The Department of Justice (DOJ) announced the indictment on Tuesday.
The unsealed indictment, dated 25 October, says that for more than five years – between January 2010 and May 2015 – two Chinese Ministry of State Security (MSS) spies headed up a team of hackers focused on stealing designs for the turbofan engine, as well as stealing intellectual property and confidential business information.
The engine was being developed by a French aerospace company that has an office in Suzhou, Jiangsu province, China, alongside a US-based company. The US alleges a vast conspiracy carried out by the MSS via the Jiangsu Province Ministry of State Security (JSSD): one of its provincial foreign intelligence arms.
The JSSD allegedly recruited insiders to hack the French aerospace company, as well as conducting cyber-raids on other US companies in the same industry that are based in Arizona, Massachusetts and Oregon, as well as UK companies with presences in the US.
The DOJ says that JSSD recruited two Chinese nationals, Tian Xi and Gu Gen. Gu was high up and in deep at the French company: he was, in fact, its IT infrastructure and security manager. Tian was a product manager at the same company.
In January 2014, Tian allegedly infected one of the French company’s computers with the remote access trojan (RAT) Sakula.
The Sakula RAT used against the French aerospace company was allegedly supplied by a JSSD officer. A month later, Gu gave the conspirators a heads-up when foreign law enforcement notified the company of the existence of malware on company systems.
That same day, leveraging that tip-off, one of the JSSD intelligence officers, Chai Meng, and one of the agency’s hackers, Liu Chunliang, allegedly tried to cover the JSSD’s tracks by deleting the domain linking the malware to an account controlled by the conspirators.
At the same time that the conspirators were allegedly stealing intellectual property, a Chinese state-owned aerospace company was working on developing its own engine for commercial aircraft manufactured in China and elsewhere, the DOJ says.
The indictment, in the Southern District of California, says that the JSSD’s intelligence officers and hackers masterminded a series of intrusions in order to steal non-public commercial and other data. Their techniques included spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies’ own websites as watering holes to compromise website visitors’ computers, and domain hijacking through the compromise of domain registrars.
The first company to be victimized was Capstone Turbine, a Los Angeles-based gas turbine manufacturer. It was first infiltrated in January 2010, with the conspirators allegedly stealing data and turning the company’s website into a watering hole – in other words, planting malware that would infect the computers of site visitors.
The hacking continued through at least May 2015, when an unnamed, Oregon-based aerospace company identified malware and scrubbed it from its computer systems.
Two of the defendants – Zhang Zhang-Gui and Li Xiao, allegedly members of the JSSD’s hacking team – are also being charged in a separate conspiracy that involved attacking an unnamed, San Diego-based technology company “for their own criminal ends.”
According to the US, Zhang-Gui shared malware variants with his friend, Li Xiao, that were based on the same malware supplied by the JSSD and used on Capstone Turbine. The attack on the San Diego company went on for more than one and a half years, with repeated intrusions causing thousands of dollars of damage to its computers, the indictment says.
The latest indictment is only one of a string of such, the DOJ noted., and we’re not at the end of it yet. John C. Demers, Assistant Attorney General for National Security, said in the DOJ’s announcement that this is the third time since only September that the National Security Division and US attorneys have brought charges against Chinese intelligence officers from the JSSD and those working for them as they steal US intellectual property. Stand by, he said – at the rate this is going, there’ll likely be plenty more in store:
This is just the beginning. Together with our federal partners, we will redouble our efforts to safeguard America’s ingenuity and investment.