Pierluigi Paganini September 17, 2024

US DoJ charged a Chinese national who used spear-phishing emails to obtain sensitive info from NASA, the U.S. Air Force, Navy, Army, and the FAA.

The U.S. DoJ charged a Chinese national, Song Wu (39), who used spear-phishing emails to target employees of NASA, the U.S. Air Force, Navy, Army, and the FAA.”

The man, who remails at large, used fake email accounts posing as US-based researchers and engineers to target government personnel to obtain software and source code created by the National Aeronautics and Space Administration (“NASA”), research universities, and private companies.

The man allegedly conducted a multi-year spear-phishing campaign aimed at gathering specialized software used in aerospace engineering and computational fluid dynamics.

Song Wu sent spear-phishing emails to employees at major research universities and aerospace companies across several U.S. states, posing as colleagues or associates. The messages were crafted to trick victims into providing source code or software related to aerospace research and engineering.

“According to U.S. Attorney Buchanan, the indictment, and other information presented in court: Song allegedly engaged in a multi-year “spear phishing” email campaign in which he created email accounts to impersonate U.S.-based researchers and engineers and then used those imposter accounts to obtain specialized restricted or proprietary software used for aerospace engineering and computational fluid dynamics.” reads the press release published by DoJ. “This specialized software could be used for industrial and military applications, such as development of advanced tactical missiles and aerodynamic design and assessment of weapons.”

While carrying out spear phishing attacks, Song was employed as an engineer at Aviation Industry Corporation of China (“AVIC”), a Chinese state-owned aerospace and defense conglomerate headquartered.  AVIC is one of the largest defense contractors in the world.

The Chinese national faces 14 counts of wire fraud and 14 counts of aggravated identity theft. Each wire fraud charge carries a maximum sentence of 20 years in prison, with an additional mandatory two-year consecutive sentence for aggravated identity theft if convicted.

“Efforts to obtain our nation’s valuable research software pose a grave threat to our national security,” said U.S. Attorney Ryan K. Buchanan. “However, this indictment demonstrates that borders are not barriers to prosecuting bad actors who threaten our national security.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NASA)