Chinese national accused by Feds of spear-phishing for NASA, military source code

May have reeled in blueprints related to weapons development


A Chinese national has been accused of conducting a years-long spear-phishing campaign that aimed to steal source code from the US Army and NASA, plus other highly sensitive software used in aerospace engineering and military applications.

At least some of the spears hit their targets, and some of this restricted software made its way to China, according to a Department of Justice announcement and an indictment [PDF].

The accused, Song Wu, 39, remains at large and has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft.

The DoJ claims Song was employed as an engineer at Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate headquartered in Beijing. While in that role, Song allegedly started to send phishing emails around January 2017 and continued through December 2021.

The mails appeared to have been sent by targets' colleagues and associates, and sought highly specialized, restricted software used in aerospace engineering, computational fluid dynamics and other industrial and military applications – such as advanced missile and weapon development.

Song is alleged to have sent messages to people who worked for the US government – including NASA, the Air Force, Navy, and Army, and the Federal Aviation Administration. He also phished individuals employed by major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio, and by private sector companies that work in the aerospace field, we're told.

One email cited in the indictment – sent on April 28, 2020 from one such "imposter email account" to "Victim 2" – requested NASCART-GT, which appears to be used in NASA projects.

The email read: "Hi [Victim 2], I sent Stephen an email for a copy of NASCART-GT code, but got no response right now. He must be too busy. Will you help and sent (sic) it to me?"

Some of the scams worked, according to the DoJ.

While the indictment doesn't detail exactly what sensitive IP Song is alleged to have stolen, it does note that: "In some instances, the targeted victim, believing that defendant SONG … was a colleague, associate, or friend requesting the source code or software electronically transmitted the requested source code or software to defendant Song."

If snared and convicted, Song faces a maximum penalty of 20 years in prison for each count of wire fraud. He also faces a two-year prison penalty for each count of aggravated identity theft. ®
