{
	"id": "653a2c65-d994-46b0-8caf-b3a0fa37519a",
	"created_at": "2026-04-06T00:11:40.94821Z",
	"updated_at": "2026-04-10T03:34:17.247666Z",
	"deleted_at": null,
	"sha1_hash": "f4816aafcec3d40f88e04183bab5613a547d3d7b",
	"title": "U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34107,
	"plain_text": "U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal\r\nAerospace Secrets\r\nBy Dell Cameron\r\nPublished: 2018-10-30 · Archived: 2026-04-05 14:47:38 UTC\r\nThe U.S. Justice Department has charged two Chinese intelligence officers, six hackers, and two aerospace\r\ncompany insiders in a sweeping conspiracy to steal confidential aerospace technology from U.S. and French\r\ncompanies.\r\nFor more than five years, two Chinese Ministry of State Security (MSS) spies are said to have run a team of\r\nhackers focusing on the theft of designs for a turbofan engine used in U.S. and European commercial airliners,\r\naccording to an unsealed indictment (below) dated October 25. In a statement, the DOJ said a Chinese state-owned aerospace company was simultaneously working to develop a comparable engine.\r\n“The threat posed by Chinese government-sponsored hacking activity is real and relentless,” FBI Special Agent in\r\nCharge John Brown of San Diego said in a statement. “Today, the Federal Bureau of Investigation, with the\r\nassistance of our private sector, international and U.S. government partners, is sending a strong message to the\r\nChinese government and other foreign governments involved in hacking activities.”\r\nThe MSS officers involved were identified as Zha Rong, a division director in the Jiangsu Province regional\r\ndepartment (JSSD), and Chai Meng, a JSSD section chief.\r\nAt the direction of the MSS officers, the hackers allegedly infiltrated a number of U.S. 
aerospace companies,\r\nincluding California-based Capstone Turbine, among others in Arizona, Massachusetts, and Oregon, the DOJ said.\r\nThe officers are also said to have recruited at least two Chinese employees of a French aerospace manufacturer—\r\ninsiders who allegedly aided the conspiracy by, among other criminal acts, installing the remote access trojan\r\nSakula onto company computers.\r\nSakula was previously deployed by Deep Panda, a Chinese nation-state threat group, according to cybersecurity\r\nfirm CrowdStrike. Deep Panda is a leading suspect in the cyberattack on the U.S. government’s Office of\r\nPersonnel Management (OPM), revealed in June 2015, which compromised the data of 4 million current and\r\nformer federal employees. Sakula was also used in the 2015 Anthem data breach, which involved the potential\r\ntheft of roughly 80 million individuals’ personal medical records.\r\nThe indictment includes intercepted communications between MSS spies and one of the insiders, including\r\nrepeated mentions of “the horse,” an alleged reference to the Sakula malware. The hackers are also said to have\r\nused IsSpace, a trojan previously used in attacks attributed to DragonOK, a hacking group behind attacks on tech\r\ncompanies in Japan and Taiwan, according to cybersecurity firm FireEye.\r\nThe charges against the MSS officers follow the arrest in Belgium earlier this month of Yanjun Xu, an alleged\r\nChinese spy accused of likewise targeting multiple U.S. aerospace companies. Xu was extradited to the United\r\nStates on September 9 and will stand trial for allegedly conducting economic espionage and attempting to steal\r\ntrade secrets.\r\nSource: https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695"
	],
	"report_names": [
		"u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695"
	],
	"threat_actors": [
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4816aafcec3d40f88e04183bab5613a547d3d7b.pdf",
		"text": "https://archive.orkl.eu/f4816aafcec3d40f88e04183bab5613a547d3d7b.txt",
		"img": "https://archive.orkl.eu/f4816aafcec3d40f88e04183bab5613a547d3d7b.jpg"
	}
}