X-Industry

Summary

On 10 October 2018, the FBI announced the arrest of Xu Yanjun, a Chinese intelligent agent who had been targeting an employee of GE Aviation to acquire trade secrets on the company’s jet engines.  The target employee had cooperated with the FBI during this operation, and when Xu arranged a meeting with the employee in Europe in April 2018, Xu was arrested.  He was extradited from Belgium to the United States in October and charged with economic espionage.Details in the indictment issued in this case provided a textbook example of how the Chinese target foreign engineers and extract proprietary technical data from them.  The patient steps used by the Chinese agent in this case included the following:

Contact was made from an innocent Chinese entity, a university, that expressed interest in the target’s work from an academic standpoint.

  • The target was invited to travel to China to talk about his and his company’s work. While there, he was introduced to his case officer who was using a cover identity.
  • The case officer followed up later by expressing interest in more details and holding out the possibility of another visit to China. He talked the target into finding more information and instructed him on the means of packaging it and transmitting it.
  • The case officer continued to expand the list of requirements, digging deeper into the company’s technologies. He eventually invited the target to a meeting in a third country, asking the target to bring his company computer and hand off more technical data.

US corporations can help defend themselves against Chinese collection by keeping their employees informed about the approaches the Chinese typically use and staying aware of any unusual employee travel.

A Case of Economic Espionage

The US Department of Justice charged Xu Yanjun on 10 October 2018 with conspiring to steal trade secrets from major US aviation and aerospace companies.  Xu was identified in the charges as an agent of China’s Ministry of State Security (MSS), a rough equivalent of the US CIA.  The case centered on Xu’s targeting of an employee of GE Aviation, a top jet engine manufacturer for US military aircraft based near Cincinnati, Ohio. 

Xu had orchestrated the invitation of this unnamed engineer to China to give a briefing on work that GE Aviation was doing of jet engine blade design.  After the engineer flew to China in June 2017 and gave the briefing, Xu maintained contact and solicited more information on GE Aviation work.  He had invited the employee for a second visit to China, and in preparation for that the employee had transmitted more propriety GE Aviation data to China.

However, the FBI was apparently brought in to the case early on.  Xu Yanjun set up a meeting with the engineer in Europe that would involve the hand-off of more sensitive information.  The FBI was aware, and when Xu flew to Belgium for the meeting, he was arrested on a US warrant with the assistance of Belgian authorities.  He was extradited to the United States in October and charges with the theft of trade secrets on 10 October 2018. 

This case represents the first time that the US has successfully extradited an accused Chinese spy to the United States.[1]  The extradition was reportedly the result of cooperation among FBI’s Cincinnati Division, the FBI Legal Attaché’s Office in Brussels, and Belgian law enforcement.[2]  The Justice Department also praised the cooperation of GE Aviation with the FBI, which officials stated had been going on for more than a year.[3]

China’s Foreign Ministry spokesman Lu Kang dismissed the allegations and called on the US to deal with the matter "fairly in accordance with law.”  Lu told reporters at a daily news briefing that "the US accusation is something made out of thin air."[4]

Xu is in a federal prison in Milan, Michigan.  He pleaded not guilty in federal court in Cincinnati on 12 October 2018.  He was denied bail in a subsequent hearing because he had “provided a background that is in contrast to the indictment.”  He is facing up to 25 years in prison if convicted.[5]

The Charges

The indictment providing details of the federal charges against Xu Yanjun was made public at the time he was charged.  In this 16-page document, the defendant was identified as “YANJUN XU, aka Xu Yanjun, aka Qu Hui, aka Zhang Hui (‘XU’),” a citizen of the People's Republic of China.  Although the indictment did not show how the FBI knew this, Xu was identified as “a Deputy Division Director, Sixth Bureau of Jiangsu Province, Ministry of State Security (MSS).” 

The indictment stated that Xu’s duties as an MSS agent were the collection of technical information and trade secrets from aviation and aerospace companies in the United States and Europe.  In doing this, Xu used the aliases listed above and a cover identity as representative of a professional organization called the Jiangsu Science and Technology Promotion Association, or JAST.

In his work, Xu was also identified as interacting with the Nanjing University of Aeronautics and Astronautics (NUAA), and particularly with “Unindicted co-conspirator CF," a Deputy Director at NUAA.

The indictment charged that Xu Yanjun had been working since 2013 with co-conspirator CF “to steal and without authorization obtain a trade secret, knowing that the offense will benefit a foreign government, in violation of Title 18, United States Code, Section 1831.”  The text referred to attempts to target other aviation firms but only gave details on the work done against the GE Aviation employee.[6]

The Indictment as Espionage Model

This document is instructive in and of itself in that the details from the investigation read something like an espionage instruction manual, showing how to identify, co-opt, and manage information gathering from a foreign target.  The details contained in the indictment were obviously included to make a compelling case about the crimes committed for the prosecution of the defendant.  They documented the planning by the MSS agents involved, cover identities used, the means of contacting the target, his invitation and visit to China, and continuing contact including plans to get the target to turn over more and more information.  As such, they also make an excellent illustration of contemporary Chinese espionage methods, particularly those used to gather high-tech data for use by China.

The following narrative, taken from the indictment, provides details of Xu Yanjun’s operation to target the GE Aviation employee and use him to obtain sensitive technical information on GE Aviation engine manufacturing.  The indictment text given below is largely a full-length quote but has been lightly edited for clarity.  The “unindicted co-conspirator CF” cooperating with Xu is referred to below as “the NUAA representative.”  In the indictment, the target company was called “Victim Company A” but appears below as “GE Aviation” since it was identified from other sources.  The unnamed GE Aviation employee is called “Employee 1” in the indictment but just “Employee” below.  The text has also been broken into sections with headers for clarity.  The following, then, is all language from the indictment.

Methods and Means

  • Defendant XU and others, including other MSS officers and the NUAA representative:
  •  Worked together to identify certain aviation technology that was desired by the Chinese government and associated aviation entities and universities.
  •  Actively selected and targeted companies that are leaders in the field of aviation technology in the United States and around the world.
  •  Identified engineers and experts (co-optees) who were employed by non-Chinese aviation companies and who possessed technical expertise in the desired aviation fields.
  •  Concealed their true identities and nature of employment, used aliases and purported to be associated with various Chinese universities, organizations and associations.
  •  Communicated with these co-optees and with each other through various messaging applications, often using their aliases and other types of false identifying information while doing so.
  • Solicited, recruited, and paid such experts to provide technical information regarding aviation technology, including trade secret information.
  • Targeted and recruited co-optees at times to travel to China under the false belief that the expert was traveling merely for “an exchange" of ideas and/or to give a presentation at a university, such as NUAA. In reality, the presentations were for the benefit of the Chinese government.
  • Paid the co-optees stipends and would arrange travel for and pay expenses associated with the travel to ChinAnalyzed the stolen technological information with experts and determined what additional technology was needed.
  • Provided such stolen trade secret information to the Chinese government, as well as to associated academic and commercial aviation entities, to the detriment of the owner of the trade secrets.

Invitation to China

Beginning in March 2017, the NUAA representative began corresponding via email with an individual ["Employee''] employed by GE Aviation.  The NUAA representative solicited Employee to come to NUAA in China for an “exchange" based on Employee's engineering experience at GE Aviation.  NUAA, through the NUAA representative, offered to pay for Employee's travel expenses.

On 10 May 2017, the NUAA representative emailed Employee that the “Institute of Energy and Power” had proposed that Employee give a report on GE Aviation's signature material design and manufacturing technology.  The NUAA representative wanted Employee to focus on highly-technical topics, including the latest developments in the application of GE Aviation's signature material used in aero-engines, as well as engine structure design analysis technology and manufacturing technology development.

On 15 May 2017, in preparation for the trip to China to present at NUAA, a message was sent to Employee from one of XU’s email accounts, but the email was signed using the name of the NUAA representative.

Visit to China

On 2 June 2017, at the invitation and direction of XU and the NUAA representative, Employee gave a presentation at NUAA in China which included details regarding engines that were designed and produced by GE Aviation.  XU had meals with Employee both before and after the NUAA presentation.  XU and others caused Employee to be paid S3,500 in US currency for the presentation and as reimbursement for expenses incurred during Employee's visit to Nanjing (e.g., meals and hotel expenses).

While Employee was in China, the NUAA representative introduced Employee to XU.  During this meeting, XU introduced himself using his alias, Qu Hui, and claimed to be from JAST in China.  XU gave a business card to Employee that contained his alias, "Qu Hui,'' and contact information associated with JAST.

Follow-Up Communication

After the trip to China, XU continued to communicate with Employee.  In fact, XU invited Employee to return to NUAA the following year.  On 21 November 2017, the NUAA representative expressed an interest in having Employee travel again to China to exchange ideas and instruct again at NUAA.  The NUAA representative informed Employee that he had spoken with Qu Hui (XU) from JAST and that Qu Hui would be able to help with travel expenses and handle the details of the "exchange."

On or about 8 January 2018, XU wrote to Employee, "I will touch base with the scientific research department here [at JAST] to see what technology is desired and I will let you know what to prepare.  For your end, please prepare the plane ticket and date as soon as possible."

New Information Requirements

On or about 23 January 2018, XU wrote to Employee, "Okay. Try your best to collect and we can talk by then. Domestically, they are more focused on the system code."  XU later elaborated that the information he wanted pertained to “system specification and design process, which is the application of research data to engine production.  XU provided an email address for Employee to use to send the requested information.  When Employee informed XU that the email may be blocked if Employee used the company computer, XU responded, "It might be inappropriate to send directly from the company, right?"

Transmission One

On or about 3 February 2018, XU caused Employee to send an excerpt of a presentation from GE Aviation pertaining to "containment analysis" for a fan blade encasement. The document contained a label warning that the presentation contained proprietary information from GE Aviation.  XU then wrote to Employee and acknowledged receiving the document from GE Aviation pertaining to the "containment analysis."

Invitation and New Requirements

XU stated that he wanted Employee to spend time talking with the experts in China for a "more precise connection" and proposed a meeting date.  In the same message, XU sent Employee a list of technical topics pertaining to composite materials in the manufacture of fan blades and fan blade encasements that XU's organization was interested in, after being sent information that contained GE Aviation's proprietary warning label. Specifically, XU wrote, the “attached file is some domestic requirements that I know of.  Can you take a look and let me know if you are familiar with those?"  The attached list stated the following:

  • Regarding the current development situation and future development direction of foreign countries’ structural material for fan motor blades made from composite materials: (a question followed).
  • Regarding the design criteria for the foreign countries’ composite material rotor fan blade, stator fan blade, and fan casing: (a list of questions followed).

When Employee directly advised XU that some of the posed questions involved GE Aviation's commercial secrets, XU replied they would discuss it when they met in person.

On or about 5 February 2018, XU asked Employee to create and sort a directory of the files on Employee's computer relating to the files of GE Aviation.  XU asked Employee to send a copy of the file directory for Employee 's company-issued computer.  XU sent specific directions for how Employee should sort and save such a directory. 

Transmission Two

On or about 14 February 2018, XU caused Employee to send a computer file directory from Employee's company-issued computer to XU.  On 28 February 2018, XU spoke with Employee by telephone.  During the phone call, XU referred to the file directory that Employee sent at XU's request.  XU told Employee that "they" had looked at it and it was “pretty good stuff."

Planned Meeting in Europe

In February, XU also began discussing with Employee the possibility of meeting in Europe during one of Employee's business trips.  On 28 February 2018, XU asked if Employee would be able to bring the transmitted data with Employee when Employee traveled to Europe for a meeting.  XU further stated, "the computer you will bring along is the company computer, right?"  XU also asked if the material Employee intended to bring could be exported out of the computer.  When Employee informed XU that it could be exported onto a portable hard drive, XU replied. "Good, good, good."  XU asked, “So, if possible, we will look over the stuff.  Can we do that?" After Employee agreed to XU's request, XU stated, "Do you understand?  Carry the stuff along."

XU also told Employee that what Employee had sent so far was “good enough."  XU continued: "If we need something new later, we can talk about that in person when we meet.  We really don 't need to rush to do everything in one time, because, if we are going to do business together, this won't be the last time, right?"

On 4 March 2018, Employee informed XU that some of the documents identified on the company directory were generated from a specific software and, as a result, some documents could only be viewed and backed up when connected to GE Aviation's network.  In response, XU asked, "Does that mean I will not be able to view these documents after I bring them back?"  Employee replied that Employee did not know, because Employee had never tried to open the files while in China.

On 5 March 2018, XU sent Employee a message asking, “Regarding the document directory you sent last time, is it possible to dump it to a portable hard drive or USB drive from work computer in advance?"  On 10 March 2018, XU sent Employee a message stating, "Since there's still time, download more data and bring them back. Anything design related would work."

On or about 1 April 2018, XU traveled to Belgium to meet Employee for the purpose of discussing and receiving the sensitive information he had requested.

[At this point, when Xu Yanjun is arrested in Belgium, the narrative ends.]

CONCLUSION

The basic elements of economic espionage tradecraft, as practiced by the Chinese, all appear in the indictment text.  They could be summarized as follows:

  • Identify requirements for the types of foreign technology to acquire.
  • Identify a specific corporation within the industry that works on the technologies needed.
  • Identify an individual target within that corporation with knowledge and access who may be convinced to cooperate.
  • Make contact from an innocent Chinese entity such as a university, and express interest in the target’s work from an academic standpoint.
  • Invite the target to travel to China to talk about his and his company’s work.
  • Host him, be social with him, and pay him.
  • Introduce him to his case officer who is using a cover identity (in this case, Xu Yanjun).
  • Follow up by expressing interest in more details, and hold out the possibility of another visit.
  • Talk the target into finding more information, and instruct him on the means of packaging it and transmitting it.
  • Continue to expand the list of requirements, digging deeper into the company’s technologies.
  • Invite the target to a meeting in a third country that would include the physical hand-off of more technical data.
  • Execute that follow-up meeting (although in this case that meeting ended with an arrest of the case officer).

The weakness of this approach in the GE Aviation case appears to be that the target began cooperating with the FBI at an early stage, so that Xu Yanjun was trapped when he left his country to make that last meeting.  Nevertheless, this kind of approach likely works often enough that China will continue to target and acquire foreign technology data by this same means.  US corporations can protect themselves in part by understanding the ways in which Chinese agents may approach employees and then work to gradually extract corporate secrets from the targets while maintaining the façade of academic interest.

IR_18_305_ CN Economic Espionage Tradecraft 181031_FINAL.pdf

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Prepared:      Silkworm
Reviewed:     B. Schenkelberg
Approved:     J. McKee

[1] www.telegraph.co.uk/news/2018/10/11/china-says-us-fabricated-spy-case-thin-air.

[2] www.scmp.com/news/china/politics/article/2169447/us-court-keeping-accused-chinese-spy-

   jailed-false-alias-raises.

[3] www.scmp.com/news/china/politics/article/2167973/chinese-spy-charged-stealing-us-

   aviation-secrets-and-extradited.

[4] www.cbc.ca/news/world/china-response-spy-allegation-ohio-1.4858915.

[5] www.scmp.com/news/china/politics/article/2169447/us-court-keeping-accused-chinese-spy-

   jailed-false-alias-raises.

[6] www.justice.gov/opa/pr/chinese-intelligence-officer-charged-economic-espionage-involving-

   theft-trade-secrets-leading.

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance