
Airbus hit by series of cyber attacks on suppliers - keydutch
https://www.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers
======
roymurdock
Other comments here incorrectly pointing out that Boeing and Airbus don't
manufacture in China - they do. And why wouldn't they, it's obviously much
cheaper to manufacture there given material and labor costs. Obviously they
don't manufacture highly sensitive military aircraft in China, but commercial
aircraft, sure why not.

What they don't do is the design, testing, and certification in China. This is
the real IP - not the materials or the assembly techniques, but how to
navigate the regulatory landscape of the FAA and the EASA in extremely complex
hardware/software integrated systems. The article mentions certification
documents/evidence as a primary target.

The funny thing in all this is that passengers inherently trust the FAA and
EASA operated system and inherently do not trust a Chinese-owned,
manufactured, and regulated system for commercial aircraft. When really this
breach was all about the money - Chinese companies want to get in on Boeing
and Airbus' market.

I don't have a dog in this fight, but I will say that Boeing isn't doing
itself any favors with its cost-cutting efforts on the 737 MAX, and that if
it wants to keep consumers' trust in its planes over the perception of
"inferior" foreign competition, it needs to work much more closely with the
FAA to ensure safety is the primary motivating factor on new designs and does
not get overridden by fuel efficiency.

~~~
mc32
Russia has expertise building airliners. Wonder why manufacturers never took
to producing there for cheap labor? My guess is China leveraged their market
potential to entice cos to take some of their mfg to China.

~~~
kevin_thibedeau
Russian industry was taken over by the mafia. That is much less tenable than
the situation with China.

~~~
eternalban
[http://www.softpanorama.org/Skeptics/Pseudoscience/harvard_m...](http://www.softpanorama.org/Skeptics/Pseudoscience/harvard_mafia.shtml)

Somehow I sense you did not intend irony.

[mainstream version: [https://www.thenation.com/article/harvard-boys-do-russia/](https://www.thenation.com/article/harvard-boys-do-russia/)]

------
zelon88
> "Globally recognized standards, such as ISO 27001, 27701 and 9001, can
> definitely ensure a baseline of security, privacy and quality assurance amid
> suppliers. One should, however, bear in mind that they are no silver bullet
> and some additional monitoring of suppliers handling critical business data
> is a requisite."

This is misleading.

ISO standards dictate that a company should have certain processes in place.
Like quality assurance, customer satisfaction, continuous improvement, etc.
They do _not_ specify individual processes or procedures to the company. They
just lay out which structures should exist in an ISO compliant company. It is
up to the company to develop processes and procedures that fulfill those
structures.

The specific standards that _are_ a "silver bullet" (as the author puts it)
are NIST 800-171 "DFARS", ITAR, AS9100, NADCAP, and other smaller (yet equally
significant) manufacturer-specific specifications that get flowed down the
supply-chain on an as-needed basis.

So there is no ambiguity. If a supplier does business with a diverse enough
client base in aerospace they will almost certainly have overlapping systems
in place to protect against these things. Without pretty much all of the
specifications I listed above, a supplier would not be legally limited in what
they are allowed to possess and produce.

~~~
dmix
Do companies with ISO certifications ever get reviewed after-the-fact? Or do
you just have to check the right checkboxes during an initial review process?

~~~
zelon88
I'm pretty sure ISO 9001 companies are audited every 4 years at their own
expense.

Basically an auditor comes and quizzes you on your own processes. You must
show that you have processes which meet ISO criteria, and that you religiously
follow those processes.

Basically you have a lot of freedom to develop your business, just be sure you
adhere to whatever you put into writing.

~~~
thombat
Back in the day of Total Quality Management and ISO9002 the software company I
worked for decided to get itself certified. Problem was, nobody had a clue how
to quickly describe the business of creating software as a set of processes,
let alone apply them in measurable ways under the beady gaze of an auditor. So
with evil inspiration it was decreed that the software division had no
processes at all. The customers could rest assured that the Accounts and
Marketing departments were fully ISO9002 compliant - as for the actual product
they were buying? spun out of desperate sweat and divine revelations so far as
they could tell.

But this didn't entirely get the software division off the hook. We still had
to be able to show an auditor that we knew our processes were excluded. So
there was a special folder containing just one functional page besides the
meta-bumf to support it, and it read (in effect) "THE ACTIVITIES OF THE
SOFTWARE DEPT ARE EXCLUDED FROM ISO9002 PROCESSES". And we were all trained to
be able to produce it upon demand.

We passed the audit. Our letterhead paper gained the magical ISO9002 seal of
approval. The administrator who had championed the long and expensive business
sprung from its success to a much larger company. In her absence the process
documentation for the rest of the company quietly withered and when the
follow-up audit came due we quietly neglected to apply for it. The letterhead
paper was reprinted with a snazzier logo and no seal of approval. We got back
to work, quietly apprehending the next big thing.

~~~
zelon88
That is a great story!

I've seen companies pack trunks of cars with unclaimed scrap. Buy a 55'
trailer with cash, fill it with stuff, then claim it belongs to the neighbors.
Load material onto 30' racks and send the forklift operators home.

It's almost better that your company committed to ISO to kinda get organized
and then let it slide afterwards. I'd almost say it's worth it in a medium
sized company every 10 years just to stay accountable and organized.

------
chvid
How does one know that a particular attack is "state-sponsored" or originates
from a particular country? Exactly what does it mean to be "state-sponsored"?
And who provides this analysis?

~~~
mywittyname
You look at the target and analyze the methods used in the attack to make
that determination. For example, a zero-day exploit involving expensive
equipment screams state-sponsored. Criminal enterprises wouldn't waste their
money and resources analyzing and attacking Juicero machines in an embassy.

Also, the same tools and techniques get recycled, so you can use clues from
previous attacks to tie together a motive.

> Exactly what does it mean to be "state-sponsored"?

It means an attack was either performed by a foreign agency or by a group
getting paid to act on their behalf.

> And who provides this analysis?

Government agencies and private companies provide these types of analysis
services.

------
tempguy9999
A question I've always wondered, and relevant here. If this is inter-company
(and probably intra-company) communication, why don't these companies manually
exchange one-time pads and use them? It's surely not hard for a courier to
carry literally terabytes of OTP, and report if it was taken off them at any
point.

I was thinking of tape or HD, but now you can have the courier carry a terabyte
of OTP in a few USB sticks.

~~~
munificent
Let's say you do that:

1. Send giant HD of OTP bits to other office.

2. Everyone at that office needs to communicate, so you make those bits
accessible on the internal network so various machines can get to it.

3. Now a hacker that accesses the network can get to your OTP bits.

At that point, you're no better than using some other security mechanism.

~~~
tempguy9999
Oh FFS. I was expecting some silly answer involving couriers being intercepted
but this is just as bad.

> 3. Now a hacker that accesses the network can get to your OTP bits.

Which is on an internal network so is not exposed (unlike the contents of a
VPN which necessarily goes external) so can be more secure. While nothing's
unhackable it adds an extra layer to break through.

That the article says "It was very sophisticated and targeted the VPN which
connected the company to Airbus" shows the VPN was the weak link, and not the
internal networks. So harden the weakest link.

------
c3534l
The way I figure, if a sophisticated attack is so sophisticated that it can
only be state-sponsored, then it is sophisticated enough to appear to be
sponsored by another country.

~~~
pg_bot
Your problem here is ability and motive. What other countries are capable of
executing this attack and would want to steal this information? As far as I
know Comac is the only company that is attempting to build planes that rival
Boeing and Airbus for commercial flight so you have your motive. The Chinese
have a history of corporate espionage (lookup Huawei and Nortel) and given
that Comac is a state owned company you can clearly understand why they would
try to steal information.

If you're trying to frame someone, there has to be a plausible explanation for
why you would do it.

~~~
dirtyid
>Comac is the only company that is attempting to build planes that rival
Boeing and Airbus

Boeing also competes with Airbus, as in actively competes in real dollar terms
compared to Comac which is more or less aspirational. Given their current
situation they have as much incentive to hack Airbus, plus they've been
accused recently:

Airbus to sue NSA, German spies accused of swiping tech secrets

>European aerospace giant Airbus is promising legal action over claims its top
blueprints were stolen by German spies and given to America's intelligence
agencies.

[https://www.theregister.co.uk/2015/04/30/airbus_us_german_in...](https://www.theregister.co.uk/2015/04/30/airbus_us_german_intelligence/)

My view is that both Boeing and Comac are actively stealing from Airbus because
why wouldn't they?

~~~
mikhailfranco
Yes, US/NSA/Boeing must at least be under suspicion in these circumstances.

As the Comac C919 approaches certification and full production, airlines,
especially Chinese ones, will delay orders, to wait and see, or actively
prefer the C919 over the 737 series. Even if the C919 is delayed with the
usual teething troubles, many customers will decide to wait, or buy Airbus if
they have to.

At this point, Boeing is the weakest of the three competitors in the mid-size
market, and must be desperate to do anything to survive.

------
joaomacp
Out of curiosity: why is China not mentioned in the article's title, when the
first sentence states a "Chinese state-sponsored hacking operation"?

~~~
eganist
It took my vouch to un-dead your comment, useful because I couldn't reply to
it otherwise. I'm morbidly fascinated as to how the _top two comments on this
submission were marked_ dead _in the first place,_ but considering it took a
vouch to automatically bring it back to life, there's a hint of a Flag brigade
on this thread.

To answer your comment: because the title of the submission "Airbus Suppliers
Hit in State-Sponsored Attack" and the title of the article "Airbus Suppliers
Hit in State-Sponsored Attack" are identical, and that's totally fine.
Changing the title of the submission to include a detail from the article
actually editorializes the submission, which is not ideal for HN or the
audience here.

~~~
dang
Please don't post insinuations of astroturfing or similar manipulation ("Flag
brigade") without evidence. If you're concerned about abuse, please follow the
site guidelines and email hn@ycombinator.com so we can look into it.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
eganist
Hm, I didn't bucket flag-brigading into the astroturfing bucket (specifically
because they're quite different - one suppresses speech whereas the other
purports to be grassroots speech). Your point is well taken, but going forward
dang, there's value in adding the "or similar manipulation" qualifier to the
current iteration of guidelines:

> Please don't make insinuations about astroturfing. It degrades discussion
> and is usually mistaken. If you're worried, email us and we'll look at the
> data.

Hopefully this comment is viewed as both the acknowledgement as well as the
constructive feedback it's intended to be.

~~~
dang
For sure it's constructive. I'll see about expanding the wording.

Edit: ok, done.
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
KoftaBob
Interesting how Boeing and Airbus don't manufacture in China, and
coincidentally China hasn't been able to produce any viable competitor to
those products.

Goes to show that without easy access to product blueprints/IP at the
factories, China is very slow to actually innovate on their own. Hence why I
feel the "China will outpace everyone in tech and take over the world" is
super overblown.

Even their university culture practically encourages cheating in classes to
pass, so you have generations of students graduating with weak understanding
of the fundamentals. The US is obviously not a perfect meritocracy, but China
is super far from that.

An economic model where American/European/Japanese/Korean tech is stolen and
then friends of politicians are gifted CEO positions of companies that clone
that stolen tech...not sustainable at all. If you want a painful example of
what I'm talking about, watch the AI debate between Jack Ma and Elon Musk.
It's so clear that Ma has an absolutely minuscule understanding of the AI
landscape.

When robotic manufacturing eventually becomes cheaper and faster than
manufacturing in China, meaning they'll no longer have IP to steal, they are
in huge trouble.

~~~
jcoffland
Wow, these are some seriously racist comments.

~~~
KoftaBob
What does race have to do with any of this? I'm discussing their government's
economic and academic model. That's like saying criticism of America's
healthcare system is racist against whites, because that's their majority
ethnic group.

If anything, it says a lot about you that you associated everything I said
with their ethnicity rather than the government itself.

~~~
IfOnlyYouKnew
The term "racism" includes both race-based as well as ethnicity-based
stereotyping. See, for example, Wikipedia:

[https://en.wikipedia.org/wiki/Racism](https://en.wikipedia.org/wiki/Racism)

The idea of Chinese companies/universities/etc. being uncreative and over-
reliant on imitation and industrial espionage is quite obviously a somewhat
tired cliché. I'm certain it makes an appearance in almost every single front
page comment thread on the Chinese economy of the last five years or so.

There might even be a kernel of truth. But, as others have pointed out, the
same was said of Japan and Taiwan before. In such a situation, you should be
wary of repeating such stereotypes if you don't have first-hand experience,
which I doubt many of those regurgitating that trope have.

------
ga-vu
Original report: [https://www.france24.com/en/20190926-airbus-hit-by-series-of...](https://www.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers)

Link to the actual source, please. This is a rehash (abhorrent blog spam) of a
proper news report.

~~~
dang
Thanks! URL changed from [https://www.infosecurity-magazine.com/news/airbus-suppliers-...](https://www.infosecurity-magazine.com/news/airbus-suppliers-hit-in/).

------
cde-v
Seems like Boeing is getting pretty desperate to fix their MCAS issues.

------
ggm
Without wanting to dive into the politics cesspool, in general I'd favour
sharing IPR on RAND terms, rather than locking it up as special secret sauce.
I think if Comac is struggling to learn how to make safe aircraft, then
helping them is "build a better world" more than fighting them at the
firewall.

------
potatofarmer45
I used to complain so bitterly that the computers I had for AI research work,
despite being a flavor of Linux, had no access to any sort of networking,
making the installation of basic packages a pain.

It turns out the safest way, barring spies who willingly steal, is provide no
entry/exit points for data. For smaller organizations or small divisions
that's feasible, but super hard to maintain at larger divisions.

~~~
qaq
Having seen what a competent Red team can do, that is not much of a barrier if
the information is valuable enough.

------
rossdavidh
So, it used to be that saying anything remotely skeptical about Bitcoin was
the way to get downvoted on HN. Nowadays, it seems that saying anything
negative about China is how.

Although, in the field of aeronautics, it is not like China is the only "state
sponsor" to engage in espionage, or that this is anything new for any of the
major powers.

~~~
dang
It's not remotely close to true that negative comments about China are "the
way to get downvoted on HN". On the contrary, HN's demographic, while quite
international, is almost all Western, and for better or worse it follows
geopolitical trends and the leads set by government and media.

When we have to ask commenters not to take HN threads into nationalistic
flamewar, it's usually because of generic nationalistic rhetoric against
China. This happens often enough that we routinely get accused of being pro-
Chinese. We're not, of course. We're against nationalistic flamewar,
regardless of who is flaming or being flamed, because it's against HN's rules
and destructive of the spirit of this site.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
rossdavidh
I appreciate HN doing their best to keep discussion in a productive zone and
out of flamewar territory. I enjoy HN a lot, which is very different from most
sites that allow comments.

However, comparing my parent comment here to the average for most comments I
make, or comparing it to comments related to Russia, France, Germany, or any
other major nation-state, I have to say that the empirical evidence does not
support your statement. :)

But, again, I appreciate HN discussions and the efforts to keep it a
productive discussion.

------
stanski
I hear good things about this MCAS thing Boeing is doing. Maybe it's worth
copying.

~~~
JadeNB
Maybe you're being sarcastic, but this seems unrelated. The attacks are on
internal networks with an attempt to gain unauthorised access to technical
data; it seems to have nothing directly to do with attacks on the software
that directly flies the plane.

~~~
magduf
No, but perhaps it is coming from the same organization that thought MCAS was
a great idea. After all, such an organization obviously has severe
deficiencies with basic systems engineering; what other deficiencies might it
have?

~~~
qubex
That’s a cheap shot and a risible one at that. The hierarchy of decision-
makers who designed and implemented MCAS and the hierarchy of decision-makers
who handle the information security at Boeing is (as I’m sure you’re well
aware) so far removed and unrelated to each-other as to be essentially
distinct. Conway’s Law doesn’t really apply here.

~~~
wil421
Exactly. A rogue bunch of MCAS engineers hacking Airbus is not based on any
kind of reality.

------
raxxorrax
My first question would be if the Chinese hacker is American looking or if he
is named Boejing Wang or something like that.

Jokes aside there are a huge number of mobile devices with saved credentials
for exclusive business VPN access and a lot of businesses restrict access to
resources based on the source of requests, which can be the corporate network
of a supplier. This is often done to enable some forms of electronic data
interchange. Putting these services in another network would probably have
helped.

It would be my guess that the hacker gained access through a privileged
network with stolen VPN credentials. There would be countless ways to achieve
that.

Perhaps pickpockets should just sell the stolen phones to relevant companies.

~~~
taxidump
I am not following your borderline racist comment about a name. Why do you
assume stolen credentials? Low hanging fruit could be the entry point, but
advanced attacks are common with state actors so this is highly assumptive and
brings nothing to the discussion.

