The US Department of Justice says a hacking spree targeting American and European aircraft technology companies, allegedly by Chinese intelligence officers, involved infiltrating an Australian domain registrar.
US prosecutors have charged 10 Chinese nationals and their alleged co-conspirators, who it claims were attempting to steal intellectual property, including confidential business information related to a turbofan engine used in commercial airliners.
The alleged intrusions, which ran from January 2010 to May 2015 and are attributed to a foreign intelligence arm of China’s Ministry of State Security (MSS), came as a Chinese state-owned aerospace company was working to develop a comparable engine for use in aircraft manufactured in China and elsewhere.
The 21-page unsealed indictment does not reveal the name of the Australian domain registrar.
It only refers to it as “Company L”.
“This action is yet another example of criminal efforts by the MSS to facilitate the theft of private data for China’s commercial gain,” US Attorney for the Southern District of California, Adam Braverman, said.
“The concerted effort to steal, rather than simply purchase, commercially available products should offend every company that invests talent, energy and shareholder money into the development of products.”
The indictment describes how on August 28, 2013, alleged hacker Liu Chunlian sent accused malware developer Ma Zhiqi a link to a news article that explained how the Syrian Electronic Army had hacked into the computer systems of Australia’s “Company L” in order to facilitate intrusions.
The Syrian Electronic Army is a group of hackers supporting Syrian President Bashar al-Assad.
The indictment details how the Chinese hackers, just weeks after the Syrian Electronic Army’s Australian attack, allegedly used the same method to hack into the computer systems of Company L and hijack the domain names of Company H (a San Diego-based technology company).
The hacked Australian domain registrar hosted the San Diego company’s domain names.
“On December 3, 2013, a member of the conspiracy installed Sakula malware on Company H’s computer network and caused the malware to send a beacon to a doppelganger domain name under the control of one or more members of the conspiracy,” the indictment states.
“Notably, the doppelganger domain name was designed to resemble the real domain of Company A (a Massachusetts-based aerospace company), which had previously been hacked by members of the conspiracy.
“Between December 3, 2013, and January 15, 2014, members of the conspiracy accessed approximately 40 computer systems operated by Company H and installed a variety of malware, including Sakula, Winnti, and PlugX, to steal Company H’s data.”
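As an added, defender-side illustration that is not part of the indictment or the article: the beacon described above went to a doppelganger domain built to resemble a legitimate company's domain, and a small scanner over DNS query logs can surface that pattern. The log lines, the KNOWN_GOOD set and the CONFUSABLES table below are constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample DNS query log lines (timestamp, host, query type, name).
SAMPLE_DNS_LOG = """\
2013-12-03T10:15:01Z host-017 query A companya-aero.com
2013-12-03T10:15:44Z host-017 query A cornpanya-aero.com
2013-12-03T10:16:10Z host-022 query A mail.google.com
2013-12-03T10:16:55Z host-031 query A company-a-aero.com
"""

# Domains the organisation legitimately talks to (assumed, constructed here).
KNOWN_GOOD = {"companya-aero.com", "companyh-tech.com"}

# Visually confusable substitutions seen in lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize(domain):
    """Collapse confusable sequences and separators so lookalikes compare equal."""
    s = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s.replace("-", "").replace(".", "")


def is_doppelganger(domain, known_good, threshold=0.85):
    """Return the known-good domain this name mimics, or None if it is clean."""
    if domain in known_good:
        return None  # exact match to an allowed domain is not suspicious
    nd = normalize(domain)
    for good in sorted(known_good):
        ng = normalize(good)
        if nd == ng or SequenceMatcher(None, nd, ng).ratio() >= threshold:
            return good
    return None


def scan_dns_log(log_text, known_good=KNOWN_GOOD):
    """Parse each log line and collect queries for doppelganger domains."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)", line)
        if not m:
            continue  # skip malformed lines rather than failing the scan
        ts, host, domain = m.groups()
        mimicked = is_doppelganger(domain, known_good)
        if mimicked:
            hits.append({"ts": ts, "host": host, "domain": domain, "mimics": mimicked})
    return hits
```

A hit is a lead for triage, not proof of compromise; the threshold and confusable table need tuning against an organisation's own traffic.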