What happened
NASA’s Office of Inspector General has released details of a multi-year spear-phishing campaign in which a Chinese national posed as US researchers and engineers to obtain sensitive defense and aerospace software from NASA employees, government agencies, universities, and private companies in violation of US export control laws.
The individual identified in the campaign is Song Wu, an engineer at the Aviation Industry Corporation of China, a Chinese state-owned aerospace and defense conglomerate. Song and co-conspirators conducted extensive research on their targets and impersonated colleagues, friends, and fellow researchers to request proprietary software and source code. The scheme ran from January 2017 to December 2021. Victims who shared software with the impostor accounts did so believing they were corresponding with legitimate colleagues and did not realize they were violating export control laws.
The Department of Justice announced charges against Song in September 2024, indicting him on wire fraud and 14 counts of aggravated identity theft. He faces up to 20 years per wire fraud count and an additional consecutive two-year sentence for aggravated identity theft. Song, now 40, remains at large and has been added to the FBI’s Most Wanted list. The FBI has stated the targeted software has applications in industrial and military contexts including advanced tactical missile development and aerodynamic weapons assessment.
The OIG noted that Song’s scheme included detectable behavioral patterns: he made multiple requests for the same software without justification, and the broader category of export control phishing schemes often involves unusual payment methods, abrupt changes in payment terms, and unconventional file transfer methods designed to mask identity and evade shipping restrictions.
Who is affected
NASA employees and research collaborators are the confirmed primary victims, along with personnel at the Air Force, Navy, Army, and Federal Aviation Administration, as well as researchers at major universities and private sector firms. Any organization whose employees collaborate with external researchers on sensitive aerospace, defense, or dual-use software is relevant to this threat profile.
Why CISOs should care
The campaign succeeded not through technical exploitation but through trust. Victims shared proprietary software because they believed they were helping colleagues. That social dynamic, in which research communities are built on collaboration and information sharing, is exactly what makes this attack model effective and difficult to counter through standard security controls alone.
The OIG’s disclosure of detectable behavioral patterns is the most actionable part of this story. Repeated requests for the same software without explanation, unusual transfer methods, and payment irregularities are signals that export control training should teach employees to recognize and escalate. The five-year window of the campaign also illustrates how long this kind of low-volume, relationship-based espionage can run undetected.
3 practical actions
- Implement export control awareness training that includes spear-phishing recognition: Employees who handle proprietary aerospace, defense, or dual-use software need training specific to export control fraud, including the behavioral red flags the OIG identified: repeated software requests without justification, unconventional transfer methods, and unverifiable colleague identities.
- Establish verification protocols for external software sharing requests: Any request to share proprietary software or source code with an external party should require identity verification through a channel independent of the original request, particularly when the requestor is known only through email or online collaboration.
- Audit outbound transfers of sensitive software and source code: Review whether your organization has visibility into what software is being shared externally via email or file transfer, and whether current data loss prevention controls would flag or block transfers of export-controlled technical files to unverified recipients.
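The third action asks whether outbound transfers of sensitive software would be flagged. The following is an added example, not code from the OIG report or any product, showing how a review of share-request records could surface the red flags named above: repeated requests for the same software by one requester, requesters whose identity was never verified out-of-band, and transfer channels outside the approved set. The log format, field names, verified-contact list and sample records are all constructed for illustration.

```python
"""Added example: flag outbound software-share requests that match the
behavioural red flags described above. The log schema, the verified-contact
directory and the approved-channel list are assumptions, not a real schema."""
from collections import defaultdict
import csv
import io

# Constructed sample log of outbound share requests:
# date, requester address, software package, transfer channel. Not real data.
SAMPLE_LOG = """\
2021-03-02,j.doe@univ.example,AeroSolver,email
2021-03-09,j.doe@univ.example,AeroSolver,email
2021-03-16,j.doe@univ.example,AeroSolver,personal-ftp
2021-04-01,r.lee@partner.example,FlowMesh,sftp
2021-04-05,unknown@webmail.example,AeroSolver,email
"""

# Constructed directory of requesters whose identity was confirmed through a
# channel independent of the request (for example a call to a known number).
VERIFIED_CONTACTS = {"r.lee@partner.example"}

# Transfer channels the organisation has approved for technical files (assumption).
APPROVED_CHANNELS = {"sftp", "email"}

# More than this many requests by one requester for one package is flagged.
REPEAT_THRESHOLD = 2


def parse_log(text):
    """Parse the constructed CSV log into dicts; skip malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 4:
            continue
        date, requester, package, channel = (f.strip() for f in rec)
        rows.append({"date": date, "requester": requester.lower(),
                     "package": package, "channel": channel.lower()})
    return rows


def flag_requests(rows, verified=VERIFIED_CONTACTS,
                  approved=APPROVED_CHANNELS, repeat_threshold=REPEAT_THRESHOLD):
    """Return (date, requester, package, reasons) for every request that
    trips at least one red flag. Requests are processed in log order so the
    repeat counter reflects what was already seen at that point."""
    seen = defaultdict(int)
    findings = []
    for r in rows:
        key = (r["requester"], r["package"])
        seen[key] += 1
        reasons = []
        if seen[key] > repeat_threshold:
            reasons.append("repeated request for same software")
        if r["requester"] not in verified:
            reasons.append("requester identity not verified out-of-band")
        if r["channel"] not in approved:
            reasons.append("unapproved transfer channel")
        if reasons:
            findings.append((r["date"], r["requester"], r["package"], reasons))
    return findings


if __name__ == "__main__":
    for date, who, pkg, why in flag_requests(parse_log(SAMPLE_LOG)):
        print(f"{date} {who} -> {pkg}: {'; '.join(why)}")
```

In the constructed log only the verified requester using an approved channel passes cleanly; the third request for the same package, sent over an unapproved channel, accumulates all three flags. In practice the verified-contact set would come from the organisation's own verification records rather than a hard-coded list, and the threshold would be tuned to how often legitimate collaborators re-request updates.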
Also in the news today:
- Trigona Ransomware Attacks Use Custom Exfiltration Tool to Steal Data
- Over 10,000 Zimbra Servers Vulnerable to Ongoing XSS Attacks
- Firestarter Malware Survives Cisco Firewall Updates and Security Patches
- ADT Confirms Data Breach After ShinyHunters Leak Threat
- Threat Actor Uses Microsoft Teams to Deploy New Snow Malware Suite
- Pentagon Grapples With Securing AI as It Moves Toward Autonomous Warfare
- Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions
