U.S. Indicts 9 Chinese Cyber Spies

Hackers targeted U.S. turbofan jet engine tech for Chinese jetliner


The Justice Department on Tuesday announced the indictment of nine people linked to a Chinese cyber intelligence operation targeting aerospace technology.

The nine people, including intelligence officers, state-controlled hackers, and recruited agents inside companies, were linked to computer intrusions at U.S. and European companies and the theft of turbofan jet engine technology used in commercial airliners.

The operation was directed by cyber spies operating out of the Jiangsu Province branch of the Ministry of State Security, the civilian spy service, based in Nanjing, China, and known as the JSSD.

Two MSS officers indicted in the case were identified as Zha Rong and Chai Meng, who worked with state-controlled Chinese hackers and insiders working for targeted aerospace companies.

The members of the MSS hacker team under the direction of the two MSS officers were identified as Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi.

The Justice Department did not say where the nine people are or whether any have been arrested.

"From January 2010 to May 2015, JSSD employees, along with individuals working at the direction of the JSSD, conspired to steal sensitive commercial technological, aviation, and aerospace data by hacking into computers in the United States and abroad," states the indictment dated Oct. 25 and unsealed on Tuesday.

The cyber espionage indictment followed the unprecedented arrest earlier this month of an MSS operative from the Jiangsu MSS, Yanjun Xu, who was extradited to the United States from Belgium.

Xu was not named in the indictment, indicating he may not be related to the case announced Tuesday. However, it is possible he may have given up the names of the MSS cyber espionage network.

The Justice Department said in a statement that the targeted jet engine technology was being developed jointly between U.S. and French companies.

The French firm was operating in Suzhou, Jiangsu province, China. Only one of the companies, Capstone Turbine, was identified by name.

Two indicted Chinese hackers, Gu Gen and Tian Xi, "hacked the French aerospace manufacturer" with the assistance of the MSS, the statement said.

"The hackers also conducted intrusions into other companies that manufactured parts for the turbofan jet engine, including aerospace companies based in Arizona, Massachusetts, and Oregon," the Justice statement said.

As the intrusions took place, a Chinese state-owned aerospace company was working on building a comparable jet engine for use in a Chinese-made commercial airliner.

Another hacker, Zhang Zhang-Gui, and Chinese national Li Xiao were charged in a separate hacking operation that gained access to a San Diego-based technology company.

"For the third time since only September, the National Security Division, with its U.S. Attorney partners, has brought charges against Chinese intelligence officers from the JSSD and those working at their direction and control for stealing American intellectual property," said John C. Demers, assistant attorney general for National Security.

"This is just the beginning. Together with our federal partners, we will redouble our efforts to safeguard America’s ingenuity and investment," he added.

The indictment is the latest incident in increasingly tense relations between Washington and Beijing.

President Trump has imposed $200 billion in tariffs on Chinese goods as a result of what the Trump administration has said are China's unfair trade practices and illicit theft of American technology.

The president has vowed to keep pressuring Beijing and may add another $250 billion in tariffs.

The Chinese hacking operation used various techniques, including spear phishing emails and multiple strains of malicious software that allowed the hackers to gain access to company computer networks.

The hackers also used hijacked company websites known as "water holes" that draw unsuspecting computer operators to the sites and fool them into giving up network access credentials.

The first hack took place around Jan. 8, 2010, against Capstone Turbine, a Los Angeles gas turbine manufacturer.

The San Diego technology company was targeted by Chinese intelligence from August 2012 to January 2014 in a watering hole attack aimed at stealing commercial data.

The Chinese also were able to co-opt company employees in conducting the cyber economic espionage.

Two Chinese nationals working for Tian and Gu worked for the French aerospace company in Suzhou.

Using MSS-supplied malware, Tian infected the French company's computers and gained access. Gu, identified as the head of Information Technology and Security at the French company facility in Suzhou, notified the Chinese intelligence group that the malware had been detected on the company computers.

The case appears to have been uncovered in May 2015 after an Oregon company that built parts for turbofan jet engines identified the Chinese malware and removed it from its networks.

The FBI's San Diego office conducted the investigation and the case is being prosecuted by the office of the U.S. Attorney for the Southern District of California.

Other companies listed in the indictment that were targeted and hacked were identified as a Massachusetts-based aerospace company; a British aerospace company with offices in Pennsylvania; a British aerospace company with offices in New York; a multinational conglomerate that produces commercial and consumer products and aerospace systems; a French aerospace firm; an Arizona-based aerospace firm; an Oregon-based aerospace supplier; a critical infrastructure company in San Diego; a Wisconsin-based aerospace company; and an Australian domain registrar.

For Capstone, the Chinese used malware called "Winnti" that sent a "beacon" to alert the hackers that the malware had been successfully installed. In another case, the Chinese used "Sakula" and "PlugX" malware.

The detection of the computer intrusions outlined in the indictment indicates that the U.S. government had been surveilling the Chinese hacking activities as they were carried out.

In a text message indicating malware had been planted in one of the targeted computers, Tian told a Chinese intelligence officer, "The horse was planted this morning." The officer responded: "I briefed Zha about the incident in Suzhou."