• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

 | 

United Natural Foods Expects $400M revenue impact from June cyber attack

 | 

Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity

 | 

UNC6148 deploys Overstep malware on SonicWall devices, possibly for ransomware operations

 | 

Operation Eastwood disrupted operations of pro-Russian hacker group NoName057(16)

 | 

Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network

 | 

Former US Army member confesses to Telecom hack and extortion conspiracy

 | 

CVE-2025-6554 marks the fifth actively exploited Chrome Zero-Day patched by Google in 2025

 | 

DDoS peaks hit new highs: Cloudflare mitigated massive 7.3 Tbps assault

 | 

U.S. CISA adds Wing FTP Server flaw to its Known Exploited Vulnerabilities catalog

 | 

Android Malware Konfety evolves with ZIP manipulation and dynamic loading

 | 

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Intelligence
  • Malware
  • China-linked cyberspies Turbine PANDA targeted aerospace firms for years

China-linked cyberspies Turbine PANDA targeted aerospace firms for years

Pierluigi Paganini October 18, 2019

Security firm revealed that China-linked APT group Turbine Panda conducted cyber-espionage operations aimed at various aerospace firms for years.

Security researchers at Crowdstrike conducted long-running cyber-espionage operations aimed at various aerospace firms. According to the experts the cyber espionage operations begun in January 2010, after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) selected U.S.-based CFM International to provide a custom engine (LEAP-1C) for its C919 aircraft. The researchers attributed the attacks to a China-linked threat actor tracked as TURBINE PANDA who targeted multiple companies that manufactured the C919’s components between 2010 and 2015. The operations are traceable back to the MSS Jiangsu Bureau, the same unit blamed for the 2015 U.S. Office of Personnel Management (OPM) breach. 

“However, the C919 can hardly be seen as a complete domestic triumph, because it is reliant on a plethora of foreign-manufactured components. Likely in an effort to bridge those gaps, the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919’s various components.” reads a blog post published by Crowdstrike.

Researchers noticed that in August 2016, both COMAC and AVIC became the main shareholders of the Aero Engine Corporation of China (AECC/中国航空发动机集团), which produced the CJ-1000AX engine. Experts claim that CJ-1000AX is quite similar to the LEAP-1C, its dimensions and turbofan blade design demonstrate it.

Researchers suspect that the aircraft maker benefited information obtained through cyberespionage campaigns carried out over the years.

“The actual process by which the CCP and its SOEs provide China’s intelligence services with key technology gaps for collection is relatively opaque, but what is known from CrowdStrike Intelligence reporting and corroborating U.S. government reporting is that Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs.” continues Crowdstrike.

The hackers targeted multiple companies that were involved in the supply of components for the project, including Honeywell and Safran.

Turbine Panda China

The Turbine Panda cyberespionage group used multiple malware to compromise the systems of the target organizations, the researchers reported the involvement of the PlugX RAT, the Winnti backdoor, and the Sakula malware.

Researchers identified a HUMINT element to the JSSD’s espionage operations against the targets in the aerospace industry that were involved in the project.

“In February 2014, one of our own blogs described the relationship between cyber activity in 2012 against Capstone Turbine and an SWC targeting Safran/Snecma carried out by TURBINE PANDA, potentially exposing the HUMINT-enabled cyber operations described in some of the indictments.” reads the report published by the experts. “As described in the ZHANG indictment, on 26 February 2014, one day after the release of our “French Connection” blog publicly exposed some of TURBINE PANDA’s operations, intel officer XU texted his JSSD counterpart, cyber director CHAI, asking if the domain ns24.dnsdojo.com was related to their cyber operations. That domain was one of the few controlled by cyber operator lead LIU, and several hours after CHAI responded to XU’s text that he would verify, the domain name was deleted”

According to the report, in November 2013, the JSSD Intelligence Officer Xu Yanjun recruited a Safran Suzhou insider named Tian Xi.

Tian Xi delivered the Sakula malware to the target company using a USB drive with the Sakula malware on it, in January 2014.

Despite Xu Yanjun, the Sakula developer Yu Pingan, and two individuals working as insiders have been arrested, the cyber espionage campaigns have not ceased.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike concludes. “Similar to the procedure for developing the C919, the JV is currently taking bids for an aircraft engine that will be used until a Chinese-Russian substitute can take its place; this appears likely to be the CJ2000, an upgraded version of the CJ-1000AX used in the C919.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – China Turbine Panda, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

China Cyberespionage hacking news information security news Intelligence Pierluigi Paganini Security Affairs Security News Turbine Panda

you might also like

Pierluigi Paganini July 17, 2025
Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen
Read more
Pierluigi Paganini July 17, 2025
United Natural Foods Expects $400M revenue impact from June cyber attack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

    Data Breach / July 17, 2025

    United Natural Foods Expects $400M revenue impact from June cyber attack

    Security / July 17, 2025

    Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity

    Security / July 17, 2025

    UNC6148 deploys Overstep malware on SonicWall devices, possibly for ransomware operations

    Hacking / July 17, 2025

    Operation Eastwood disrupted operations of pro-Russian hacker group NoName057(16)

    Cyber Crime / July 16, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT