
Attacks/Breaches

10/31/2018
05:15 PM

Chinese Intel Agents Indicted for 5-Year IP Theft Campaign

Intelligence agents aimed for aerospace manufacturing targets, with help of cyberattackers, corporate insiders, and one IT security manager.

Chinese intelligence agents – as well as cyberattackers and corporate insiders working at their direction – were indicted for a series of intrusions and intellectual property thefts that targeted American and European aerospace companies for at least five years.

According to an indictment unsealed by the US Department of Justice Tuesday, the attacks were directed by agents from the Jiangsu Province Ministry of State Security (JSSD), which is a provincial foreign intelligence arm of the People’s Republic of China’s Ministry of State Security. Specifically, JSSD divisional director Zha Rong allegedly oversaw the operation and recruited corporate insiders. In addition, JSSD section chief Chai Meng served as the main point of contact for Liu Chunliang, a cyberattacker who coordinated the work done at the JSSD's behest and paid for the attack infrastructure.

In all, the group successfully infiltrated 13 companies, according to the indictment. However, the attacks centered on locating and stealing information related to a turbofan engine used in commercial airliners in the US and Europe. The turbofan was developed jointly by a US-based company and a French aerospace manufacturer with an office in Suzhou, in the Chinese province of Jiangsu. A Chinese state-owned company was working to build a similar engine at the time, according to the indictment.

Two employees of the French manufacturer's Suzhou office were named in the indictment: Tian Xi and the company's IT and security manager, Gu Gen, both of whom were reportedly recruited by Zha. Among other things, Tian installed the Sakula malware on the company's computers, and Gu tipped off fellow conspirators when law enforcement had detected malware on the systems, so the group could take action to minimize its exposure.

The attackers and malware developers who allegedly worked under the coordination of Liu were Zhang Zhang-Gui, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. 

From at least January 2010 to May 2015, the group used a variety of methods to compromise the 13 target companies: spear-phishing, watering hole attacks, domain hijacking, dynamic DNS, doppelganger domain names, help from malicious insiders, and a range of malware, including Sakula, IsSpace, Winnti, and PlugX.
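Of the techniques listed above, doppelganger domains (a lookalike of a legitimate domain, classically one that drops the dot between subdomain and domain, so mail.example.com becomes mailexample.com) are cheap to register and easy to miss in mail logs. The following Python script is an added example, not code from the article or from the indictment: it generates lookalike variants of an organization's own domains (missing-dot doppelgangers, single-character omissions, adjacent transpositions, common homoglyph swaps, TLD swaps) and flags mail-log sender domains that match. The domain names and the Postfix-style log lines are constructed for the example.

```python
"""Flag sender domains in a mail log that look like doppelgangers of an
organization's own domains. Added example; the domains and log lines below
are constructed, not taken from the indictment."""
import re

# Constructed: the organization's legitimate domains (hypothetical names).
LEGIT_DOMAINS = ["example-aero.com", "mail.example-aero.com", "suzhou.example-aero.com"]

# Character sequences attackers commonly swap because they look alike.
HOMOGLYPHS = {"rn": "m", "m": "rn", "l": "1", "1": "l", "o": "0", "0": "o",
              "vv": "w", "w": "vv", "cl": "d"}

# Top-level domains an attacker might register the same name under.
TLD_SWAPS = ["com", "net", "org", "co", "cn"]

# Constructed Postfix-style queue-manager lines; three senders are lookalikes.
SAMPLE_LOG = [
    "Mar 12 09:14:02 mx1 postfix/qmgr[1234]: 7A1B2: from=<engineer@example-aero.com>, size=4521",
    "Mar 12 09:15:44 mx1 postfix/qmgr[1234]: 7A1B3: from=<hr@mailexample-aero.com>, size=9802",
    "Mar 12 09:17:10 mx1 postfix/qmgr[1234]: 7A1B4: from=<it-support@exarnple-aero.com>, size=7710",
    "Mar 12 09:18:31 mx1 postfix/qmgr[1234]: 7A1B5: from=<news@vendor-partner.net>, size=1203",
    "Mar 12 09:19:05 mx1 postfix/qmgr[1234]: 7A1B6: from=<admin@example-aero.cn>, size=3310",
]

SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def doppelganger_variants(domain):
    """Return lookalike variants of a dotted domain (original excluded).

    Covers missing-dot doppelgangers (mail.example.com -> mailexample.com),
    single-character omissions, adjacent transpositions, homoglyph
    substitutions in the registrable label, and TLD swaps.
    """
    parts = domain.lower().strip(".").split(".")
    labels, tld = parts[:-1], parts[-1]
    base, prefix = labels[-1], labels[:-1]
    variants = set()

    def with_base(new_base):
        return ".".join(prefix + [new_base, tld])

    for i in range(len(labels) - 1):          # missing dot between labels
        joined = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(joined + [tld]))
    for i in range(len(base)):                # one character dropped
        if len(base) > 1:
            variants.add(with_base(base[:i] + base[i + 1:]))
    for i in range(len(base) - 1):            # adjacent characters swapped
        variants.add(with_base(base[:i] + base[i + 1] + base[i] + base[i + 2:]))
    for src, dst in HOMOGLYPHS.items():       # each homoglyph position, one at a time
        idx = base.find(src)
        while idx != -1:
            variants.add(with_base(base[:idx] + dst + base[idx + len(src):]))
            idx = base.find(src, idx + 1)
    for alt in TLD_SWAPS:                     # same name, different TLD
        if alt != tld:
            variants.add(".".join(labels + [alt]))
    variants.discard(domain.lower())
    return variants


def build_watchlist(legit_domains):
    """Map every lookalike variant to the legitimate domain it imitates."""
    watch = {}
    for legit in legit_domains:
        for variant in doppelganger_variants(legit):
            watch.setdefault(variant, legit)
    return watch


def scan_mail_log(lines, watchlist, legit_domains):
    """Return (sender_domain, imitated_domain) for each lookalike sender."""
    legit = {d.lower() for d in legit_domains}
    hits = []
    for line in lines:
        match = SENDER_RE.search(line)
        if not match:
            continue
        sender_domain = match.group(1).lower()
        if sender_domain in legit:
            continue                          # genuine internal sender
        if sender_domain in watchlist:
            hits.append((sender_domain, watchlist[sender_domain]))
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(LEGIT_DOMAINS)
    for sender, imitated in scan_mail_log(SAMPLE_LOG, watchlist, LEGIT_DOMAINS):
        print(f"lookalike sender {sender} imitates {imitated}")
```

The match is exact against the generated variant set, so it catches only the variant classes it enumerates; in practice the same watchlist is worth running against newly registered domains and DNS query logs as well as inbound mail, and a hit on a missing-dot doppelganger is worth treating as both a phishing indicator and a sign that internal users may be mistyping the real domain and leaking mail to it.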

The first company, Los Angeles-based gas turbine manufacturer Capstone Turbines, was infiltrated in January 2010. The attackers set up a fraudulent email account on a Capstone server, compromised its Web server, and used its website for watering hole attacks.

By 2013, the conspirators were closer to the turbofan manufacturer when Tian and JSSD's Zha allegedly staged a meeting in a restaurant to exchange a Trojan horse. "I'll bring the horse [i.e., Trojan horse malware] to you tonight," Zha wrote to Tian. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello."

Liu and Zhang are also charged in a separate attack, which used variants of malware developed for the Capstone Turbines attack to compromise a San Diego-based technology company. 


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

Joe Stanganelli, 10/31/2018 | 11:27:35 PM
SMCI, FWIW
Just putting this out there. For all the doubt and dubiousness out there about Bloomberg's Supermicro story, the fact that these types of intricate, coordinated, in-depth, deep-cover IP-theft campaigns are conducted by nation-state actors so as to fully understand US technology as deeply as possible means that it is thoroughly feasible that hardware firms have been infiltrated such that nation-state actors understand the technology enough to custom-develop chips to be discreetly added on to those firms' hardware.

Harder to do and more expensive and resource-intensive? Sure. Is doing it through firmware easier? You bet. But it's also way harder to detect. At a certain point, the only counter-attack to defense in depth is offense in depth.