Federal prosecutors on Tuesday unveiled charges against two Chinese government intelligence officers and eight alleged co-conspirators accused of carrying out computer intrusions at 13 companies to steal designs for a dual-flow engine used in commercial aircraft.
A 21-page indictment filed in US District Court for the Southern District of California said that the Jiangsu Province Ministry of State Security, a branch of the Ministry of State Security of the People's Republic of China, led the five-year campaign. According to the indictment, between January 2010 and May 2015, the team allegedly used a wide range of methods to penetrate the computer networks of companies involved in manufacturing aerospace products and turbines and in Internet and technology services. Their main objective was to steal data that would allow a Chinese government-owned company to design its own airliner. With the exception of Capstone Turbines, an LA-based gas turbine manufacturer, the targeted companies were not identified by name and were referred to only as Companies A through L.
"The conspiracy members were targeting, among other things, data and information relating to a dual-flow engine used in commercial airliners," wrote the prosecutor in the previous indictment. "At the time of the intrusions, a Chinese state-owned aerospace company was working to develop a comparable engine for commercial aircraft built in China and elsewhere."
The turbofan engine targeted by the conspiracy members was developed as part of a partnership between Company I and a US-based aerospace company. As described below, the conspiracy members hacked Company I and other companies manufacturing parts for the turbojet engine, including Companies A, F and G, in order to steal sensitive data from those companies that could be used by Chinese entities to build the same or a similar engine without incurring substantial research and development expenditures.
The alleged conspirators combined various hacking techniques into an extremely effective campaign. According to the indictment, they registered "doppelganger" domain names, such as capstonetrubine.com, which closely resemble the legitimate domain names of aerospace companies. In other cases, prosecutors said, the accused infected the companies' actual websites. They then turned the malicious domains into watering holes by sending phishing emails aimed at directing targets to the infected or doppelganger websites. When the targets complied, they were infected.
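One way a defender could spot doppelganger domains like the one named in the indictment is to compare names seen in resolver logs against the organization's own domains using an edit distance that counts an adjacent-letter swap as a single change. The sketch below is an added example, not taken from the indictment or the article; the legitimate spelling capstoneturbine.com, the log format and the log lines are assumptions constructed for illustration.

```python
# Added example: flag queried domains that are near-misses of protected ones.
PROTECTED = ["capstoneturbine.com"]  # assumption: the legitimate spelling

# Constructed resolver log lines: "<timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2015-01-05T09:12:01Z 10.0.4.17 capstoneturbine.com
2015-01-05T09:12:44Z 10.0.4.22 www.capstonetrubine.com
2015-01-05T09:13:10Z 10.0.4.31 example.org
2015-01-05T09:14:02Z 10.0.4.22 capstoneturbines.com
"""

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped pair
    return d[-1][-1]

def registered_part(name):
    """Naive last-two-labels reduction; suffixes such as .com.au would
    need a public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(log_text, protected=PROTECTED, max_dist=2):
    """Return (client, queried domain, protected domain, distance) tuples
    for near-miss names; exact matches (distance 0) are legitimate."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        domain = registered_part(qname)
        for good in protected:
            dist = osa_distance(domain, good)
            if 0 < dist <= max_dist:
                hits.append((client, domain, good, dist))
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(hit)
```

A plain Levenshtein distance would score the swapped "ru"/"ur" pair as two edits, so the transposition case is what keeps the threshold tight enough to avoid flagging unrelated names.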
Taking a cue from the Syrian Electronic Army
In August 2013, one named defendant sent another a news article explaining how a group of hackers calling themselves the Syrian Electronic Army had hacked into an Australian domain registrar in order to facilitate other hacks. (Although the indictment does not provide details, the incident almost certainly involved the group's hijacking of nytimes.com, carried out by first hacking Melbourne IT, the Australia-based domain registrar for nytimes.com.) Members of the conspiracy then used the same tactic to hack the Australian registrar again, this time to hijack the domain names of one of the targeted technology companies.
In addition to spear phishing, watering holes, malware and domain hijacking, the accused also recruited employees from some of the targeted companies to infect corporate networks and provide information about investigations. One of the defendants, Gu Gen, was a Chinese infrastructure and security officer working in the Suzhou, Jiangsu Province, office of a targeted French aerospace manufacturer. In January 2014, conspiracy members allegedly infected a company laptop computer of Gu's with a malicious program called Sakula, which communicated with the domain ns24.dnsdojo.com. A month later, US law enforcement authorities discovered the infection and informed the French authorities.
"The French are asking Little Gu [Company I's IT manager] to review the file: ns24.dnsdojo.com," said a Chinese intelligence officer in a text to one of the defendants, according to the indictment. "Do you guys care?" A few hours later, prosecutors said, a conspiracy member deleted the ns24.dnsdojo.com domain name to prevent the plot from being revealed.
The indictment marks the third time since September that federal prosecutors have named Chinese intelligence officers as criminal defendants in cases involving US companies.
"This is just the beginning," John C. Demers, Deputy Attorney General for National Security, said in a statement. "We will redouble our efforts to preserve America's ingenuity and investments with our federal partners."