Security researchers have correlated the activity of a Chinese hacker group known for targeting aerospace companies to a multi-year espionage effort by China’s intelligence agencies to further the development of the country’s C919 aircraft, an airliner designed to compete with similar planes from Airbus and Boeing.

The Comac C919 is a narrow-body twinjet airliner whose development started in 2008 and which made its maiden flight in 2017 after various delays due to technological issues. While touted as a Chinese-made aircraft, the plane uses many components supplied by aerospace companies from Europe and North America.

Between 2010 and 2015, coinciding with the plane’s development, researchers from CrowdStrike tracked a China-based group they dubbed Turbine Panda that launched cyberespionage attacks against several of the companies that supply C919 components. They now believe this was part of a coordinated effort by China to bridge the technology gap needed for state-owned enterprises to produce the same components locally.

Evidence indicates that the effort was coordinated by the JSSD, the Jiangsu Bureau of China’s Ministry of State Security (MSS), and that it combined traditional espionage, by recruiting insiders in targeted companies, with cyber intrusions by Turbine Panda.

“From August 2017 until October 2018, the DoJ [the U.S. Department of Justice] released several separate but related indictments against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE Employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators in the ZHANG et al. indictment,” CrowdStrike said in a new report released today.

A broad, coordinated effort to collect aerospace IP

“What makes these DoJ cases so fascinating is that, when looked at as a whole, they illustrate the broad but coordinated efforts the JSSD took to collect information from its aerospace targets. In particular, the operations connected to activity CrowdStrike Intelligence tracked as Turbine Panda showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms,” the report stated.

Sakula is a malware program that CrowdStrike believes is unique to Turbine Panda and JSSD, even though Turbine Panda has also used other Trojans, such as PlugX and Winnti, that are shared with other Chinese APT groups.

Sakula developer YU Pingan was arrested by the FBI in 2017 while attending a security conference in the U.S., and soon after the MSS issued orders to prevent Chinese security researchers from participating in conferences and capture-the-flag competitions overseas.

“In years prior to that directive, Chinese teams—such as those from Qihoo 360, Tencent and Baidu—had dominated overseas competitions and bug bounties including Pwn2Own and CanSecWest, earning thousands of dollars in cash rewards for their zero-day exploits for popular systems such as Android, iOS, Tesla, Microsoft and Adobe,” CrowdStrike said. “Instead, the companies these researchers work for were required to provide vulnerability information to the China Information Technical Security Evaluation Center (CNITSEC). CNITSEC was previously identified by CrowdStrike Intelligence and other industry reporting as being affiliated with the MSS Technical Bureau and it runs the Chinese National Information Security Vulnerability Database (CNNVD), which was outed for its role in providing the MSS with cutting-edge vulnerabilities likely for use in offensive operations.”

According to CrowdStrike, many of the individuals named in the DoJ indictments and believed to be part of Turbine Panda have storied histories in Chinese hacking circles dating back to at least 2004, indicating that Chinese intelligence recruited competent black hat hackers.

The Zhang indictment indicates that the cyber intrusions were overseen by Chai Meng, who managed the JSSD’s cyber operations, and Liu Chunliang, who maintained the infrastructure for the attacks. Liu was also the one who sourced the Sakula malware from its developer, Yu, as well as another piece of malware called IsSpace that is associated with another Chinese APT group tracked as Samurai Panda.

Links to Anthem, OPM breaches

Both Sakula and IsSpace were used in the 2015 breaches at medical insurer Anthem and the United States Office of Personnel Management (OPM), which are already believed to be related based on industry reports. The attackers’ techniques and procedures in the Anthem breach bear a strong resemblance to those employed in a previous intrusion at Ametek, a US-based provider of electronic instruments and one of Turbine Panda’s victims. These connections suggest that the JSSD was behind the Anthem and OPM breaches.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals have seemingly outweighed the consequences to date,” the CrowdStrike researchers said.

“The reality is that many of the other cyber operators that made up Turbine Panda operations will likely never see a jail cell,” they said, concluding that the arrests are unlikely to “deter Beijing from mounting other significant cyber campaigns designed to achieve leapfrog development in areas of strategic importance.”

Companies from the aerospace sector remain of interest to Chinese hackers, and the attacks against them are likely to continue. In 2017, after the C919’s maiden flight, the Aero Engine Corporation of China (AECC) and Russia’s United Aircraft Corp (UAC) announced a joint venture to design a new aircraft dubbed CR929, a wide-body jet that will compete with the Airbus 350 and Boeing 787.

As with the C919, the CR929’s engines, onboard electrical systems and other components will initially need to be sourced from foreign suppliers. CrowdStrike warns that companies bidding on those contracts “may face additional targeting from China-based adversaries that have demonstrated the capability and intent to engage in such intellectual property theft for economic gain.”

“It is unclear whether Russia, a state that also has experienced cyber operators at its disposal, would also engage in cyber-enabled theft of intellectual property related to the CR929,” the company said.