Feds say campaign hacked 13 firms in bid to help Chinese state-owned aerospace company.

An alleged hacking conspiracy targeted designs for a turbofan engine similar to this one.

Federal prosecutors on Tuesday unsealed charges that accused two Chinese government intelligence officers and eight alleged co-conspirators of conducting sustained computer intrusions into 13 companies in an attempt to steal designs for a turbofan engine used in commercial jetliners.

A 21-page indictment filed in US District Court in the Southern District of California said the Jiangsu Province Ministry of State Security, an arm of the People’s Republic of China’s Ministry of State Security, directed the five-year campaign. According to the indictment, between January 2010 and May 2015, the team allegedly used a wide range of methods to break into the computer networks of companies involved in aerospace and turbine manufacturing and Internet and technology services. Their primary goal was stealing data that would allow a Chinese government-owned company to design its own jetliner. With the exception of Capstone Turbines, a Los Angeles-based gas turbine maker, other targeted companies weren’t identified by name and were referred to only as companies A through L.

“Members of the conspiracy targeted, among other things, data and information related to a turbofan engine used in commercial jetliners,” prosecutors wrote in the superseding indictment. “At the time of the intrusions, a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.” The indictment continued:

The turbofan engine targeted by members of the conspiracy was being developed through a partnership between Company I and an aerospace company based in the US. As described herein, members of the conspiracy hacked Company I and other companies that manufactured parts for the turbofan engine, including Companies A, F, and G, to steal sensitive data from these companies that could be used by Chinese entities to build the same or similar engine without incurring substantial research and development expenses.

The alleged conspirators combined a variety of hacking techniques to mount a highly effective campaign. According to the indictment, they registered “doppelganger” domain names such as capstonetrubine.com that closely resembled the legitimate domain names of aerospace companies. In other cases, prosecutors said, the defendants infected the websites of real companies. They then allegedly turned the malicious domains into watering holes by sending spear phishing emails that directed targets to visit the doppelganger or infected websites. When targets complied, they were infected.
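
For defenders, a doppelganger domain like the one quoted above is usually one edit away from the real name, which makes it detectable in DNS or proxy logs. The following is an added example, not taken from the indictment or the original article: it flags observed hostnames whose registered domain is within a small edit distance of a protected one. The legitimate domain capstoneturbine.com, the sample hostnames, and the function names are assumptions made for illustration.

```python
def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ur" typed as "ru".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part
    public suffixes such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalikes(observed, protected, max_dist=2):
    """Return (observed_domain, protected_domain, distance) for near misses."""
    hits = []
    for host in observed:
        dom = registered_domain(host)
        for real in protected:
            d = osa_distance(dom, real)
            if 0 < d <= max_dist:  # distance 0 is the real domain itself
                hits.append((dom, real, d))
    return hits


# Assumed legitimate domain; the article names only the lookalike.
PROTECTED = ["capstoneturbine.com"]
# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_OBSERVED = [
    "www.capstonetrubine.com",   # lookalike quoted in the article
    "capstoneturbine.com",       # the real domain, must not be flagged
    "mail.example.org",          # unrelated
    "Capstone-Turbine.com.",     # constructed variant with a hyphen
]

if __name__ == "__main__":
    for dom, real, d in find_lookalikes(SAMPLE_OBSERVED, PROTECTED):
        print(f"{dom} resembles {real} (distance {d})")
```
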

Schooled by the Syrian Electronic Army

In August 2013, one named defendant sent another a news article that explained how a hacking group calling itself the Syrian Electronic Army hacked an Australian domain registrar in a bid to facilitate other hacks. (While the indictment doesn’t provide specifics, the incident almost certainly involved the group’s reported hijacking of nytimes.com by first hacking Melbourne IT, the Australia-based domain registrar for nytimes.com.) In early December 2013, prosecutors said, members of the conspiracy used the same tactic to hack the Australian registrar again, this time to hijack domain names of one of the targeted technology companies.

Besides using spear phishing, watering holes, malware, and domain hijackings, prosecutors said, the defendants also recruited employees of some of the targeted companies to infect corporate networks and provide intelligence about investigations. One of the defendants, Gu Gen, was a Chinese infrastructure and security manager working in a targeted French aerospace manufacturer’s office in Suzhou, Jiangsu Province. In January 2014, conspiracy members allegedly infected a laptop in Gu’s company with malware, dubbed Sakula, which communicated with the domain ns24.dnsdojo.com. A month later, US law enforcement authorities discovered the infection and notified French authorities.

“The French are asking Little Gu [Company I’s IT manager] to inspect the record: ns24.dnsdojo.com,” a Chinese intelligence officer allegedly said in a text to one of the defendants, according to the indictment. “Does it concern you guys?” Several hours later, prosecutors said, a member of the conspiracy deleted the domain name ns24.dnsdojo.com in an attempt to keep the conspiracy from coming to light.

The indictment is the third time since September that federal prosecutors have named Chinese intelligence officers as defendants in criminal hacks against US companies.

“This is just the beginning,” John C. Demers, assistant attorney general for national security, said in a release. “Together with our federal partners, we will redouble our efforts to safeguard America’s ingenuity and investment.”