NASA Inspector General Exposes Sophisticated Spear‑Phishing Operation Against Aerospace and Defense Research

CyberSecureFox

The NASA Office of Inspector General (OIG) has disclosed details of a sophisticated spear‑phishing and cyber‑espionage campaign in which a Chinese national allegedly posed for years as U.S. researchers to obtain sensitive aerospace and defense software. By exploiting trust in the scientific community, the attacker persuaded engineers and academics to share controlled modeling tools and source code, potentially violating U.S. export‑control laws.

How the NASA spear‑phishing campaign targeted aerospace and defense software

According to NASA OIG and the U.S. Department of Justice, many NASA personnel and external partners believed they were collaborating with legitimate American colleagues when they shared specialized software. In reality, they were sending aerospace modeling tools and source code to a Chinese citizen impersonating U.S. scientists and engineers.

In September 2024, the Department of Justice announced charges against Song Wu, a 40‑year‑old Chinese national. Prosecutors allege that from January 2017 to December 2021 he orchestrated a long‑running operation that targeted dozens of professors, researchers, and engineers across the United States.

The victim pool reportedly included personnel from NASA, the U.S. Air Force, Navy, Army, the Federal Aviation Administration (FAA), major research universities, and private high‑tech companies. The primary objective was to obtain advanced modeling software used for aerospace design and for calculating the performance characteristics of weapons systems.

Charging documents state that Wu worked as an engineer at Aviation Industry Corporation of China (AVIC), a large state‑owned aerospace and defense conglomerate. He and alleged co‑conspirators are accused of profiling targets by reviewing published papers, professional biographies, and conference activity, then crafting highly tailored emails that mimicked the language, topics, and communication patterns of genuine peers.

This approach exemplifies spear‑phishing—a targeted form of phishing in which messages are customized to specific individuals or organizations, as opposed to generic mass spam. Because the emails referenced real research, conferences, and colleagues, and appeared to come from familiar names, the likelihood of successful social engineering was significantly increased.

Export‑control implications and criminal charges in the NASA phishing case

NASA OIG notes that the scheme succeeded in multiple instances: some scientists and engineers did in fact transfer confidential software and source code to attacker‑controlled accounts. Many of them reportedly did not realize that, by sending such tools abroad—or to a foreign person, even electronically—they may have been triggering U.S. export‑control obligations under frameworks such as the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

Wu is charged with one count of wire fraud and 14 counts of aggravated identity theft, involving the alleged impersonation of U.S. engineers and researchers. Wire fraud carries a maximum penalty of up to 20 years’ imprisonment per count. Aggravated identity theft mandates an additional two‑year sentence for each count, to be served consecutively. U.S. authorities state that Wu remains at large and has been placed on the FBI’s wanted list.

The FBI assesses that the stolen aerospace modeling software could have both civilian and military applications, including use in the design of high‑precision tactical missiles and aerodynamics simulations for advanced weapons. This aligns with broader intelligence reporting that nation‑state actors prioritize dual‑use technologies that can enhance both commercial and defense capabilities.

Key cybersecurity lessons for research, aerospace, and defense organizations

Recognizing red flags of export‑control and phishing fraud

Even highly customized spear‑phishing campaigns typically leave detectable traces. In this case, several warning signs could have indicated fraudulent activity. Repeated requests for the same software from different email addresses, or from someone claiming to be the same individual without a credible explanation, should trigger scrutiny and internal review.

Another indicator is the use of unusual or opaque payment and procurement methods, such as sudden changes in the paying institution, reliance on intermediaries with no clear connection to the project, or pressure to bypass standard contracting and compliance checks.

Equally concerning are non‑standard data transfer channels. Requests to send software, activation keys, or source code outside official repositories—such as to personal email accounts, consumer cloud storage, or atypical collaboration platforms—are classic hallmarks of both phishing and export‑control evasion.

These red flags align with broader industry findings. Multiple editions of the Verizon Data Breach Investigations Report have shown that the human element—including phishing and social engineering—contributes to the majority of breaches, and nation‑state campaigns against universities and defense contractors frequently begin with tailored phishing emails.

Practical defenses for scientists, engineers, and research institutions

The NASA case illustrates that technical expertise does not automatically translate into security awareness. To reduce exposure, organizations handling sensitive research and defense‑related data should first formalize software and source‑code transfer processes. Every transfer of controlled tools should go through approved channels, with documented recipients, use cases, and sign‑off from export‑control and information‑security officers.

Second, teams should verify the requester’s identity through independent channels. Do not rely solely on an email address or a signature block. Verification via official institutional contact directories, direct phone or video calls, and established partner registries significantly lowers the risk of impersonation and account takeover.

Third, security awareness training for researchers must be continuous and context‑specific. Scientists and engineers should understand how spear‑phishing works, which software and data fall under export‑control regimes, and how to escalate suspicious requests. Realistic simulations and tabletop exercises help bridge the gap between policy and daily practice.

Fourth, organizations should enforce least‑privilege access to specialized tools, combined with multi‑factor authentication and robust logging. Limiting who can access modeling software, and closely auditing download and sharing activity, reduces the blast radius if an individual account is compromised.

Finally, export‑control checks should be embedded into IT workflows. Data loss prevention (DLP) solutions, automated screening of external recipients against sanctions and watch lists, and approval gates for sharing sensitive tools externally can prevent inadvertent exports to prohibited or high‑risk entities.
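As an added illustration (not code from NASA OIG, the DOJ, or CyberSecureFox), the following screens a constructed log of software-transfer requests for the red flags described in the section above (the same claimed identity appearing from several addresses, delivery to personal or consumer channels) and the partner-registry check that an approval gate would apply; the partner domains, consumer-mail domains, names and addresses are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical registries an export-control approval gate would consult.
APPROVED_PARTNER_DOMAINS = {"nasa.gov", "af.mil", "example-university.edu"}
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "163.com", "qq.com"}


@dataclass
class TransferRequest:
    claimed_name: str      # who the sender says they are
    sender_address: str    # address the request arrived from
    software: str          # controlled tool being requested
    delivery_target: str   # address the requester asked the files be sent to


def request_red_flags(requests):
    """Return {request index: [reasons]} for every request that should be held
    for export-control and identity review; an empty dict means none was flagged."""
    # Collect every sender address seen for each claimed identity across the log.
    addresses_by_name = defaultdict(set)
    for r in requests:
        addresses_by_name[r.claimed_name].add(r.sender_address.lower())
    findings = {}
    for i, r in enumerate(requests):
        reasons = []
        sender_domain = r.sender_address.split("@")[-1].lower()
        target_domain = r.delivery_target.split("@")[-1].lower()
        if len(addresses_by_name[r.claimed_name]) > 1:
            reasons.append("same claimed identity used from multiple addresses")
        if sender_domain not in APPROVED_PARTNER_DOMAINS:
            reasons.append("sender domain not in partner registry; verify out of band")
        if target_domain in CONSUMER_MAIL_DOMAINS or target_domain not in APPROVED_PARTNER_DOMAINS:
            reasons.append("delivery outside official channel")
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample log: the second entry reuses a real colleague's name from a
# consumer mailbox and asks for the same tool to be sent to that mailbox.
SAMPLE_LOG = [
    TransferRequest("Dr. Jane Doe", "jane.doe@example-university.edu", "aero-model-v3", "jane.doe@example-university.edu"),
    TransferRequest("Dr. Jane Doe", "jane.doe.research@gmail.com", "aero-model-v3", "jane.doe.research@gmail.com"),
    TransferRequest("Prof. Alan Smith", "asmith@example-university.edu", "cfd-toolkit", "asmith@example-university.edu"),
]

if __name__ == "__main__":
    for idx, reasons in request_red_flags(SAMPLE_LOG).items():
        r = SAMPLE_LOG[idx]
        print(f"HOLD request #{idx} ({r.claimed_name} <{r.sender_address}>, {r.software}): {'; '.join(reasons)}")
```

Both requests in the first colleague's name are held, which matches the guidance that a second request from a different address should prompt out-of-band verification before anything is sent.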

The story of the alleged spear‑phishing campaign led by Song Wu underscores that cyber‑espionage against scientists, engineers, and research institutions is systematic and ongoing. Organizations developing cutting‑edge technologies should treat every external request for modeling software, source code, or test data as a potential risk scenario. Strengthening people, processes, and governance around collaboration is as important as securing networks and endpoints, and remains one of the most effective ways to deny attackers the easy victories they seek.
