Cold Open
A quick note before we get started. This is part four of a four-part series, which charts how China built one of the world’s most advanced cyberwarfare programs. You don’t necessarily have to listen to these episodes in order, but you’ll get more out of it if you do. And now…on with the show.
The following presentation is not suitable for young children. Listener discretion is advised.
OK, start the engine.
SFX: GE9X jet engine
In March 2017, David Zheng watched the GE9X roar to life. The 20-ton jet engine could power a Boeing 777. David helped design it—specifically, the polymer casing that housed the engine’s spinning turbine. He was wearing goggles and an orange safety vest, along with several of his fellow engineers.
At the moment, the GE9X was hanging from a massive scaffolding, which took up most of the cavernous concrete hangar that made up the new testing facility at General Electric Aviation in Cincinnati.
David approached a pneumatic cannon that was aimed at the GE9X’s rotating maw. He loaded the payload: an eight-pound chicken. Then, he pulled the trigger. The cannon launched the bird carcass into the whirring blades at 450 miles per hour.
SFX: bird hitting engine
David held his breath. But the blades continued to rotate, no worse for wear. David smiled. He and his colleague shook hands. The bird strike test was a success. Competitors like Rolls-Royce and Pratt & Whitney had been trying to introduce jet engine composites to the market for decades, but David’s team was beating them to it.
David left the massive hangar elated and headed for his office. He loved his job. He was born in a poor rural village in China. He was the first person in his generation from the entire area to go to college. He studied at the Harbin Institute of Technology, and he’d lived in the United States since 2003. Sure, it was difficult living in a foreign country where he knew few other Chinese, but his job satisfaction more than made up for it.
David arrived at his desk, sat down, and opened his email. There was a message on LinkedIn.
David didn’t recognize the sender. Someone named Chen Feng. Chen had a pompadour haircut and he was the vice dean at the Nanjing University of Aeronautics and Astronautics, in eastern China.
Strange. David had no affiliation with it. Curious, he opened the message.
Dear Mr. Zheng. I learned from your online resume that you have accumulated a wealth of engineering experience in well-known companies such as GE Aviation. I’d love to invite you to speak at our university about your research.
David was torn. On the one hand, this was a massive ego stroke. On the other, his employer, GE Aviation, forbade its employees from discussing proprietary research with unauthorized people—especially in China. He knew that if he asked for permission, GE Aviation would never grant it.
But David figured there was no harm in giving a general discussion about his work without compromising GE. So, he decided to accept the invitation and not tell his employers.
In May, David flew to Beijing, then took a high-speed train to Nanjing. There, Chen Feng took him to a hotel. The next morning, Chen brought David to the university. Before the talk, Chen introduced him to a local Chinese government official. He was in his mid-thirties, with short hair and glasses.
Mr. Zheng, I’m Qu Hui, deputy director of the Jiangsu Provincial Association for International Science and Technology Development. It’s great to meet you.
Only, his name wasn’t really Qu Hui, and he wasn’t really a bureaucrat. But David didn’t know that.
The man calling himself Qu Hui presented David with a gift: tea packaged in a nicely wrapped box. An avid tea drinker, David was honored.
Next, Qu and Chen brought David to an auditorium filled with a few dozen students. David took out a USB stick and loaded his presentation onto the slide projector. Vice Dean Chen walked up to the podium.
Please welcome, David Zheng from GE Aviation.
David approached the podium.
Thank you for having me. I’m part of the team working on the GE9X. My specialty is resin-fiber composites. We use these to make engines lighter.
He showed images of his designs. Yes, they were proprietary, but they were only for demonstration purposes. The students asked more and more specific questions about his research, but each time, he declined.
When the presentation was over, Vice Dean Chen and Qu Hui took him out to dinner. There, Qu Hui slid an envelope across the table. Inside was $3,500.
That should cover your travel expenses and then some.
Oh, I can’t accept that. My employer wouldn’t like it.
They don’t need to know. It’s just a small token of appreciation.
Reluctantly, David took the envelope. What was the harm?
The next day, David returned to Cincinnati. There, he realized he’d forgotten the USB stick with his presentation on it. He quickly fired off an email asking a student at the university to delete it. He hoped that would be the end of it.
But David didn’t know he was now caught up in a spying war between China and the United States, one that would nearly cost him everything.
On this episode: multinational aviation companies, Chinese spies, Marvel superheroes, diplomatic negotiations, massive data theft, and the endgame of China’s cyberwarfare program.
I’m Keith Korneluk and you’re listening to Modem Mischief.
You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Turbine Panda and part four of our series on Chinese hacking.
Act One
Remember that provincial official who gave David Zheng the tea and the money? The one who called himself Qu Hui? His real name was Xu Yanjun.
About seven years earlier, in January 2010, Xu Yanjun was sitting in a conference room at his workplace, the 20-story concrete and glass headquarters of the Nanjing branch of the Jiangsu Ministry of State Security.
Alongside him were his supervisor, Zha Rong, also known as “Little Zha,” as well as one of his colleagues, Chai Meng. Right now, they were waiting for their guest to arrive. Little Zha was bragging about a recent card game he’d won against Chai.
Xu, can you believe I took him for 2,000 yuan! Ha!
Chai blushed. Xu nodded politely. He was in no mood to get chummy with his boss. Lately, Little Zha had repeatedly refused to reimburse Xu’s expense reports. It was one of the many aggravations that made him wish he’d never taken this job.
Finally, the door opened and an executive arrived. He represented the Commercial Aircraft Corporation of China, or COMAC, a state-sponsored aircraft manufacturer.
Thanks for waiting, gentlemen. Let’s get right to it.
He pulled out his laptop and opened a slideshow.
As I’m sure you know, commercial air travel in China is on the rise. Currently, our industry mostly relies on foreign-built airplanes. The C919 is going to change that…
He showed them a slide of a mock-up of the C919 passenger jet, which would be China’s first homemade commercial airliner.
It’s going to be finished within seven years.
Congratulations, Little Zha said. Why do you need us?
You may have heard that the first C919s are being built with many foreign-made parts. That’s where you come in.
Little Zha looked over at Xu, and then at Chai. Xu was already jotting down notes on his iPhone.
For instance, there’s the LEAP-X engine. It’s built by CFM, which is a joint venture between General Electric Aviation and Safran.
Xu nodded. GE Aviation and Safran would definitely be good places to start.
This was one of the few parts of his job he genuinely enjoyed.
Xu Yanjun was born in a small village in Jiangsu province in 1980. He was the first in his family to go to college, where he studied electrical engineering. However, in 2002 his life took a different path. He joined the Communist party and became a local secretary of the Communist Youth League in Yancheng, near his hometown. He married a fellow Communist party member, and they had a child. One year later, Little Zha recruited him to join the Ministry of State Security.
Little Zha tapped Xu because the Jiangsu branch of the MSS needed spies with engineering backgrounds. Jiangsu has long been an industrial province. Since the 1980s, both Chinese and foreign aerospace companies had set up shop there. Often, Chinese aerospace companies hired the Jiangsu MSS to hack into their foreign competitors and steal their technology—like the executive from the Commercial Aircraft Corporation of China was doing today.
As we’ve seen throughout this series, this was yet another instance of Chinese intelligence agencies working closely with the Chinese private sector.
Little Zha specialized in airplane technology, and Xu followed in his footsteps. Immersing himself in dense technical jargon only made him miss his engineering days. The deeper he got, the more he wished he could be an aerospace engineer instead of a spy.
Alas, there was much to be done. After their meeting with the COMAC executive, Xu and his team got to work pilfering technology from American and other foreign companies.
Little Zha would run the operation. Chai Meng would coordinate the malware. They’d use a remote access trojan horse program called Sakula. This was a nasty piece of work that, once installed on a target computer, would allow the MSS to access it remotely.
Sakula hid inside update files for programs like Adobe Self Extractor or Microsoft Hotfix, or inside the code of Internet Explorer. In the latter case, the hackers would build a dummy website that mimicked a target website. Then, anyone who visited the fake site would unwittingly download Sakula onto their computer. This was called a “Watering Hole” attack.
For Xu, it didn’t really matter how the malware worked, just that it did. His job was simple, relatively speaking.
More than 10 million Chinese live overseas. Some have jobs at American corporations, and many have high-level technical expertise.
To some within the Chinese Communist Party, any person with Chinese heritage is obligated to serve and protect their homeland. These Chinese engineers, physicists, software developers, and others living overseas could be useful—with the right persuasion.
Xu’s job would be to recruit these Chinese overseas and convince them to funnel technology back to China. And he’d do it through the local universities.
These would provide cover. Many Chinese technical universities actually began as military facilities. The seven biggest Chinese technical schools are called the Seven Sons of National Defense, including Xu’s local school, the Nanjing University of Aeronautics and Astronautics.
So, the ties between universities and the national security sector ran deep. Little Zha and Xu worked closely with Chen Feng, the pompadoured vice dean at the Nanjing University of Aeronautics and Astronautics, both to recruit students to join the MSS, as well as to lure Chinese technical experts to give presentations in their homeland.
Their first known hack in coordination with the development of the C919 passenger plane came in January 2010, when they targeted a Los Angeles-based company called Capstone Turbine with a watering hole attack.
Their next known attack targeted Safran. It’s a French aerospace corporation, and one of the two companies that was making the LEAP-X engine for the first generation C919.
Safran had a manufacturing facility in Suzhou, another major industrial city in Jiangsu province. By late 2013, Xu recruited two operatives who would get jobs at Safran’s Suzhou facility. One was Gu Gen. He was an IT specialist, and he was able to quickly infect the Suzhou facility’s servers with the Sakula malware. But this only affected the Suzhou manufacturing facility. The MSS still needed to hack into Safran’s home servers in France.
That was where Xu’s other recruit came in. He was named Tian Xi, and he was a manufacturing engineer. Tian Xi was put on the team assembling the LEAP-X engines. These were manufactured in France and then assembled at the Suzhou facility. The project manager was a Frenchman named Fredric Hascoet. Periodically, Hascoet traveled from France to Suzhou to oversee the project, and Tian Xi was his primary contact.
Xu sensed that Hascoet could be the conduit into Safran’s home computer network—which would give them access to the LEAP-X designs.
Xu needed Tian Xi to infect Hascoet’s laptop with Sakula. But to do that, he needed to get Tian Xi a USB drive with Sakula on it. He considered bumping into Tian Xi while he was out at a restaurant with Hascoet and handing off the USB drive then, but they scrapped that plan for being too risky.
It’s unknown exactly how Tian Xi did it. But on the day Hascoet returned to France, he texted Xu a message:
The horse is planted this morning.
They were in.
Only…their victory was short-lived. Once Hascoet returned to France in January 2014, Safran’s antivirus software detected the malware and refused to let his laptop boot up.
Safran recognized this for what it was: an intrusion attempt. France’s General Directorate for Internal Security opened an investigation, as did Safran itself.
And this was where Gu Gen came in handy. The Suzhou IT specialist and Ministry of State Security operative deleted every trace of Sakula from Safran’s servers before it could be detected.
But this safety measure was too little, too late. When news of the hack reached the cybersecurity community, the community jumped to investigate.
One of the first companies to report on the hack was CrowdStrike, based in Austin, Texas.
The researcher assigned to the hacks was named Adam Kozy of the Asia-Pacific analysis team. He was a tall, bearded ex-FBI employee who speaks Mandarin, Japanese and Portuguese, and who enjoys parkour in his spare time.
Kozy linked the Sakula malware to the earlier Capstone Turbine attack. He knew it was Chinese and likely government-sponsored, but little else. In a blog post, he gave the group a name: Turbine Panda.
Like we’ve seen many, many times before, other cybersecurity companies would give this group their own names, making this exercise both confusing and goofy. Turbine Panda would also be called Advanced Persistent Threat Group 26, or WebMasters, or Black Vine, or Technetium. We’ll stick with Turbine Panda, because that’s the title of this episode.
For Xu Yanjun, this was the first time his handiwork was exposed. He, Little Zha, and Chai Meng got a thorough chewing out from their department supervisor.
But the CrowdStrike posts didn’t stop them. Far from it. While the Safran angle was effectively a lost cause, plenty of other western companies were on their target list.
Up next was Honeywell. There, Little Zha worked one of his old contacts, an aerospace engineer named Arthur Gau.
Little Zha had tried to turn Arthur into an asset years earlier. Once, he’d brought Arthur and his mother on a Yangtze river cruise where they got to see its famed Middle Reaches. But when Little Zha tried to pay Arthur for classified company research, Arthur cut off all contact.
Over a decade later, Arthur was nearing retirement, and Little Zha reached out again. This time, he wanted Arthur to visit China to give presentations for his work—and also to give Turbine Panda an opportunity to bug his laptop with malware.
Such an invitation is a high honor to many Chinese technology experts living abroad—even if they’re not usually allowed to discuss the specifics of their work. Arthur was receptive, and he began making trips to Nanjing to speak at universities. He quickly became another of Turbine Panda’s valued assets.
Then in the spring of 2014, Turbine Panda invited a Chinese aerospace engineer living in Great Britain to speak at the Nanjing University of Aeronautics and Astronautics. This engineer—they’ve never been named—worked on both the Lockheed Martin F-35 fighter jet and Northrop Grumman E-2 tactical support plane.
After the engineer’s presentation, Little Zha and the pompadoured university official Chen Feng threw a banquet in the engineer’s honor—which was held at the same hotel where the engineer was staying. While Little Zha and Chen Feng were toasting their guest downstairs, Xu and some MSS tech guys were upstairs breaking into the engineer’s hotel room.
Inside, Xu located the engineer’s laptop. A tech opened it up and connected an external hard drive. The plan was to copy the entire contents of the laptop’s hard drive onto several external drives. The tech frowned.
This is gonna take three hours.
That wasn’t good. Xu texted the news to Little Zha downstairs.
It’s too slow, Little Zha texted back. Speed it up.
Xu rolled his eyes. As if it was that easy.
Xu decided to quickly go through the contents of the engineer’s laptop and select the documents that were most likely to be sensitive. He couldn’t be sure they’d find everything, but it was the best they could do.
An hour went by. Downstairs, Little Zha was stalling as best he could. The banquet was done with dinner and dessert. The visiting engineer yawned.
This is all so nice, but the jetlag is killing me. I think it’s time to head to bed.
Little Zha quickly fired off a text to Xu.
Are you done?
We need more time!
Little Zha turned to the engineer.
Nonsense. Let’s head to the bar for a nightcap.
I hate to be rude, but I’m quite exhausted. Maybe another time.
Little Zha fired off another text.
He’s coming upstairs!
Xu held his breath. Finally, the progress bar reached 100%. Xu and the techs quickly returned everything to the way it was and fled the room.
The mission was a success. Turbine Panda was making progress in its efforts to help the Commercial Aircraft Corporation of China build the C919.
But Turbine Panda was already exposed—and both the cybersecurity community and the American government were on its trail.
On top of that, the diplomatic situation between China and the US was evolving.
Act Two
Downtown Indianapolis, Indiana is home to the headquarters of the Anthem Corporation. It employs about 8,000 people around the state, and it provides health insurance for 80 million Americans nationwide.
If you happen to be from any other industrialized nation in the world, “Health insurance” is what Americans call the protection money they pay the mafia—I mean health insurance companies—to stay alive.
One day, in January 2015, an Anthem systems administrator was doing a routine check of Anthem’s server logs when they noticed something strange. Earlier, their own user account had queried an Anthem server that had access to sensitive customer information.
Only…the system administrator had done no such thing.
Their blood froze. They realized Anthem had been hacked.
The systems admin immediately informed their supervisor, who informed the FBI, which quickly learned that four other Anthem employees had also been hacked. Altogether, these five accounts were used to access and download information for 78 million of Anthem’s customers.
Thankfully, this didn’t include medical information. But it did include names, email addresses, physical addresses, birthdays, Social Security numbers, employment data, and even household income data. By the time Anthem’s IT people and the FBI got to the bottom of the hack, it was already several months too late.
Now, let’s jump ahead three months, to April 2015, and about 570 miles to the east, to Washington D.C. And specifically, to the Office of Personnel Management.
It’s basically the human resources department for the US federal government. Altogether, its computers house records for more than 20 million people, including federal employees, their family members, and even anyone who’d undergone a background check.
On April 15, 2015, an IT contractor for the OPM named Brendan Saulsbury was also combing through the server traffic when he discovered something disturbing—the OPM’s servers were communicating with a domain called “opmsecurity.org.” Problem was, no such domain existed. Not a legitimate one, anyway.
Brendan realized the implications. The OPM had already been hacked the year before. Brendan was part of the team that responded to it. Back then, Brendan and his team thought they’d kicked out the hackers with a system purge they called “the Big Bang.” They changed every employee’s password, created new admin accounts, and quarantined sections of the server that were infected.
But now, a year later, the hackers were back. Actually, they’d never left. Brendan would soon learn that the hackers had already created another entry point into the OPM in anticipation of a system purge.
It was too late to stop the hackers from stealing millions of federal employees’ records. This included basic identifying information, but also records of their service for the government, their careers, business ventures, family relationships, illegal drug use, alcohol abuse, criminal records, mental health status, travel records, and even a record of every foreign official they’d ever met with.
Now, what do the Anthem hack and the Office of Personnel Management hack have to do with each other? You guessed it, both were perpetrated by Chinese government hackers.
How do we know? Investigators examined the opmsecurity.org domain name. They discovered that it was registered to one “Steve Rogers,” aka Captain America’s alter ego. Soon, they found another dummy website registered to Tony Stark, aka Iron Man—and using superheroes as a cover identity is a hallmark of Chinese hackers.
Turbine Panda wasn’t involved in these hacks. The group responsible was another MSS hacking group called Deep Panda—but it used much of the same malware Turbine Panda did.
The Deep Panda hacks came just a few months after Turbine Panda bugged the aerospace engineer’s laptop. And the timing couldn’t have been more awkward. That’s because China’s President Xi Jinping was about to make his first state visit to the US since taking office.
For years, China had denied ever hacking the US. But with evidence mounting, those denials were no longer credible. The US was threatening to sanction China for its hacking.
President Xi certainly didn’t want that.
Xi Jinping was born in 1953 in Beijing. He’s the son of Mao Zedong’s former deputy prime minister, and he grew up in luxury.
But Xi’s father was ousted in a party purge in the 1960s. His sister committed suicide. Xi was banished to a rural village and a life of hard labor. After years of toil, Xi finally got his first local political appointment. From there, he climbed the ladder rung by rung until he became China’s president in 2012.
Soon, he developed a cult of personality—like any good authoritarian. Since taking power, Xi has honored himself with books, cartoons, pop songs and dance routines.
In 2015, the government released a rap song calling him “Big Daddy Xi.”
SFX: the Big Daddy Xi song
Here’s a translation of some of the lyrics.
Big Daddy Xi, Big Daddy Xi, on every street people sing his praises!
Big Daddy Xi, Big Daddy Xi, every one of us loves him!
What an earworm.
President Xi is determined to guide China on a trajectory similar to his own life’s. One of his goals is to make China’s economy the most advanced in the world. American sanctions would slow that down.
So, on the eve of President Xi’s visit to Washington, China sent a diplomatic delegation to discuss cyberwarfare. Not only did the delegation admit for the first time that China had indeed been hacking the US, they crafted an agreement for Xi and Obama to sign.
On September 25, 2015, the two presidents stood together in the White House Rose Garden. Obama said:
Today, I can announce that our two countries have reached a common understanding on a way forward. We’ve agreed that neither the US nor the Chinese will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.
So, did China stop hacking the United States in 2015?
Yep! That’s the end of the episode!
SFX: Cue 2 seconds of Modem Mischief theme music
In reality, the answer is “Not even close.”
Because while Xi Jinping was making moves to improve relations with the US, domestically it was a different story. Like we said, one of Xi’s goals is to make China’s economy first in the world. In early 2015, Xi announced the “Made in China 2025” plan, a pledge to lessen China’s dependence on foreign technology over the next decade—including everything from aerospace to robotics to green energy.
And how better to do that than by stealing American technology? American observers called the “Made in China 2025” plan a “roadmap to theft.”
And President Xi just so happened to be personally overhauling his country’s cyberwarfare program, too. Early in his term, Xi declared that China’s cyberwarfare program was amateurish, relying on publicly available malware and hacking tools that were too easily detectable. He ordered his cyberwarfare units to develop their own proprietary hacking tools.
He also reorganized the program. Like we said previously, China runs its hacking programs through two organizations: the army and the Ministry of State Security. President Xi placed all army hacking units—like Unit 61398, which was responsible for the Titan Rain attacks back in part 1—under the purview of a new agency called the Strategic Support Force.
He also expanded the MSS’s hacking program, allowing it to create more and more hacking units, or to increase the funding for existing groups like Turbine Panda.
So, while Xi and Obama were publicly pledging not to hack each other, the reality on the ground was the opposite. Chinese hacks slowed, but never quite stopped.
Then Donald Trump was elected in November 2016, and the hacks picked back up again.
Months after Trump’s election, the hacking group Deep Panda struck again, hacking into the American credit rating bureau Equifax and stealing the personal information of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadians.
But data theft was just one variety of hacking China was doing. Turbine Panda had never stopped its activities, either.
Xu Yanjun and his cohort, including his boss Little Zha, the malware expert Chai Meng, and the pompadoured university official Chen Feng, continued to recruit Chinese technical experts living overseas—and specifically ones who worked at General Electric.
Their next target was Zheng Xiaoqing. He was a 52-year-old engineer who worked at GE Power in upstate New York, where he specialized in sealing techniques that protect power turbines. He was also a family man, and an avid supporter of his sons’ gymnastics team.
In 2016, Xu convinced Xiaoqing to make the first of several trips to China to deliver talks on his work. But the real purpose of these visits was to smuggle GE Power’s proprietary information to China. Xiaoqing did this by concealing files within digital photos of sunsets, a process called “steganography,” and then emailing them to himself.
And then, there was David Zheng, the engineer at GE Aviation in Cincinnati who specialized in lightweight jet engine parts. As we saw earlier, Chen Feng first contacted David in March 2017.
David gave his presentation in May 2017 and returned home to Cincinnati thinking that was the end of it. Only, of course it wasn’t.
A few months after his return, GE Aviation began conducting random computer security checks. This made David nervous. Would they find evidence of his trip to China?
In the meantime, Xu Yanjun, or as David knew him, Qu Hui, continued messaging him. He wanted David to make another trip to China—and to bring sensitive documents.
That was a step too far. Worse, if his employers found out, this could ruin him.
He didn’t respond to the email. He wanted it all to go away. But it was too late for that.
Finally, on a November morning in 2017, David stepped out of his Cincinnati town house, opened his umbrella, and made the short walk to his car.
It was raining, but not hard enough to ground any flights, David knew. He got into his car and drove to work.
He pulled up to the front entrance of GE Aviation and flashed his ID badge. The security guard looked at it for a beat too long. Then she looked at David. She waved him through, but then immediately picked up the phone. What was that about?
David pulled into his parking space. Next to it was a car he didn’t recognize. He felt like he’d swallowed a stone.
He headed inside. As he arrived at his department, he found that his coworkers were all standing beside their desks. Along with them were some IT people, and a couple of officers from GE Security. On a table, several hard disks were lined up.
What’s going on? David asked.
We’re conducting a computer security review. We need everyone’s hard disks.
David knew there was no stalling. Reluctantly, he unplugged his own hard disk and handed it over. Soon, the security officers returned and confiscated everyone’s laptops.
Without them there was little work anyone could do. So, it was almost a mercy when the security officers returned.
Mr. Zheng? Come with us please.
David got up and followed the security officers to an auditorium, where there was a table and three chairs. David sat across from the security officers.
We understand you went to China six months ago, is this correct?
Yes.
What was the purpose of this visit?
Personal. It was my college reunion. I was also visiting friends and family.
Did you deliver any presentations while you were there?
What do you mean?
The security officers shared a look.
The FBI would like to talk to you.
What? Why?
We’ll let them explain.
They’re already here?
One of the officers left and returned with two FBI agents.
I’m Special Agent Bradley Hull, said one, who rocked a shaved head and a goatee.
Hull repeated the security officer’s questions. David gave the same answers.
But Hull pressed David on the details.
Last May, were you invited to give a presentation about your work at a Chinese technical university?
I don’t know what you’re talking about.
Sir, it’s a federal offense to lie to an FBI agent. Now, did you give a lecture at the Nanjing University of Aeronautics and Astronautics?
David Zheng had to make a choice. Should he deny it? Or should he tell the FBI everything he knew?
One thing was certain: David’s career was over.
Act Three
By the time Special Agent Hull confronted David Zheng, he’d already been on the case for months. It’s unclear how he discovered David’s trip to China, but not hard to imagine. The United States was well aware of China’s ongoing cyberwarfare against the US, and of China’s efforts to steal American trade secrets before that.
By 2017, reports by CrowdStrike and others alerted the FBI that another Chinese hacking group was trying to steal technology to power the C919 airliner.
Most likely, anyone involved in making component parts for the C919 was already on a watch list. So, David’s China trip would have raised red flags.
However it happened, after confronting David, Hull’s first move was to get a warrant to search the email addresses belonging to David’s contact, the man calling himself Qu Hui. His two addresses were both Gmail accounts, which meant they were under American jurisdiction.
Hull wasn’t prepared for what he found. The man’s real name was Xu Yanjun, an intelligence officer with the Ministry of State Security. On top of that, Xu had linked his email accounts to his smartphone, where he kept extensive notes about his spying operations, as well as his personal life—not a great move if you’re a spy.
Hull pored over the contents of the spy’s journals. Ever since CrowdStrike began publishing evidence linking the Chinese government to Turbine Panda back in 2012, Xu’s reputation had diminished in the eyes of the Ministry of State Security, and especially those of his supervisor, Little Zha. Recently, Little Zha had gone ballistic on Xu at a dinner, calling him “poor at management.” Lately, Xu had enrolled at a local university to take classes in aerospace engineering as a fallback option.
Xu’s personal life was deteriorating, too. He’d made bad investments in the stock market. He’d begun an extramarital affair with a woman, but she was pulling away.
Hull read Xu’s frantic messages.
Are you going to ghost me? He wrote his paramour.
Don’t you work for the Ministry of State Security? She replied. Isn’t it easy to find me?
This was in late 2017 and early 2018. It was only a few years earlier that the American government arrested and prosecuted its first Chinese computer criminal, Xiang Li, the owner of CRACK99. That prosecution was difficult enough. Nabbing an intelligence officer was an order of magnitude more difficult.
But Hull sensed he had enough here to finally pull it off.
A few weeks after his meeting with David Zheng at GE Aviation, Hull called David on his cell.
At the moment, David was fiddling with a neon sign resting on his dashboard. It was supposed to display the name of a well-known ridesharing app, but right now the piece of crap wasn’t working.
Since his meeting with the FBI, he’d been placed on administrative leave from GE Aviation. David had no illusions about returning to work. Even if he was cleared of all charges, his judgment was in question.
He’d never find high-level turbine work again.
He’d spent his entire life learning how to be an aerospace engineer. How the hell was he supposed to pay his rent now?
When he saw the number calling him, he groaned and picked up.
I already told you everything.
And we appreciate that, Mr. Zheng. But we think you could be of further help to us. The man named Qu Hui is actually named Xu Yanjun.
David winced at the American’s attempt to pronounce the Mandarin.
He’s an intelligence officer.
This made David’s blood boil. Yes, he’d broken the rules–but now he was learning his native country had guided him into doing it? His homeland had duped him?
What do you need me to do?
With that, David was in.
With Special Agent Hull’s guidance, David resumed his correspondence with Xu Yanjun.
Xu was elated–and given how much his personal and professional lives were deteriorating, he surely needed the win.
Xu invited David to come back to China, but this time he upped the ante: he wanted David to bring classified designs. And he’d pay David for the trouble.
Already on leave, David knew there was no way he could obtain such designs from his workplace.
Hull told him to string Xu along. Hull knew he could never arrest Xu Yanjun so long as he was in China. So, he needed to lure him to a country where he could arrest him.
As we mentioned, GE Aviation had a business relationship with Safran in France. But Hull knew France was unlikely to extradite a Chinese national to the US. A better bet would be a neighboring country like Belgium, the Netherlands, or Germany. Belgium was deemed the most agreeable.
Xu agreed to meet David at Pain Quotidien in Brussels on Easter Sunday, 2018. Xu arrived at the café two hours early and texted David.
Are you here?
Be right there. Sit tight.
But really David was in a hotel room nearby, along with Special Agent Hull. On Hull’s order, officers of the Belgium Federal Police swarmed the café, grabbed Xu, and took him into custody.
Xu Yanjun became the first Chinese intelligence officer ever convicted in an American court for espionage. In 2022, he was sentenced to 20 years in American prison.
The investigation into Xu Yanjun also uncovered several Chinese citizens whom the intelligence officer recruited for his operation. The Honeywell engineer Arthur Gau pleaded guilty to two counts of mishandling controlled information. The GE Power engineer and gymnastics enthusiast Xiaoqing Zheng got two years in prison for giving technology to Xu Yanjun. Xu’s indictment also named several of his Turbine Panda colleagues, like Little Zha Rong and Chai Meng.
As for David, the ex-GE Aviation engineer wasn’t prosecuted, thanks to his cooperation. But he’s never been able to get another job in aerospace composites, and today he works in an unrelated field. Like Xu Yanjun, he was a small-town kid who made something of himself despite growing up poor. But the Turbine Panda operation brought it all crashing down.
The Turbine Panda indictments were undoubtedly a banner day for the American Justice Department.
And yet…Turbine Panda wasn’t a failure. The indictment alleged that Turbine Panda compromised 13 different aerospace companies in service of building the C919.
The first test flight for the COMAC C919 took place in May 2017, at the same time David Zheng was giving his first presentation in Nanjing. This prototype used technology stolen from American, British, French, and other aerospace companies.
On top of that, not only did Turbine Panda continue operations in the years after the arrest of Xu Yanjun, the cybersecurity community discovered more and more Chinese hacking groups. They gave them names like Emissary Panda, Nightshade Panda, Sneaky Panda, Gothic Panda, Stone Panda, Kryptonite Panda, Aurora Panda, and Anchor Panda. And that doesn’t even include still-active legacy groups like Comment Panda or Wicked Panda.
America wasn’t just facing one group of Chinese hackers. It was facing an army, one that multiplies much faster than the pandas from which these groups take their names. And together, this cyber panda army is unstoppable.
Act Four
January 28, 2023 was a few days after the start of the Lunar New Year. This year is the year of the Rabbit, a prosperous sign.
On this day, Eastern China Airlines’ flight MU 7817 took off from Shanghai's Hongqiao International Airport and landed in the city of Nanchang, about an hour away.
It was a test flight. Onboard, the crew went through the entire flight routine, including a beverage and meal service for no passengers. MU7817 made the return trip, then made the circuit again before calling it a day.
MU 7817 is the first COMAC C919 passenger jet that’s scheduled to be operational this year. And it wouldn’t have been possible without Turbine Panda’s years of industrial espionage targeting American and international companies.
Of course, the COMAC C919 is just one example. There’s the J-31 Stealth Fighter Jet, which is based on Lockheed Martin’s F-35. Or the Tian Ying unmanned stealth drone, a near copy of Northrop Grumman’s X-47B.
And those are just military examples. Over the previous three episodes, we detailed how groups like Comment Panda, aka Unit 61398, or Wicked Panda spent years breaking into American and international companies of every variety, from telecommunications to manufacturing to healthcare to green technology to AI to even media and video games.
Like the Chinese military, Chinese corporations have eagerly repurposed this stolen technology to create their own versions.
Xi Jinping introduced his most ambitious project in 2015, the Digital Silk Road. Named after the medieval trade route that connected Europe, the Middle East, and Asia, it’s an initiative for Chinese companies to build digital infrastructure in countries around the world.
This includes fiber optic cables, international trunk passageways, mobile structures, e-commerce links, and even satellite GPS systems.
Many Chinese companies participate in this initiative. The state-owned China Mobile, the world’s largest telecommunications company, built fiber optic cables in Myanmar, Nepal and Kyrgyzstan.
Another is Huawei, the Chinese telecommunications company partly built on technology that Chinese military hackers stole from the Canadian company Nortel. Huawei built cables linking Pakistan to Kenya via Djibouti.
China’s digital empire continues to grow, and its foundation is built on technology stolen from American and other international companies. US officials estimate that China and its hackers steal up to $600 billion annually. It’s the greatest transfer of wealth in world history.
With this wealth, China has made good on President Xi Jinping’s goal of becoming technologically self-reliant by 2025. It’s practically there now.
And Qiao Liang couldn’t be happier.
Remember him? He’s the Chinese Air Force colonel who writes military thrillers in his spare time, where China always triumphs over the west.
He’s also one of the two colonels who wrote the book Unrestricted Warfare, which among other things encouraged the Chinese government to use hackers of all stripes to overcome China’s technological disadvantage.
After it was published, Qiao was promoted to general and retired with full honors. These days, General Qiao is a fixture on Chinese news shows, where he analyzes current events from a military perspective.
In May 2020, he gave a televised discussion titled “America invented the Internet, but time belongs to China.”
In it, he outlines how China has caught up to and even surpassed the United States in economic, military, and technological areas since Unrestricted Warfare was published.
The fall of the United States is inevitable in history, he said. A grand era is arriving. This great era isn’t brought on by the rise of China, but by the rise of American technology. The Internet is American technology. But what disappoints Americans is that they aren’t used to the Internet they invented.
China’s lack of interest in privacy, and our ignorance and disdain of personal rights, made us compatible with certain Internet attributes. That’s why China’s development in this area is very fast.
The Internet, and specifically its hackers, has allowed China to build everything from a national high speed rail system to a state of the art surveillance system. It’s advanced China’s military and its economy, and it’s provided many with an avenue to crime—just like it does everywhere else.
Most of all, the Internet, and hacking, have given China a means to achieve its goal, to become the world’s top economic power. If things continue as they are, that should happen by 2050.
CREDITS
Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon or as a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka He’s So Manly He Still Sleeps With a Stuffed Panda. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!