US charges two Chinese intelligence officers 'and their team of hackers'

Department of Justice charges Chinese nationals for hacks on US and French aviation companies.

Written by Catalin Cimpanu, Contributor on Oct. 30, 2018

The US Department of Justice has charged today ten Chinese nationals for conspiring to hack and steal intellectual property and confidential data from US and European companies.

Security

The DOJ says that two of the ten are Chinese intelligence officers, six served as hackers, and two were insiders at a French aerospace manufacturer.

"The charged intelligence officers, Zha Rong and Chai Meng, and other co-conspirators, worked for the Jiangsu Province Ministry of State Security ('JSSD'), headquartered in Nanjing, which is a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security ('MSS')," the DOJ said today in a press release.

US officials claim that between January 2010 to May 2015, the two JSSD intelligence officers "and their team of hackers" focused their efforts on stealing technology related to a new turbofan engine developed by an unnamed French aerospace manufacturer and a US-based counterpart.

The DOJ alleges that with help from the two insiders, the JSSD intelligence officers coordinated a team of five hackers in hacking the French company and stealing its proprietary turbofan engine technology. The two insiders, identified as Tian Xi and Gu Gen, played a central and crucial role in the hack of the French company, according to the DOJ.

US investigators say the two insiders worked for the French company's Chinese office in the city of Suzhou, in China's Jiangsu province. US officials claim that Tian infected the French company's Suzhou office network with malware it received from one of the JSSD officers, while his partner, Gu, was the one that alerted JSSD officers after foreign law enforcement notified the Suzhou office of harboring malware. The DOJ says that this tip-off allowed one of the JSSD officers and one of his hackers to delete a domain that linked the malware to the JSSD.

Furthermore, US investigators say the five hackers --identified as Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi-- also breached other aerospace companies based in Arizona, Massachusetts, and Oregon --all which manufactured parts for the turbofan engine technology they were initially tasked to steal.

Hacks spanned five years, targeted multiple companies in a coordinated manner, and employed a wide variety of techniques, ranging from infections with custom-made malware, to basic spear-phishing campaigns and to hijacking victims' official websites and using them for "watering hole" attacks.

The DOJ believes that the stolen information was used to aid an unnamed Chinese state-owned aerospace company develop "a comparable engine."

The indictment also names a sixth hacker, named Li Xiao, who worked with one of the JSSD hackers, Zhang Zhang-Gui, to hack into a San Diego-based technology company for their personal gains. Li allegedly received and used JSSD-developed malware from Zhang.

A timeline of the hacks, according to the DOJ indictment, is below:

Jan. 8, 2010 - Hackers breach Capstone Turbine, a Los-Angeles-based gas turbine manufacturer, in order to steal data and use the Capstone Turbine website as a "watering hole."
Aug. 7, 2012 to Jan. 15, 2014 - Hackers tried to hack into a San Diego-based technology company to steal commercial information and use its website as a "watering hole."
Jan. 25, 2014 - Tian plants JSSD-developed malware on the French aerospace company's Suzhou office network.
Feb. 26, 2014 - Gu alerts JSSD that foreign law enforcement has detected malware on its network. JSSD deletes crucial domain linking it to the malware.
May 2015 - an Oregon-based company that manufactured parts for the turbofan engine identified and removed the JSSD's malware from its computer systems.

According to the indictment, the ten accused are:

Zha Rong - a Division Director in the JSSD who supervised and directed human intelligence in the operation.
Chai Meng - aka "Cobain," a JSSD Section Chief who served as a point of contact with the hackers and insiders.
Zhang Zhang-Gui - aka "leanov" or "leaon," a hacker who tested spear-phishing messages and maintained some of the hacking infrastructure.
Liu Chunliang - aka "sxpdlcl," a hacker who "established, maintained, and paid for infrastructure used in multiple intrusions, deployed malware, and engaged in domain hijacking."
Gao Hong Kun - aka "mer4en7y," a hacker who operated under Liu. Involved in the Captstone Turbine hack.
Zhuang Xiaowei - aka "jpxxav," a hacker and malware developers who operated under Liu.
Ma Zhiqi - aka "Le Ma," a hacker who assisted in several hacks.
Gu Gen - an insider at the French company's Suzhou office, where he server as IT Security head.
Tian Xi - an insider at the French company's Suzhou office, where he server as product manager.
Li Xiao - a hacker friend of Zhuang. He received JSSD malware from Zhuang and used it for personal gains.

None of the 10 accused suspects are in US custody.

At the start of the month, the US also arrested and extradited a high-ranking director in China's Ministry of State Security (MSS) after the official had attempted to recruit several insiders from multiple US aviation and aerospace companies. The DOJ mentioned the arrest, but did not say that they were related.

Interesting notes:

The malware that Tian installed on the French company's Suzhou office network was the Sakula malware, the same strain of malware also used in the Anthem, OPM, and other similar hacks. The malware, a remote access trojan, is known to be a powerful tool in the arsenal of Chinese state-sponsored hackers.
One of the hacker nicknames --Gao's "mer4en7y"-- has been previously linked by a Kaspersky 2013 report to a Chinese state-sponsored group known as Winnti, universally known to be associated with Chinese state-sponsored operations focused on intellectual property theft across the globe.