NASA Employees Duped: Chinese Engineer Stole Defense Software Via 5-Year Phishing

AVIC engineer Song Wu impersonated U.S. researchers to harvest NASA aerospace modeling software. Faces 300+ years if convicted. NASA OIG exposes China’s IP theft pipeline.

WASHINGTON, D.C. — In a staggering breach of national security, NASA’s Office of Inspector General (OIG) has detailed how a Chinese national successfully weaponized spear-phishing to siphon export-controlled aerospace software from the heart of the U.S. defense establishment. For five years, Song Wu, an engineer at the state-owned Aviation Industry Corporation of China (AVIC), allegedly tricked NASA employees and military personnel into handing over source code that directly fuels China’s military aircraft production.

The campaign, which ran from 2017 to 2021, didn't just target NASA. It spanned the Air Force, Navy, Army, FAA, and several major research universities. The result was a direct pipeline of American intellectual property flowing into the development of China’s J-20 stealth fighters and Z-20 helicopters.


The Method: A 5-Year Masterclass in Social Engineering

Song Wu’s Tactics, Techniques, and Procedures (TTPs) were deceptively simple but devastatingly effective. According to the NASA OIG, his spear-phishing got past defenses by building high levels of trust with his targets.

  1. Target Research: Wu used LinkedIn and academic journals to identify U.S. researchers and engineers working on high-fidelity aerospace modeling.
  2. Impersonation: He created Gmail accounts that mimicked the names and institutional affiliations of genuine U.S. colleagues.
  3. The Ask: He sent repeated requests for copies of proprietary software, often referencing mutual projects or connections to lower the victim’s guard.
  4. The Extraction: NASA and military employees, believing they were assisting a peer, emailed source code that was strictly controlled under ITAR (International Traffic in Arms Regulations).

Chinese State-Owned Enterprise (AVIC): The Architecture of Theft

Song Wu is not an independent actor; he is an employee of AVIC, a Chinese state-owned enterprise (SOE) that consolidates the country's military aircraft production. AVIC’s role in nation-state cyber operations is well-documented, with a clear strategy of using stolen IP to reverse-engineer U.S. technology for missile and warhead design.

Spear-Phishing TTPs (NASA OIG Analysis)

Song Wu’s campaign was a masterclass in spear-phishing social engineering. Rather than using automated "spray and pray" tactics, Wu focused on high-touch research and long-term trust building to bypass standard cybersecurity defenses.

NASA OIG: Spear-Phishing "Red Flags"

| Indicator | TTP Detail |
| --- | --- |
| Sender Domain | Gmail accounts used to mimic official institutional emails. |
| Request Pattern | Multiple identical software requests sent to peers simultaneously without project justification. |
| Network Latency | Non-U.S. IP patterns detected in email headers (Geo-fencing failure). |
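
The first two red flags above can be checked mechanically at a mail gateway or during triage. The following is an added example, not code from NASA OIG or the original article: the collaborator directory, domain names, threshold and sample messages are all constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: a directory of known collaborators and
# their institutional domains, and a free-mail list (the page names Gmail).
COLLABORATORS = {"dana reyes": "aero-lab.example"}
FREE_MAIL = {"gmail.com"}
REPEAT_THRESHOLD = 3  # distinct recipients receiving the same request

def _norm(text):
    return " ".join(text.lower().split())

def sender_flag(msg):
    """True when a known collaborator's name arrives from a free-mail domain."""
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    expected = COLLABORATORS.get(_norm(display))
    return bool(expected) and domain != expected and domain in FREE_MAIL

def triage(raw_messages):
    """Return {sender address: sorted list of red flags raised}."""
    flags = defaultdict(set)
    recipients = defaultdict(set)  # (sender, subject) -> recipient addresses
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"] or "")[1].lower()
        if sender_flag(msg):
            flags[sender].add("known-name-on-freemail")
        key = (sender, _norm(msg["Subject"] or ""))
        recipients[key].add(parseaddr(msg["To"] or "")[1].lower())
    for (sender, _subject), rcpts in recipients.items():
        if len(rcpts) >= REPEAT_THRESHOLD:
            flags[sender].add("identical-request-to-many")
    return {s: sorted(f) for s, f in flags.items()}

def _mk(frm, to, subj):
    return f"From: {frm}\nTo: {to}\nSubject: {subj}\n\nbody\n"

# Constructed sample messages (not taken from the case).
SAMPLES = [
    _mk('"Dana Reyes" <dana.reyes.aero@gmail.com>', f"eng{i}@agency.example",
        "Request for copy of modeling code") for i in range(3)
] + [_mk('"Dana Reyes" <dreyes@aero-lab.example>', "eng0@agency.example",
         "Meeting notes")]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The genuine institutional sender in the sample raises no flag; only the look-alike Gmail address is reported, with both indicators.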

The What & The Who

  • Target Research: Targets were selected based on LinkedIn profiles and recent academic publications to ensure the request felt "current."
  • Impersonation: Wu created Gmail accounts mimicking the names and institutional affiliations of genuine U.S. researchers.
  • Persistence: He utilized "repeated asks," often referencing mutual colleagues to create a false sense of legitimacy.

The Victim Landscape: 5 Federal Branches & 6 States

The scale of the "Song Wu campaign" underscores a systemic vulnerability in how the U.S. manages its supply chain of technical information.

Song Wu Campaign: Impacted Entities (2017–2021)

| Sector | Impacted Entities / Tech |
| --- | --- |
| Federal Agencies | NASA, Air Force, Navy, Army, FAA |
| Academic | Universities in GA, MI, MA, PA, IN, OH |
| Private Sector | Multiple unnamed aerospace contractors |
| Targeted Tech | Aerodynamic modeling for weapons/missile development |

Investigation Breakthrough

The trigger for the investigation was a suspicious Gmail account that attempted to impersonate a known NASA collaborator. This led the NASA OIG's Cyber Crimes Division (CCD) into a multi-year joint task force with the FBI. The resulting indictment, unsealed in the Northern District of Georgia, charges Wu with 14 counts of wire fraud and 14 counts of aggravated identity theft.


The CyberSignal Analysis: Strategic Signals

Signal 01 — The "Peer-to-Peer" Vulnerability

This incident exposes a cultural flaw in the scientific community: the instinct to collaborate often overrides the instinct for security. By targeting researchers instead of high-level executives, Wu bypassed traditional corporate defenses.

Signal 02 — The 5-Year Dwell Time

The fact that this campaign lasted half a decade across multiple military branches highlights a lack of centralized monitoring for export-controlled software requests. It proves that spear-phishing remains the most cost-effective tool for nation-state IP theft.

While Song Wu faces a theoretical sentence of over 300 years, he remains at large in China and is currently on the FBI's Most Wanted list. This reinforces a grim reality: for state-sponsored actors, there are few consequences beyond restricted travel as long as they remain within their borders.


Sources

| Type | Source |
| --- | --- |
| Official | NASA OIG: Investigating Song Wu |
| Technical | The Hacker News: 5-Year Campaign Unpacked |
| Indictment | FedScoop: DOJ Charges Chinese National |