A defense software theft phishing campaign orchestrated by Chinese national Song Wu, a 39-year-old engineer at Aviation Industry Corporation of China (AVIC), has been exposed by NASA investigators after nearly five years of targeting U.S. defense and aerospace institutions. The scheme, which ran from January 2017 through December 2021, reveals how state-linked actors systematically impersonated American researchers to trick victims into surrendering restricted software that forms the backbone of U.S. military and civilian aerospace development.
Key Takeaways
- Song Wu, an AVIC engineer, led a five-year phishing campaign targeting NASA, military branches, universities, and aerospace companies across the United States.
- The campaign used fake Gmail accounts impersonating U.S. researchers, professors, and colleagues to request specialized aerospace software.
- Victims unknowingly shared NASA-developed tools and restricted software designated for U.S. government use only, violating export control laws.
- The Department of Justice unsealed a 28-count indictment in September 2024, charging Wu with wire fraud and aggravated identity theft.
- Song Wu remains at large and faces up to 20 years in prison per wire fraud count, plus additional penalties for identity theft.
How the Defense Software Theft Phishing Campaign Operated
The defense software theft phishing operation was methodical and extensive. Wu and unknown co-conspirators created fake Gmail accounts impersonating U.S. researchers, professors, engineers, friends, and colleagues. They conducted extensive target research to identify victims working on sensitive aerospace projects at NASA, the U.S. Air Force, Navy, and Army, as well as the Federal Aviation Administration and major universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio. Private aerospace companies were also targeted. Victims received convincing emails requesting access to specialized software, and many complied, believing they were communicating with trusted colleagues.
According to NASA Office of Inspector General investigators, the scheme exploited trust within the aerospace research community. As the NASA OIG stated, for years NASA employees and research collaborators thought they were simply sharing software with colleagues when they were actually emailing sensitive defense technology to a Chinese national impersonating U.S. engineers. The campaign demonstrates how phishing remains devastatingly effective even against highly trained technical professionals who operate in secure environments.
Restricted Aerospace Software Targeted in the Campaign
The defense software theft phishing campaign specifically sought restricted and proprietary tools essential to U.S. aerospace and military development. Wu requested CBAero, a NASA-developed tool for predicting conceptual aero-thermodynamic environments of aerospace configurations, designated for U.S. release only. He also targeted the Direct Simulation Monte Carlo Analysis Code (DAC), used for simulation and analysis of low-density flow fields and restricted to U.S. government use. In total, at least eight applications were requested, covering computational fluid dynamics, aerospace modeling, and weapons development analysis.
The targeting of these specific tools reveals sophisticated knowledge of U.S. aerospace capabilities. Wu was not requesting generic software or outdated tools, but rather the latest NASA-developed systems that provide competitive advantages in aircraft design, missile development, and aerodynamic analysis. Victims unwittingly shared source code and software that violated U.S. export control laws, potentially transferring years of accumulated research and development directly to a state-owned Chinese aerospace and defense conglomerate.
NASA Investigation Uncovers Years of Systematic Espionage
The NASA Office of Inspector General’s Cyber Crimes Division initiated the investigation after receiving a report of a fake Gmail account posing as an aerospace professor. Once investigators began examining the phishing campaign, they discovered the scope was far larger than initially apparent. The five-year timeline from 2017 to 2021 indicates Wu operated with relative impunity for years before detection. As NASA OIG emphasized, this was not an isolated incident—the pattern of targets, methods, and requests suggests a sustained, organized effort.
The U.S. Department of Justice unsealed a 28-count indictment against Song Wu in September 2024, charging him with wire fraud and aggravated identity theft. Wire fraud carries sentences of up to 20 years per count, meaning Wu faces potential decades in federal prison if convicted. However, Song Wu remains at large, likely protected by the Chinese government, which raises questions about whether extradition or prosecution will ever occur.
Broader Context: Chinese State-Linked Technology Acquisition
The defense software theft phishing campaign fits into a documented pattern of Chinese state-linked actors targeting U.S. technology. In 2020, the Department of Justice indicted five Chinese nationals associated with APT41 (also known as Brass Typhoon, Wicked Panda, and Winnti) for hacking more than 100 companies across multiple sectors. A year later, in 2021, the DoJ indicted Jia Wei, a People’s Liberation Army officer, for hacking a U.S. communications firm. These cases demonstrate that Song Wu’s phishing campaign is one thread in a larger pattern of Chinese espionage targeting American innovation.
Unlike some of these other campaigns that relied on zero-day exploits or network penetration, the defense software theft phishing approach is lower-tech but highly effective. It requires no sophisticated hacking tools, no vulnerability discovery, and no network access—just convincing impersonation and social engineering. This makes it scalable and difficult to defend against, particularly when victims are accustomed to collaborating with international researchers and sharing research materials.
What Does This Mean for U.S. Aerospace Security?
The exposure of the defense software theft phishing campaign raises urgent questions about how U.S. institutions protect sensitive technology. NASA and military contractors now face pressure to implement stricter controls on software sharing, verify the identity of requesters through out-of-band channels, and educate personnel about the risks of phishing targeted at researchers. The fact that the campaign operated for nearly five years without detection suggests that existing security awareness programs were insufficient to stop a determined, well-resourced adversary.
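The out-of-band verification described above can be backed by a mail-side check that holds a software request when the sender's display name matches a known collaborator but the address does not, or when the request arrives from a freemail account. The following Python is an added example, not code from the investigation or the source article; the collaborator directory, addresses and messages are constructed, and only the tool names (CBAero, DAC) come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: normalized display name -> institutional address on file.
KNOWN_COLLABORATORS = {"jane doe": "jane.doe@university.example"}
FREEMAIL_DOMAINS = {"gmail.com"}
# Restricted tools named in the article; extend with the local release-controlled list.
RESTRICTED_RE = re.compile(r"\b(CBAero|DAC|Direct Simulation Monte Carlo)\b", re.I)

def assess(raw_message):
    """Return a hold decision and reasons for one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    on_file = KNOWN_COLLABORATORS.get(" ".join(name.lower().split()))

    reasons = []
    name_mismatch = on_file is not None and addr != on_file
    if name_mismatch:
        reasons.append("display name matches a known collaborator, address does not")
    freemail = domain in FREEMAIL_DOMAINS
    if freemail:
        reasons.append("sender uses a freemail domain")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    tools = sorted({m.group(0).lower() for m in RESTRICTED_RE.finditer(text)})
    if tools:
        reasons.append("requests restricted software: " + ", ".join(tools))

    # Hold only when a restricted tool is requested AND sender identity is doubtful.
    hold = bool(tools) and (name_mismatch or freemail)
    return {"hold": hold, "reasons": reasons}

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Jane Doe <jane.doe.aero@gmail.com>\n"
           "Subject: CBAero copy\n\n"
           "Hi, my university mail is down. Could you send me the CBAero package?\n")
LEGIT = ("From: Jane Doe <jane.doe@university.example>\n"
         "Subject: CBAero copy\n\nCould you send CBAero?\n")
UNRELATED = ("From: Bob <bob@gmail.com>\nSubject: lunch\n\nLunch on Friday?\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("unrelated", UNRELATED)):
        print(label, assess(raw))
```

A message that is not held has only passed the identity check; whether the requester may receive the software at all is a separate release decision.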
Song Wu’s engineering position at AVIC—a state-owned aerospace and defense conglomerate founded in 2008 and headquartered in Beijing that manufactures both civilian and military aircraft—indicates that the software theft served direct strategic purposes for Chinese aerospace development. Every tool obtained, every line of source code shared, and every design methodology learned potentially accelerated Chinese military and civilian aircraft programs while reducing development timelines and costs.
Was this phishing campaign part of a larger Chinese espionage operation?
Yes. The defense software theft phishing campaign aligns with documented Chinese strategies for technology acquisition, including forced transfer agreements and intellectual property theft. The targeting of multiple U.S. military branches, NASA, universities, and private companies suggests coordination beyond a single actor, though Song Wu appears to have been the primary operator.
How did NASA investigators discover the phishing campaign?
The NASA Office of Inspector General’s Cyber Crimes Division began investigating after receiving a report of a fake Gmail account impersonating an aerospace professor. Once the initial report triggered an investigation, the scope of the five-year campaign became apparent, leading to the identification of Song Wu and the 28-count indictment.
What happens now that Song Wu has been indicted?
Song Wu remains at large, likely in China, where extradition is unlikely given U.S.-China relations and the Chinese government’s protection of its nationals engaged in state-sponsored activities. The indictment serves primarily as a formal accusation and a warning to other would-be perpetrators, though prosecution requires Song Wu’s apprehension and extradition—a scenario that appears remote at present.
The defense software theft phishing campaign represents a watershed moment for U.S. aerospace security. It proves that even the most restricted, classified-adjacent software can be stolen through patient, methodical social engineering. NASA and the Department of Defense must now confront an uncomfortable reality: traditional network security and encryption are insufficient when the human element remains vulnerable to sophisticated impersonation. The five-year operation demonstrates that determined state actors will exploit this weakness relentlessly, making personnel security training and verification protocols as critical as firewalls and intrusion detection systems.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar


