
US Again Indicts Chinese Intel Agents Over Hacking

Scheme Sought to Steal Data on Turbofan Engines, Saving on Development Costs
Indictments against Chinese intelligence officers and associates may signal a breach of an agreement reached on intellectual property hacking between former President Barack Obama and Chinese President Xi Jinping. (Source: The White House)

The Justice Department says two Chinese intelligence officers and eight others were indicted for stealing trade secrets intended to help the country shortcut the development of a turbofan airplane engine plus other technology.

A grand jury indicted the group in June 2017, but the indictment was only filed in federal court in San Diego on Oct. 18. The department announced it on Tuesday.

The indictment comes as tension over intellectual property hacking has risen again between the U.S. and China. That's despite a landmark agreement struck in September 2015 between U.S. President Barack Obama and Chinese President Xi Jinping, which aimed to put intellectual property off-limits for cyber spies (see: U.S., China Reach Cyber Agreement).

Prosecutors allege the group used a variety of techniques, ranging from spear phishing to malware to bogus lookalike domains, to gain deep access into 13 companies, including Capstone Turbines of Los Angeles.

Most of the companies are unnamed aerospace suppliers. Two are in the U.K., one is in France and the rest are in U.S. states, including Arizona, Massachusetts, Oregon, Wisconsin and California. The hacking was allegedly aimed at allowing for the development of similar turbofan engines within China without incurring research and development costs.

The indictment marks the third time since September that the U.S. has brought charges against Chinese intelligence officers and other associates for alleged theft of intellectual property.

Familiar Attack Playbook

The officers, Chai Meng and Zha Rong, work for the Jiangsu Province Ministry of State Security in Nanjing. The department is a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security, the Justice Department says.

The two men are accused of orchestrating an extensive scheme, running from January 2010 to May 2015, that recruited other hackers to gain access to companies and recruited insiders to plant malware.

They used a familiar playbook, the indictment indicates.

"The hackers used a range of techniques, including spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies' own websites as 'watering holes' to compromise website visitors' computers, and domain hijacking through the compromise of domain registrars," the indictment says.

The malware included Sakula, IsSpace, Winnti and PlugX.

'I'll Bring The Horse'

Chinese intelligence managed to recruit two employees of an unnamed French aerospace company that had an office in Suzhou, which is in Jiangsu province, prosecutors allege.

One of the men, Gu Gen, was the company's infrastructure and security manager, and another, Tian Xi, was a product manager. Both are named in the indictment.

Prosecutors allege that a Jiangsu Province Ministry of State Security officer met with Tian at a restaurant in Suzhou in mid-November 2013. Later that month, prosecutors say the officer set up a plan to meet Tian and give him Trojan horse malware to be installed on the French company's systems.

"I'll bring the [Trojan] horse to you tonight," the indictment quotes the intelligence officer as saying. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello. This way we don't need to meet in Shanghai."

In January 2014, Tian allegedly texted the intelligence officer: "The horse was planted this morning."

Recent Charges

On Oct. 10, the Justice Department announced that an alleged Chinese Ministry of State Security officer had been charged with economic espionage and attempting to steal trade secrets.

The man, Yanjun Xu, was arrested in Belgium and extradited to the U.S. He's accused of stealing data from "multiple U.S. aviation and aerospace companies."

Although computer security experts noticed a decline in Chinese activity following the agreement with the U.S. in 2015, incidents such as the case against Xu suggest the environment is changing again.

In the press release about Xu's arrest, Assistant Attorney General for National Security John C. Demers said: "This case is not an isolated incident. It is part of an overall economic policy of developing China at American expense."

The Justice Department also says that in September, a U.S. Army recruit was charged with allegedly working "as an agent of a JSSD intelligence officer, without notification to the Attorney General."


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



