Full Report
The Office of Inspector General (OIG) of the U.S. National Aeronautics and Space Administration (NASA) has revealed how a Chinese national posed as a U.S. researcher as part of a spear-phishing campaign to obtain sensitive information from the space agency, as well as from government entities, universities, and private companies, in violation of export control laws. "For years, NASA employees
Analysis Summary
# Incident Report: Chinese Spear-Phishing Campaign Targeting U.S. Aerospace Software
## Executive Summary
A Chinese national, Song Wu, orchestrated a multi-year spear-phishing campaign by impersonating U.S.-based researchers and colleagues to deceive NASA employees and defense contractors. The operation successfully obtained sensitive proprietary software and source code used for aerospace design and weapons development. The incident has resulted in federal indictments and has highlighted significant vulnerabilities in the informal sharing of export-controlled technology.
## Incident Details
- **Discovery Date:** September 2024 (Public announcement of charges)
- **Incident Date:** January 2017 – December 2021
- **Affected Organization:** NASA, U.S. Air Force, Navy, Army, FAA, various universities, and private sector firms.
- **Sector:** Government/Aerospace/Defense/Academia
- **Geography:** United States (Target), China (Origin)
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing January 2017
- **Vector:** Spear-phishing via email.
- **Details:** The attacker engaged in extensive reconnaissance to impersonate known colleagues and friends of the targets.
### Lateral Movement
- **Details:** The attacker did not utilize technical lateral movement (e.g., SMB/RDP) but rather practiced "social" lateral movement by leveraging the names of trusted researchers to request access from different departments and organizations.
### Data Exfiltration/Impact
- **Details:** Sensitive defense technology, modeling software for aerospace design, tactical missile development code, and proprietary source code were emailed directly to the attacker by victims.
### Detection & Response
- **How it was discovered:** Investigations by the NASA OIG, FBI, and Department of Justice.
- **Response actions taken:** Federal indictment of Song Wu in September 2024; inclusion of the suspect on the FBI's Most Wanted list.
## Attack Methodology
- **Initial Access:** Spear-phishing and Social Engineering.
- **Persistence:** Maintaining long-term correspondence under false identities (Business Email Compromise style).
- **Defense Evasion:** Use of impersonation and deceptive email accounts to mimic trusted U.S. domestic personas.
- **Discovery:** Open-source research on U.S. professors and engineers to identify those with access to desired software.
- **Collection:** Gathering sensitive software and proprietary source code via direct email attachments.
- **Exfiltration:** Standard outbound SMTP (email) transfer initiated by the victims themselves.
- **Impact:** Violation of U.S. export control laws and potential compromise of U.S. military aerodynamic advantages.
## Impact Assessment
- **Financial:** High potential loss related to R&D costs of stolen proprietary aerospace software.
- **Data Breach:** Compromise of sensitive defense software and export-controlled technical data.
- **Operational:** Potential erosion of technological superiority in missile and aerospace design.
- **Reputational:** Public exposure of gaps in NASA and DOD internal software sharing and export control compliance.
## Indicators of Compromise
- **Behavioral indicators:**
  - Multiple requests for the same software without adequate technical justification.
  - Requests for "informal" transfers of software bypassing official procurement channels.
  - Requests involving unusual payment methods or abrupt changes in communication tone.
## Response Actions
- **Containment:** Termination of communication with known fraudulent accounts.
- **Eradication:** Legal action and public outing of the perpetrator (Song Wu).
- **Recovery:** NASA OIG published guidance to employees on identifying export fraud schemes.
## Lessons Learned
- **Key takeaways:** Social engineering remains a highly effective vector for bypassing sophisticated technical defenses, especially when leveraging the "trust" culture of academic and research collaboration.
- **Process Gaps:** Employees failed to verify the identity of "colleagues" through secondary channels before transferring export-controlled data.
## Recommendations
- **Strict Verification:** Implement mandatory multi-factor verification (out-of-band contact) before sharing any proprietary or export-controlled software.
- **Export Control Training:** Conduct specialized training for researchers on "Deemed Exports" and the risks of sharing data with unverified domestic entities.
- **Email Security:** Implement advanced phishing protection that flags emails from external domains that closely mimic internal or known-partner display names.
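One way to implement the display-name check in the last recommendation, as an added example that is not part of the report or of any product it mentions. The personnel directory, names and domains are constructed placeholders; the check flags a message whose sender display name (or, when no display name is given, the local part of the address) matches a known person but whose sending domain is not that person's expected domain.

```python
import email.utils
import unicodedata

# Constructed directory of known personnel: display name -> expected domain.
# Names and domains are hypothetical placeholders, not from the report.
KNOWN_PERSONNEL = {
    "Jane Doe": "example-lab.gov",
    "Wei Zhang": "partner-univ.edu",
}


def normalize_name(name):
    """Fold case, strip diacritics and dots, and reorder 'Last, First'."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    name = name.replace(".", " ").strip()
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.lower().split())


def check_from_header(from_header):
    """Classify a From: header value.

    Returns 'impersonation' when the display name (or local part) matches a
    known person but the sending domain is not that person's expected domain,
    'ok' otherwise, and 'unparseable' when no address could be extracted.
    """
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # Fall back to the local part (jane.doe / jane_doe) when no display name.
    wanted = normalize_name(display or local.replace("_", " "))
    for known, expected_domain in KNOWN_PERSONNEL.items():
        if normalize_name(known) == wanted and domain != expected_domain:
            return "impersonation"
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers illustrating the cases the check covers.
    for hdr in ["Jane Doe <jane.doe@example-lab.gov>",
                '"Doe, Jane" <janedoe99@freemail.example>',
                "jane.doe@freemail.example",
                "Bob Smith <bob@freemail.example>"]:
        print(f"{check_from_header(hdr):15} {hdr}")
```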