Emerging ThreatsMalware & Ransomware

NASA Targeted in Chinese Phishing Scheme for U.S. Defense Software

Analyst 207||Source: TheHackerNews
NASA employees work at desks with laptops and computers in a well-lit office setting.

"For years, NASA employees and research collaborators thought they were simply sharing software with colleagues," the Office of Inspector General (OIG) said in a Thursday release — a plain sentence that, according to the OIG, masks a multi-year deception that funneled sensitive U.S. aerospace and defense software to a Chinese national posing as a U.S. researcher.

The OIG's findings

The NASA Office of Inspector General reported that a spear-phishing campaign used impersonation to obtain modeling software and related material from NASA employees and research partners. In some "handful of cases," the OIG said victims shared sensitive defense technology with imposter accounts without realizing they were violating U.S. export control laws. The campaign targeted not only NASA but also government agencies, universities, and private companies.

The DOJ indictment and charges against Song Wu

Federal prosecutors identified the individual behind the scheme as 40‑year‑old Song Wu. The U.S. Department of Justice unsealed charges in September 2024 alleging Song orchestrated a campaign from January 2017 to December 2021 that targeted dozens of U.S. professors, researchers, and engineers. The indictment accuses Song of wire fraud and lists 14 counts of aggravated identity theft.

If convicted, Song faces statutory maximum sentences of 20 years in prison for each count of wire fraud, plus an additional two-year consecutive sentence for each aggravated identity theft count. Song remains at large.

AVIC and the sought-after modeling software

The indictment says Song was an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008. Prosecutors allege that Song and co-conspirators sought modeling software "used for aerospace design and weapons development." The FBI, after adding Song to the U.S. Most Wanted List, warned that the specialized software could be used "for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons."

How the spear-phishing scheme worked

According to the indictment and the OIG, the campaign relied on detailed pretexting and social engineering. Operatives conducted extensive research on targets and masqueraded as friends and colleagues — impersonating U.S. engineers — to persuade victims to share proprietary software and source code. The OIG highlighted specific behavioral clues in Song's pattern: he "made multiple requests for the same software and did not justify why he needed it."

The OIG also outlined transactional red flags common to export-control fraud: scammers often suggest unusual payment methods such as "suspicious wire transfers," abruptly change the terms or source of payment, and use unconventional transfer methods to mask identity and evade shipping restrictions. Those tactics, the OIG suggested, can betray otherwise convincing imposters.

What this means for NASA, the Air Force, and universities

  • NASA: The OIG’s account shows that routine collaboration can cross into export-control risk when identities are falsified; NASA-based researchers and collaborators will need to reassess file‑sharing practices and vetting of correspondents to avoid inadvertent exports.
  • The Air Force, Navy, Army, and FAA: These agencies were among those whose personnel were targeted. For them, the indictment underscores the intersection of operational technologies and export-control compliance — an area that may prompt reviews of how modeling tools and source code are requested and transferred.
  • Universities and private companies: Professors, researchers, and engineers at academic and commercial organizations were also targeted. The OIG’s findings call attention to the risk that academic collaboration channels can be exploited to move controlled software outside authorized channels.

The case laid out by the OIG and the DOJ has a clear throughline: social engineering converted ordinary professional exchanges into an alleged export-fraud operation that, prosecutors say, served a foreign state-owned enterprise. Song's indictment, the FBI’s warning about the potential military applications of the software, and the OIG’s account of behavioral red flags combine into a forensic checklist — and a reminder that the weakest link in a technical supply chain is often a human connection.

That human connection is why the most immediate unanswered detail is operational rather than legal: how many separate exchanges resulted in the transfer of controlled software, and whether additional victims or accounts remain unidentified. Song remains at large; the statutes he faces are severe. The factual record assembled by the OIG and the Department of Justice leaves clear what happened and who was affected — and it leaves open the question of how many other routine collaborations might already have been compromised.

Original story

AerospaceEmerging ThreatsImpersonationNation-StateSpear-PhishingSupply ChainNASAChinese Phishing SchemeU.S. Defense SoftwareExport Control
Related Intelligence

Continue Reading

Institutional building entrance with subtle tech elements, hinting at digital breach.

Kodak Breach Exposes Sensitive Data After ShinyHunters Hack

Kodak recently suffered a data breach at the hands of hackers known as ShinyHunters, who gained temporary access to sensitive company data. The company has launched a swift investigation with external cybersecurity experts and is working closely with law enforcement to mitigate the impact.

Analyst 207
Blurred laptop screen showing Joomla Content Editor interface in a tech office setting.

CISA Warns of Actively Exploited Joomla Flaw Enabling PHP Code Execution

A critical Joomla flaw, tracked as CVE-2026-48907, is being actively exploited, allowing attackers to upload and execute PHP code - and the US Cybersecurity and Infrastructure Security Agency (CISA) is warning users to take immediate action. A patch is available in version 2.9.99.5 of the Widget Factory Joomla Content Editor.

Analyst 207
Workers stand in a sugarcane field with industrial equipment in the foreground under a clear Australian sky.

Cyberattack Disrupts Australian Sugar Production

Mackay Sugar is making a sweet recovery after a cyberattack halted operations, with significant progress made over the weekend in restoring systems and a staged restart of crushing operations on the horizon. The company is getting back on track, with manual crushing already underway at its Farleigh Mill and harvesting expected to resume soon.

Analyst 207
Developer workstation with laptop and monitor, surrounded by notes and coffee cups, in a modern office with natural light.

Malicious JetBrains plugins steal AI API keys

Beware of malicious JetBrains plugins masquerading as helpful tools - at least 15 have been detected stealing AI API keys from unsuspecting developers, with a staggering 70,000 installations. These fake plugins have been secretly siphoning off sensitive information since October 2025.

Analyst 207