Rarely in the infosec industry do cyber investigators get the luxury of knowing the full scope of their adversary’s campaign—from tasking, to actual operations, all the way to completion. The oft-repeated mantra “Attribution is hard” largely stands true. Short of kicking down the door just as a cyber actor pushes enter, it is frustratingly hard to prove who is responsible for cyber attacks with 100% certainty. However, a series of recent U.S. Department of Justice (DoJ) indictments released over the course of two years, combined with CrowdStrike Intelligence’s own research, has allowed for startling visibility into a facet of China’s shadowy intelligence apparatus.
In this blog, we take a look at how Beijing used a mixture of cyber actors sourced from China’s underground hacking scene, Ministry of State Security (MSS/国安部) officers, company insiders, and state directives to fill key technology and intelligence gaps in a bid to bolster dual-use turbine engines which could be used for both energy generation and to enable its narrow-body twinjet airliner, the C919, to compete against western aerospace firms. What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA. These operations are ultimately traceable back to the MSS Jiangsu Bureau, the likely perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.