TradeCompliance.io

3 - Provincial Ministry of Security Involved in Hacking Scheme


The PRC has been associated with many instances of economic espionage, but very rarely are they linked to government organizations as explicitly as in 2018. In this instance, hackers and insiders were alleged to be working for the Jiangsu Province Ministry of State Security (JSSD). This branch of the Chinese Ministry of State Security represents Jiangsu Province, the capital of which is Nanjing. The PRC tends to have hubs for specific industries in specific provinces as part of its military-civil fusion strategy. Jiangsu Province is known for exporting electronic equipment and other high-tech goods, and it is one of the wealthiest provinces in China.

The Department of Justice states that the JSSD hired a team of hackers consisting of Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi. Their primary responsibility was to steal technology related to turbofan engines, namely those used in commercial aircraft. To facilitate this, the group hacked into a French aerospace manufacturer’s office in Suzhou, Jiangsu Province. Additionally, this engine technology was in development with American aerospace manufacturers, which meant the hackers were able to gain access to other companies involved in the manufacturing of the turbofan engine.

These hacks included companies in three states: Arizona, Massachusetts, and Oregon. During the investigation, Justice Department officials concluded that a separate Chinese state-owned enterprise working in aerospace was working to develop a similar engine. According to the Justice Department, the hackers used the following methods to intrude into companies and steal their data: “spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies’ own websites as ‘watering holes’ to compromise website visitors’ computers, and domain hijacking through the compromise of domain registrars.”

While the team of hackers was the primary tool used to obtain this information, the operation also included efforts to recruit members of the U.S. Army, as well as employees of foreign companies, to cooperate with JSSD intelligence agents. In the instance of the French company based in Suzhou, two employees named Tian Xi and Gu Gen were recruited by the JSSD to deploy malware on the network in the Suzhou office. When the malware was discovered, “conspirators Chai Meng and Liu Chunliang tried to minimize JSSD’s exposure by causing the deletion of the domain linking the malware to an account controlled by members of the conspiracy.”

Lastly, Zhang Zhang-Gui and his co-conspirator, Li Xiao, were charged with supplying malware used to hack Capstone Turbine. Li used the malware, amongst other things, to repeatedly intrude into the networks of Capstone and a San Diego-based IT firm.

Footnotes

[1] https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal


Site Maintained By The James Martin Center for Nonproliferation Studies (Washington DC Office) Suite 1225, 1400K Street, Washington DC, 20005, USA. Email [email protected]
