China Archives - My TechDecisions
https://mytechdecisions.com/tag/china/
The end user’s first and last stop for making technology decisions
Last updated: Wed, 27 Mar 2024 20:35:24 +0000

The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet
https://mytechdecisions.com/network-security/the-cyberattacks-and-insider-threats-during-the-development-of-chinas-c919-passenger-jet/
Mon, 05 Jun 2023 19:59:22 +0000
Over the weekend, China claimed a major win by launching the first commercial flight of the C919, the country’s first domestically manufactured large passenger jet built by the Commercial Aviation Corporation of China (COMAC). However, some non-China-based aviation manufacturers and cybersecurity firms may opt to use the term “domestically manufactured” loosely.

According to CNN, the C919’s first flight left Shanghai at 10:32 a.m. Sunday and landed at Beijing Capital International Airport at 12:31 p.m. The flight is being hailed as an important moment in China’s strategy to boost domestic manufacturing by 2025 and reduce reliance on foreign companies in the aviation sector.

While the aircraft is assembled in China, many of its components come from Western companies. Adding to the scrutiny of the aircraft’s development are allegations that a Chinese state-aligned adversary conducted cyber intrusions against several of the companies that make the C919’s components. These allegations are detailed in a lengthy 2019 report from cybersecurity firm CrowdStrike, as well as in a series of indictments against both cyber actors and insiders.

CrowdStrike could not be reached for comment, so this article is sourced entirely from the firm’s report and U.S. Department of Justice indictments.

In its report, CrowdStrike says its research corroborates a series of DOJ indictments released over the course of two years during the C919’s development. Taken together, the indictments strongly suggest that cyber actors from China, company insiders and state directives targeted foreign companies to fill key technology and intelligence gaps and better compete against the Western aerospace industry.

“What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA,” CrowdStrike said in the 2019 report, alleging that the operations can be traced back to China’s Ministry of State Security’s (MSS) Jiangsu Bureau, the alleged perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.

Cyberattacks beginning in 2010

According to CrowdStrike, Turbine Panda conducted cyber intrusions between 2010 and 2015 against foreign manufacturers of aviation components, including many that were chosen for the C919.

The state-owned enterprise (SOE) Commercial Aircraft Corporation of China announced in December 2009 that it had chosen CFM International’s (a joint venture between U.S.-based GE Aviation and French aerospace firm Safran, formerly Snecma) LEAP-X engine to provide a custom variant engine, the LEAP-1C, for the then-newly announced C919.

Despite the deal, both COMAC and fellow SOE the Aviation Industry Corporation of China were believed to be tasked by China’s State-owned Assets Supervision and Administration Commission of the State Council (SASAC) with building an “indigenously created” turbofan engine that was comparable to the LEAP-X, CrowdStrike says in its report. In 2016, the Aero Engine Corporation of China produced the CKJ-1000AX engine, which bears multiple similarities to the LEAP-1C engine.

While CrowdStrike admitted that it is difficult to assess if the Chinese engine is a direct copy, the cybersecurity firm said it is highly likely that its makers benefitted significantly from the cyber campaign of the Jiangsu Bureau of the MSS (JSSD).

CrowdStrike, citing its own intelligence reporting and U.S. government sources, says the Chinese government uses a “multi-faceted system” of forced technology transfer, joint ventures, physical theft from insiders and cyber espionage to acquire information to fill key knowledge gaps.

One DOJ indictment, CrowdStrike says, describes initial preparatory action that included “compromising Los Angeles-based Capstone Turbine servers and later using a doppelganger site as a strategic web compromise (SWC) in combination with DNS … to compromise other aerospace firms.”

From 2010 to 2015, the linked JSSD operators are believed to have targeted a variety of aerospace-related targets … using two China-based APT favorites, PlugX and Winnti, and malware assessed to be unique to the group dubbed Sakula.

Many individuals associated with the campaign are “assessed to have storied histories in legacy underground hacking circles within China dating back to at least 2004,” CrowdStrike says, citing the DOJ.

Indictments

As detailed in CrowdStrike’s report, the U.S. Department of Justice released several indictments from 2017 through October 2018, charging several individuals with activities related to theft of trade secrets and hacking related to the development of the C919.

The indictments were against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators.

“What makes these DoJ cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” CrowdStrike says in its report. “In particular, the operations connected to activity CrowdStrike Intelligence tracked as TURBINE PANDA showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms.”

Insiders

CrowdStrike and the DOJ also detail how insiders and IT employees helped steal information and cover up the cyber activities, offering new insight into how adversaries leverage a wide variety of tools and techniques to accomplish their goals.

According to CrowdStrike and the DOJ, a GE insider was charged with using “an elaborate and sophisticated means” to steal GE trade secrets after being recruited by a Chinese aerospace official closely aligned with the country’s Ministry of Industry and Information Technology.

In addition, IT employees at the Canada-based International Civil Aviation Organization (ICAO), the United Nations body that sets global aviation standards, allegedly covered up a cyber intrusion by another alleged China state-sponsored actor that had been observed targeting the aviation industry.

CrowdStrike, citing public reporting, says the intrusion at ICAO was “likely designed to facilitate a strategic web compromise (SWC) attack … that would easily provide a springboard to target a plethora of other aerospace-related as well as foreign government victims.”

“Upon being alerted to the breach by the Aviation Information Sharing and Analysis Center (AISAC), the ICAO internal IT investigation staff was reportedly grossly negligent, and the cyber intruders may have had direct access to one of their superuser accounts,” CrowdStrike says in its report. “In addition, a file containing a list of all the potential organizations who were compromised by the incident mysteriously disappeared during further investigations.”

Both the ICAO IT supervisor in charge of the mishandled internal investigation and the ICAO’s secretary general, who shelved recommendations to investigate the IT supervisor and his four team members, were found to have ties to China’s aviation industry, CrowdStrike says.

Takeaways from four years later

This article is just a snippet of CrowdStrike’s reporting and what Turbine Panda and other associated groups are alleged to have done to help boost the Chinese aviation sector. But more than that, it tells the tale of how advanced persistent threat (APT) groups and other sophisticated threat actors will go to extraordinary means to accomplish their end goals.

That includes advanced hacking techniques, leveraging insiders, physical theft and collaborating with the massive underground cybercrime community to launch multi-faceted attacks against a particular organization or industry.

The post The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet appeared first on My TechDecisions.

Microsoft, NSA Warn of Stealthy China-Sponsored Hacking Group Volt Typhoon
https://mytechdecisions.com/network-security/microsoft-nsa-warn-of-stealthy-china-sponsored-hacking-group-volt-typhoon/
Wed, 24 May 2023 21:03:48 +0000
Microsoft is sounding the alarm on a group it calls Volt Typhoon, another state-sponsored hacking group based in China that is targeting critical infrastructure organizations and leveraging living-off-the-land techniques and proxying its network traffic through compromised network edge devices and routers to evade detection.

Microsoft says Volt Typhoon is pursuing development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Although Microsoft’s research blog doesn’t mention Taiwan or the escalating tensions between the U.S. and China over Taiwan, cyberattacks are now essentially expected to be a part of international crises after the cyberattacks that preceded Russia’s invasion of Ukraine.

Volt Typhoon’s victims

According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the U.S. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.

Volt Typhoon relies on stealth, almost exclusively living-off-the-land techniques and hands-on-keyboard activity to stay undetected. The group issues commands via the command line to collect data and credentials from local and network systems, puts the data into an archive file to stage it for exfiltration, and uses stolen credentials to maintain persistence, researchers say.

The group also leverages compromised small office and home office (SOHO) network routers, firewalls and VPN hardware to route traffic through in an attempt to blend into normal network activity. The group also uses custom versions of open-source tools to establish a command-and-control channel over proxy to stay under the radar, Microsoft researchers say.

Volt Typhoon’s initial access

Volt Typhoon gains initial access to victim environments through internet-facing Fortinet FortiGuard devices, but according to the blog, Microsoft researchers do not yet know exactly how.

“Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” researchers write.

From there, the alleged China-based hacking group leverages the privileges afforded by the Fortinet device, extracts credentials for an Active Directory account used by the device, and attempts to authenticate to other devices on the network with those credentials.

How Volt Typhoon evades detection

The elite China hacking group proxies its network traffic to its targets through compromised SOHO network edge devices, including routers.

“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.

In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices. Owners of those network edge devices should ensure that management interfaces aren’t exposed to the public internet.

According to the NSA, Volt Typhoon further obscures its activity by having its command-and-control traffic emanate from local ISPs in the geographic area of the victim.

Volt Typhoon’s discovery and data exfiltration

Once inside a target’s environment, Volt Typhoon uses the command line to conduct hands-on-keyboard activity. The group rarely uses malware, researchers say. Instead, they use living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.

According to Microsoft, the alleged Chinese hacking group also uses a variety of legitimate tools, including the Local Security Authority Subsystem Service to dump credentials, the command-line tool Ntdsutil.exe to create installation media from domain controllers, and PowerShell, Windows Management Instrumentation Command-line and the ping command to discover other systems on the network.

According to the NSA, the group also exploits CVE-2021-40539, a vulnerability in ManageEngine ADSelfService Plus, and CVE-2021-27860, a vulnerability in the management interface of FatPipe WARP, IPVPN and MPVPN.

Read Microsoft’s blog and the NSA advisory for more information, including indicators of compromise and recommended actions.

The post Microsoft, NSA Warn of Stealthy China-Sponsored Hacking Group Volt Typhoon appeared first on My TechDecisions.

Report: U.S. is Behind China in AI Investing
https://mytechdecisions.com/mobility/usa-china-ai-investing/
Wed, 13 Nov 2019 20:35:21 +0000
I’ve read and heard so much about artificial intelligence since I’ve started writing for Tech Decisions that I figured the U.S. was leading the way.

With the likes of Apple, Amazon, Google and Microsoft calling the U.S. home, I thought we were for sure leading the world in AI technologies. I was also sure that the U.S. government and its national security experts were utilizing the technology to its fullest extent.

According to Reuters, I’m wrong, and the U.S. is falling behind China, which is investing more than the U.S. in AI.

The outlet’s write-up of the release of the National Security Commission’s report suggests that the U.S. needs to invest more in research and education to apply the technology to national security missions.

The National Security Commission on Artificial Intelligence (NSCAI), created by Congress last year, raised concerns about the progress China has made in this area. It also said the U.S. government still faces enormous work before it can transition AI from “a promising technological novelty into a mature technology integrated into core national security missions.”

The commission thinks an allied effort on AI in the realm of national security is important, Robert Work, vice chairman of the NSCAI and a former deputy secretary of defense, told reporters. The NSCAI has spoken with Japan, Canada, the United Kingdom, Australia and the European Union, Work said.

China is investing more than the United States in AI, said the report, which referred to the Asian nation more than 50 times.

“China takes advantage of the openness of U.S. society in numerous ways – some legal, some not – to transfer AI know-how,” the report said, at a time of heightened tensions between the countries.

According to Reuters’ sources, China is ahead in facial recognition technologies for surveillance and in financial technology. However, the West is overall conducting more advanced research.

The article also noted the geopolitical implications of continuing or not continuing to collaborate with Chinese researchers on this technology.

There are far more applications and uses for the technology than government and military applications, and governments around the world should invest in every use of the technology.

There are clear ethics issues with AI and other emerging technology, so governments should proceed with AI investing cautiously, but they should also let the market and science dictate where the technology is applied.

The post Report: U.S. is Behind China in AI Investing appeared first on My TechDecisions.
