The US Justice Department has charged two Chinese spies with stealing jet engine blueprints through a series of online hacks over the course of five years.
Zha Rong and Chai Meng work for the Chinese government's state security ministry (JSSD), the US government claims, and collaborated with six hackers and two moles at the Chinese office of a French aerospace company to steal the plans, the indictment reveals.
The spies used a variety of online hacking techniques including spear phishing, malware and domain hijacking to steal employee logins and hack their way further into the company's computer systems - as well as those of a number of other aerospace companies based in the United States.
Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?READ MORE
The hacking process was carefully planned and long-lived. Initially they registered domain names very similar to those of legitimate aerospace companies (for example 'capstonetrubine.com' for Capstone Turbine (the 'u' and 'r' being transposed)) and then sent emails to specific employees from email accounts associated with those domains, so legitimate employees thought they were real.
Once the hacking team had employee logins, they created legitimate email accounts and used them to contact others. There were a few mistakes that investigators found, including that one of the hackers used his own personal email account to test the new legitimate email account.
They then installed malware on different companies' servers to pull off a so-called "watering hole" attack where it tracked and hacked visitors to the company's real website. They also compromised an unnamed Australian registrar to redirect real companies' domains.
Start your engines
Although the French company is unnamed in the indictment [PDF], it is almost certainly Safran, which has been working with General Electric in the US to develop a new type of engine, LEAP, for large commercial jetliners.
The Sakula malware was installed on the systems of Safran's Chinese subsidiary directly by employees. Sakula is the same malware that was used to hack the US Office of Personnel Management (OPM) last year, again apparently by a Chinese spy.
Eventually, over the course of five years, the hacking team was able to gain access to systems run by other aerospace companies based in Arizona, Massachusetts and Oregon that manufactured parts of the turbofan jet engine and grab confidential plans. China currently buys its jet engines from the US and Europe and has been trying for years to produce its own domestic jet engine.
It's not clear when the US authorities grew aware of the hacking efforts but they were then able to get hold of text messages from the Chinese spies that confirmed the conspiracy – presumably through one of the NSA's mass surveillance programs.
Those text messages form part of the indictment. A notable one is in 2014 when the one of the Chinese spies asked the hacking team if they had recently sent a spear phishing email out because his mole inside Safran told him that the company management has just warned employees to look out for fake emails.
"I just met with Xiao Gu. Gu said that [Safran] was warning people about a fake email from company top management. Did you guys write the email?" One of the hacking team got back: "We sent a fake email pretending to be from network management. "
The US government named the hackers it claims are responsible: Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. It named the two Chinese citizens that worked at Safran's Chinese office that assisted the hackers as Tian Xi and Gu Gen.
"State-sponsored hacking is a direct threat to our national security," said U.S. Attorney Adam Braverman. "The concerted effort to steal, rather than simply purchase, commercially available products should offend every company that invests talent, energy, and shareholder money into the development of products."
Earlier this month, the DoJ announced that a JSSD intelligence officer has been extradited to Ohio on related charges and in September in Illinois, a US Army recruit was charged with working as an agent of a JSSD intelligence officer.
China, for its part, claims that the indictment and the accusations of spying within it are "pure fiction and totally fabricated." ®
Sponsored: Ransomware has gone nuclear