A multi-year phishing operation targeting the US aerospace and defense sectors has revealed how attackers successfully manipulated trust relationships to obtain sensitive software, including from employees linked to NASA.
According to findings from the NASA Office of Inspector General, a Chinese national orchestrated a sophisticated social engineering campaign by impersonating US-based researchers and engineers. The attacker used carefully crafted emails and fake identities to convince victims they were communicating with legitimate colleagues.
The scheme ran from 2017 through 2021 and targeted a wide range of organizations, including NASA, the US military, federal agencies, universities, and private companies. Victims were approached with requests for access to proprietary aerospace software and source code, often under the pretense of collaboration or academic exchange.
Investigators found that in several cases, targets unknowingly complied, sending controlled or restricted data without realizing the recipient was part of a foreign intelligence-linked operation. The stolen software is believed to have applications in aerodynamic modeling and advanced weapons development, raising national security concerns.
The individual behind the campaign was identified as Song Wu, an engineer associated with a Chinese state-owned aerospace and defense company. US authorities charged him in 2024 with wire fraud and aggravated identity theft. He remains at large and is listed among wanted suspects.
The operation relied heavily on social engineering rather than technical exploits. Attackers invested time in researching targets, building believable personas, and maintaining long-term communication to establish trust. In some instances, the attackers made repeated requests for software and used irregular payment or transfer methods, both of which investigators later highlighted as warning signs.
Officials emphasized that the case demonstrates how even highly technical organizations remain vulnerable to human-focused attacks. By bypassing traditional security controls and exploiting professional relationships, the campaign was able to extract sensitive information without triggering immediate suspicion.
The incident reflects a broader pattern in cyber espionage, where threat actors prioritize credential theft, impersonation, and trust manipulation over direct system compromise. Security experts continue to stress the importance of employee awareness and strict handling procedures for export-controlled technologies to reduce exposure to similar attacks.
