Aerospace Sector Attacked by Chinese Intelligence, 10 Chinese Officers Indicted

Cybersecurity

Image via the Office of the National Counterintelligence Director.

The U.S. aerospace sector is squarely in the crosshairs of China’s intelligence organizations, supported by China’s state-owned enterprises and key state laboratories. In a nutshell, China is all-in as they target the public and private sector aspects of the aerospace industry.

Last week the U.S. Department of Justice (DOJ) indicted ten Chinese intelligence officers for espionage. The individuals attempted to recruit confidential sources to penetrate U.S. companies; to steal the intellectual property of U.S. companies; and to steal national security secrets from those companies engaged with the U.S. government – defense contractors.

China’s Ministry for State Security (MSS)

We discussed the modus operandi of the MSS, within the context MSS Deputy Division Director Yanjun Xu’s arrest, extradition to the U.S., and subsequent indictment in early October 2018. The targeted entity: GE Aerospace.

In addition, in late-September 2018, we saw the arrest of a recruited asset, a Chinese citizen employed in the Chicago area by an aerospace company. In addition, this individual, Ji Chaoqun, was a member of the U.S. Army reserves, having joined the reserves via the MAVNI program.

This recent indictment identifies several entities, some by name, others by geography, which the MSS was targeting. These included a California company, Capstone Turbine, and unidentified companies in Massachusetts, Arizona, Oregon and Wisconsin. Additionally, entities in the UK, France and Australia were also targeted.

The use of LinkedIn by the MSS has been well documented, most recently by France. They uncovered the MSS had engaged with over 4,000 French citizens in their attempt to forge relationship and acquired sensitive materials.

The discussion within the indictment reveals MSS methodology beyond the engagement with potential sources via LinkedIn. Indeed, over a five-year period, the MSS successfully defeated the cybersecurity defenses of a number of companies. The MSS hacked into company computers and networks to steal intellectual property and confidential business data. They successfully used: spear phishing, malware insertion, doppelganger domain names, dynamic domain name service account manipulation, domain hijacking, watering hole attacks, and co-opting victim company employees. Once in one company’s network, they would use that access to facilitate intrusion into other aerospace companies.

What and why of the MSS thievery

While one would be safe to assume that the theft of the intellectual property would be in support of China’s defense sector, evidence is provided which indicates that the theft was also designed to accelerate the Chinese competitiveness in the commercial aircraft market. China wished to use the stolen information to reduce their own research and development costs by millions (if not billions) of dollars, and thus have reduced sunk costs in the manufacture of their own commercial aircraft. They then take that aircraft, and directly compete in the global aerospace industry.

Insider threat program

Resident insider threat programs and data loss prevention programs should have revealed some of the early efforts by the MSS in 2010. For example, when the email account was configured on Capstone’s email server, they tested the account by sending a test spear phishing email to the personal email address of the Chinese MSS officer. This test demonstrated to the MSS they had successfully configured their resident email and that it could be used to deliver spear phishing emails both within Capstone, but also to other companies, which is exactly what they did. It was within these emails that doppelganger domain names were used – capstoneturbine became capstonetrubine.  When the user clicked on the link to read the referenced item, the malware placed in the “watering hole” was on its way to the targeted entity/individual.

With the use of DDNS and doppelganger domain names, both tools of cybercriminals for years, it would seem the need for defense contractors, not just those in the aerospace sector, to engage in a bit of self-monitoring by their counterintelligence teams would prudent.

The U.S. DOJ has been unleashed to pursue the prosecution of China’s intelligence activities in the U.S. We can expect more indictments and criminal complaints like this one in the future as the counterintelligence entities within the U.S. knuckle down and close the pipeline of information flowing to China.

In doing so, perhaps the clandestine theft of F-35 stealth fighter information, which was instrumental in the creation of the Chinese J20 stealth fighter, can be stemmed.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).

More in Cybersecurity