Chinese Engineer Charged in U.S. for Years-Long Cyber Espionage Targeting NASA and Military
A Chinese individual has been charged in the U.S. with allegedly conducting a "multi-year" spear-phishing campaign to gain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research institutions, and commercial firms.
Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces a potential prison term of 20 years for each count of wire fraud and a two-year concurrent prison sentence for aggravated identity theft.
He worked as an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and military company founded in 2008 and based in Beijing.
According to information on AVIC's website, it has "over 100 subsidiaries, nearly 24 listed companies, and more than 400,000 employees." In November 2020 and June 2021, the corporation and several of its subsidiaries became the target of U.S. sanctions that bar Americans from investing in the company.
Song is alleged to have carried out a spear-phishing campaign that involved creating email accounts impersonating U.S.-based researchers and engineers, which were then used to obtain specialized restricted or proprietary software for aeronautical engineering and computational fluid dynamics.
The software could be used for industrial and military applications, including the development of advanced tactical missiles and the aerodynamic design and assessment of weapons.
These emails, the U.S. Department of Justice (DoJ) alleged, were sent to employees at NASA, the U.S. Air Force, Navy, and Army, and the Federal Aviation Administration, as well as individuals employed at major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.
The social engineering attempts, which began around January 2017 and continued until December 2021, also targeted private sector businesses that specialize in the aerospace sector.
The fraudulent messages purported to come from a colleague, acquaintance, friend, or other member of the research or engineering community, and urged prospective targets to send or make available source code or software that they had access to. The DoJ did not disclose the name of the software or the defendant's current whereabouts.
"Once again, the FBI and our partners have demonstrated that cyber criminals around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable," said Keri Farley, Special Agent in Charge of FBI Atlanta.
"As this indictment shows, the FBI is committed to pursuing the arrest and prosecution of anyone who engages in illegal and deceptive practices to steal protected information."
Coinciding with the indictment, the DoJ also unsealed a separate indictment against Chinese national Jia Wei, a member of the People's Liberation Army (PLA), for infiltrating an unnamed U.S.-based communications company in March 2017 to steal proprietary information relating to civilian and military communication devices, product development, and testing plans.
"During his unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to provide persistent unauthorized access to the U.S. company's network," the DoJ stated. "Wei's unauthorized access continued until approximately late May 2017."
The development comes weeks after the U.K. National Crime Agency (NCA) announced that three men, Callum Picari, 22; Vijayasidhurshan Vijayanathan, 21; and Aza Siddeeque, 19, pleaded guilty to running a website that enabled cybercriminals to bypass banks' anti-fraud checks and take control of bank accounts.
The site, branded OTP.agency, allowed monthly members to socially engineer bank account holders into providing legitimate one-time passcodes or divulging their personal information.
The underground service is said to have targeted approximately 12,500 members of the public between September 2019 and March 2021, when it was taken down after the three were arrested. It is currently not known how much illicit revenue the operation generated over its lifetime.
"A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions," the NCA stated. "An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites."