracking of Turbine Panda, a China government-backed cyber espionage group that has been targeting aerospace companies since 2010.
The narrow-body C919 twinjet airliner is Chinas first homemade commercial jet and represents part of a broader Made in China 2025 initiative that is designed to make the country self-reliant in several key industries. The plane completed its maiden voyage in 2017 and is expected to hit the market at about half the cost of competitive products from the Western aerospace duopoly of Boeing and Airbus.
At least some of that will be because Turbine Panda and several other operatives helped its manufacturer — the Commercial Aircraft Corporation of China (COMAC) and the Aviation Industry Corporation of China (AVIC) — cut corners.
China is not unique in targeting aerospace companies in the US and elsewhere. Adam Meyers, vice president of intelligence at CrowdStrike, says his firm is currently tracking 40 active threat groups targeting the sector including those from China, Russia, India, Iran, and North Korea.
This is a complex problem, to address he says. Campaigns involving theft of IP and trade secrets can involve cyber operations, human intelligence, and support from national level intelligence services. There is no easy short answer, Meyer says. It needs to be addressed across public and private sector stakeholders.
According to CrowdStrike, its own intelligence and information in US DOJ indictments against key Chinese operatives in 2017 and 2018 suggest that one area where China appears to have especially benefited from outside IP is the C919s engine.
Soon after plans for the C919 were announced back in 2010, COMAC and AVIC were tasked with developing an indigenously built turbofan engine for the plane comparable to LEAP-X, an engine from GE Aviation and French aerospace company Safran. The resulting CJ-1000AX engine, which underwent formal tests last year, has multiple similarities to LEAP X, including in its dimensions and turbofan blades, CrowdStrike says.
It is difficult to assess that the CJ-1000AX is a direct copy of the LEAP-X without direct access to technical engineering specifications, CrowdStrike said in a
report
this week stitching together the DOJ information and its own research. But it is highly likely that its makers benefited significantly from Turbine Pandas cyber espionage efforts on behalf of the Jiangsu Bureau of Chinas Ministry of State Security (MSS), the vendor said.
The information that Turbine Panda and others collected from companies that have technologies pertaining to the LEAP-X engine has helped China knock off years in development time, and potentially billions of dollars in research in developing the CJ-1000AX engine, according to CrowdStrike.
Signs of Turbine Panda Activity
Signs of Turbine Pandas involvement go back to 2010 when China first announced plans for the C919 commercial jet. DOJ documents show soon after the announcement, Turbine Panda was involved in a cyberattack on Capstone Turbine, a Los Angeles-based gas turbine manufacturer. In a
February 2014
blog, CrowdStrike then drew a connection between a Turbine Panda attack on French aerospace firm Safran and one against Capstone Turbine in 2012. The blog exposed some of Turbine Pandas operations prompting the group to take evasive action, says Meyers.
Between 2010 and 2015 Turbine Panda and others working for the Jiangsu Bureau of the MSS targeted a variety of aerospace-related organizations. Among those targeted were Honeywell, Ametek, and Safran. In many of the attacks, the China-based cyber operatives used the PlugX, Winnti, and Sakula remote-access Trojans to try and steal from victims, CrowdStrike said.
In addition to the cyber efforts, Beijing operatives were engaged in a massive human intelligence (aka humint) campaign focused on stealing information that could help with the C919 project. While one arm of Chinas intelligence apparatus identified key technology gaps in the C919 program, another focused on efforts to obtain those technologies via cyber and humint efforts, CrowdStrike said.
The human intelligence efforts included one by a now-indicted MSS intelligence officer to recruit an insider at LEAP-X manufacturer General Electric. The same officer also recruited a China-born US Army reservist who was an expert at assessing turbine engine schematics.
So far, at least four individuals have been arrested in connection with Chinas campaign targeting aerospace companies. Among them is Xu Yanjun, the MSS officer who was allegedly in charge of recruiting insiders at targeted aerospace firms, and Yu Pingan, the developer of the Sakula RAT who was arrested while attending a security conference in the US. Yus arrest prompted the MSS to issue strict orders to security researchers in the country not to attend overseas conferences or Capture the Flag events, CrowdStrike reported.
Though Xus arrest in particular is likely especially significant, it is unlikely to deter Chinas attempts to leap-frog development in technology areas the country perceives as being of strategic importance, CrowdStrike said.
Related Content:
Public Exposure Does Little to Slow China-Based Thrip APT
Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool
APT3 Threat Group a Contractor for Chinese Intelligence Agency
7 Signs of the Rising Threat of Magecart Attacks in 2019
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
A Murderers Row of Poisoning Attacks
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cyber Theft, Humint Helped China Cut Corners on Passenger Jet