China says a foreign spy agency hacked its airlines, stole passenger records

Chinese officials said last week that a foreign intelligence agency hacked several of its airlines in 2020 and stole passenger travel records.

The hacking campaign was disclosed last week by officials from the Ministry of State Security, China's civilian intelligence, security, and secret police agency.

The hacking campaign was discovered after one of China's airlines reported a security breach to MSS officials in January 2020.

Investigators said they linked the hacks to a custom trojan that the attackers used to exfiltrate passenger details and other data from this first target. A subsequent investigation found other airlines compromised in the same way.

"After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency," the MSS said in a press release distributed via state news channels last Monday.

The MSS did not formally attribute the attack to any foreign agency or country.

In March 2020, two Chinese security firms, Qihoo 360 and QiAnxin published reports accusing the US Central Intelligence Agency of hacking Chinese organizations, including airlines, but the reports referenced historical activities between September 2008 and June 2019.

China rarely reveals details about foreign cyber-attacks

The press release in itself is a rarity, as the Chinese government almost never reveals attacks carried out by foreign state-sponsored hackers.

This is in direct opposition to how western countries and private cyber-security vendors handle such incidents. As soon as a major security breach happens, western security vendors rush to investigate and publish public blog posts about attacks, with government officials making a formal statement and attribution weeks or months later.

But when it comes to the Middle Kingdom, things are exactly the opposite.

Following the two reports from Qihoo 360 and QiAnxin in March 2020, this reporter reached out to several Chinese security firms and independent security researchers to inquire about how the Chinese state handles foreign cyber-espionage attacks and the subsequent investigation and attribution.

Several sources, including representatives from two major Chinese cybersecurity firms, which we will not name here for obvious reasons, have said that Chinese security firms regularly detect attacks from foreign state actors, including the US.

However, all reports are sent to the Chinese government first and foremost, as part of the local regulatory process, which is the one who decides if news of a breach can be made public. When a western actor with US and NATO links is suspected, this almost never happens.

Sources said they received no feedback on why most of their reports have not been made public nor used to counter the wave hacks attributed to Chinese-linked actors made by western governments and security firms.