Cyber espionage campaign helped China acquire intellectual property behind C919 airplane

CrowdStrike claims Chinese authorities largely stole the technology behind China's first passenger airliner, the Comac C919

A coordinated cyber espionage campaign running over several years helped China to acquire intellectual property needed to design and build its own C919 airplane.

That's according to a report by CrowdStrike [PDF], which claims that this particular cyber espionage campaign was part of China's coordinated effort to bridge the technology gap in the aviation industry and to help the Commercial Aircraft Corporation of China (Comac) build its C919 airplane.

According to CrowdStrike, the ambitious hacking operation also saved billions of dollars for the Asian giant by copying technical details of the components that were eventually used in the C919 airliner.

The development of China's Comac C919 twinjet aircraft was started in 2008, and after several delays, the plane finally completed its maiden flight in 2017. Although the C919 is touted as a China-made airliner, it uses a large number of components supplied by aerospace companies from North America and Europe.

According to CrowdStrike, between 2010 and 2015, its researchers tracked a Chinese hacking group it dubbed Turbine Panda, which carried out a series of cyber attacks against a number of hi-tech companies that supplied components for the C919 plane.

The report claims that responsibility for carrying out the operation fell to the Jiangsu Bureau (JSSD), which was selected by the Ministry of State Security (MSS) for this particular operation.

To coordinate cyber espionage efforts, JSSD selected two lead officers: one was tasked with recruiting insiders working at foreign aviation firms, while the other was in charge of the hacking team (Turbine Panda).

Between 2010 and 2015, the Turbine Panda group successfully breached C919 suppliers, including Safran, Capstone Turbine, Ametek, Honeywell, GE, and others. It deployed malware, such as PlugX, Sakula, and Winnti, on their machines, which was then used to search for intellectual property and exfiltrate their trade secrets to remote servers.

In some cases, insiders were also used to plant malware, such as Sakula, on targets' networks, largely via USB drives.

In 2016, after about six years of persistent hacking, the Aero Engine Corporation of China (AECC) unveiled a new home-made CJ-1000AX engine that was set to replace the C919 engine from CFM.

According to CrowdStrike, the CJ-1000AX engine showed many similarities to the LEAP-1C and LEAP-X engines produced by CFM International, the foreign contractor that supplied turbine engines for the C919.

CrowdStrike researchers believe it is likely that Comac and the Aviation Industry Corporation of China "benefited significantly from the cyber efforts of the MSS [Ministry of State Security], knocking several years and potentially billions of dollars off of its development time."

US authorities have arrested at least four individuals so far in connection with China's aero-industry hacking campaign.

One of them is Xu Yanjun, the officer who is thought to have been in charge of recruiting insiders at targeted aerospace firms.

Yu Pingan, the developer of the Sakula malware, was arrested by the FBI in 2017 while attending a security conference in the US.