Chinese Hackers Breach US Aerospace Supplier via Default Credentials
In an interview with The Register, John Dwyer, Director of Security Research at Binary Defense, disclosed details of a cyberattack on a major manufacturer of components for the aerospace industry and other critical sectors. Hackers, allegedly linked to the Chinese government, gained access to the U.S. company’s network by exploiting default administrator credentials on an IBM AIX server.
The incident began in March when attackers compromised one of the victim’s three unmanaged AIX servers. For four months, they remained undetected within the manufacturer’s IT infrastructure, mapping the network in search of additional targets. This case serves as a cautionary tale for organizations harboring forgotten or unmanaged devices within their networks. While most of the infrastructure may be protected by modern threat detection systems, outdated services become ideal entry points for adversaries.
Although Dwyer did not name the company, he revealed that it produces components for both governmental and private aerospace organizations, as well as the oil and gas sector. The attack is attributed to an unnamed group from the People’s Republic of China, whose apparent goal was industrial espionage and the theft of blueprints.
It is worth noting that earlier this year, U.S. federal authorities issued multiple warnings regarding Chinese hacker groups, including APT40 and Volt Typhoon. The latter has been accused of infiltrating American networks in preparation for destructive cyberattacks.
After detecting the presence of Chinese agents in their network in August, the manufacturer notified local and federal law enforcement. The company also collaborated with government cybersecurity experts to trace the attack’s origin and devise mitigation strategies. Binary Defense was brought in to investigate the breach.
Before the hackers were discovered and expelled from the network, they managed to upload a web shell and establish persistent access. As a result, they gained full remote control over the IT infrastructure, creating ideal conditions for intellectual property theft and supply chain manipulation.
John Dwyer highlighted the severity of the situation: “If a compromised component enters the supply chain and is used in manufacturing equipment or vehicles, the end consumer will face the consequences when that component fails or malfunctions.” He further noted that hostile nations are acutely aware of this vulnerability, and attacks are increasingly shifting left along the supply chain, meaning interference occurs at progressively earlier stages of the manufacturing process, affecting more victims and embedding deeper into systems.
According to Binary Defense, the victim’s three AIX development environment servers were connected to the internet without any protection. At least one of the servers ran an Apache Axis admin portal with default credentials. The server was incompatible with the organization’s security monitoring tools, partially explaining why it took network security specialists several months to detect malicious activity on the company’s systems.
Once the server was compromised, the attackers installed the AxisInvoker web shell, allowing them to remotely control the device, collect Kerberos data, and add SSH keys for secure external access. They then gathered extensive information about the network configuration, as well as data accessible through LDAP and shared SMB resources.
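The SSH keys the intruders added to the AIX host are the kind of change a routine inventory check would have surfaced. The following Python script is an added example, not code from the article or from Binary Defense: it parses an `authorized_keys` file in OpenSSH's format (optional options prefix, key type, base64 blob, comment), computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and flags any key whose fingerprint is not in an approved inventory. The host name, the inventory contents and the sample key material are all constructed for the example.

```python
"""Audit an authorized_keys file against an inventory of approved key fingerprints.

Added example (not from the article). Sample keys and the inventory are constructed.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys; the regex below looks for one of these.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
)
_KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) + r")\s+(\S+)(?:\s+(.*))?$"
)


@dataclass
class KeyEntry:
    key_type: str
    blob: str      # base64 public key data
    comment: str   # trailing free-text comment, often user@host
    options: str   # leading options such as from="..." or command="..." (may be empty)


def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in OpenSSH's notation: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            continue  # unparseable line; a stricter audit would report it
        options = line[: m.start()].strip()
        entries.append(KeyEntry(m.group(1), m.group(2), (m.group(3) or "").strip(), options))
    return entries


def audit(text: str, approved_fingerprints: set[str], host: str) -> list[dict]:
    """Return one finding per key that is not in the approved inventory."""
    findings = []
    for entry in parse_authorized_keys(text):
        fp = fingerprint(entry.blob)
        if fp not in approved_fingerprints:
            findings.append({
                "host": host,
                "fingerprint": fp,
                "key_type": entry.key_type,
                "comment": entry.comment,
                "options": entry.options,
                "reason": "key not in approved inventory",
            })
    return findings


def _constructed_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ed25519 public key blob for the demo (not a real key pair).

    Wire format: uint32 length + "ssh-ed25519", uint32 length (32) + 32-byte point.
    """
    point = hashlib.sha256(seed).digest()
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + point
    return base64.b64encode(wire).decode()


# Constructed sample: one key that is in the inventory, one that is not.
APPROVED_BLOB = _constructed_ed25519_blob(b"ops-admin-2024")
UNKNOWN_BLOB = _constructed_ed25519_blob(b"not-in-inventory")
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by ops\n"
    f'from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {APPROVED_BLOB} ops-admin@bastion\n'
    f"ssh-ed25519 {UNKNOWN_BLOB} deploy@unknown-host\n"
)
APPROVED_INVENTORY = {fingerprint(APPROVED_BLOB)}


def run_sample() -> list[dict]:
    """Audit the constructed sample file for a hypothetical host 'aix-dev-01'."""
    return audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_INVENTORY, host="aix-dev-01")


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding['host']}] {finding['reason']}: {finding['fingerprint']} ({finding['comment']})")
```

In practice the inventory would be the set of fingerprints recorded when keys were provisioned, and the script would be run (or its output diffed) from a host that is itself monitored, since an unmanaged server that cannot ship logs is exactly the place where an added key goes unnoticed.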
Further malware, including Cobalt Strike, web shells, and a fast reverse proxy (FRP) for tunneling into the attackers’ infrastructure, was deployed. Interestingly, the hackers seemed unfamiliar with AIX, as they attempted to execute Linux-standard programs.
The attackers then shifted their focus to the firm’s Microsoft Windows environment. They conducted NTLM relay attacks to enumerate available Windows users and impersonate an administrative account.
The attackers attempted to dump the LSASS process memory on a Windows server—a common technique for harvesting credentials from the system. This attempt was detected and blocked, after which the hackers were expelled from the network, seemingly before they could access anything further.
According to Dwyer, shortly after the attackers were removed from the environment, a second attack attributed to the same group occurred. Within 24 hours, someone attempted to breach the system using a brute-force attack against credentials. Binary Defense plans to publish a report on the cyber intrusion and the lessons learned in the near future.