A Chinese national named Song Wu, employed by a gigantic Chinese state-owned defense conglomerate, was indicted in the Northern District of Georgia on Monday for a scheme to hack U.S. government agencies including NASA, the Army, the Navy, the Air Force, and the Federal Aviation Administration (FAA).
The indictment accused Song of sending “spear phishing emails” to employees of the targeted agencies, as well as private sector contractors and “individuals employed in positions with major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.”
“Spear phishing” is the dark art of sending very realistic-looking emails to a victim, often tarted up with convincing personal and professional details. When the victim opens attachments to these emails or clicks on links to websites contained within them, the victim’s computer is infected by malware. Some spear phishing attacks forgo malware and simply trick the victim into revealing passwords or other valuable data.
Spear phishing attacks are carefully targeted and require a good deal of work by the hacker, who must create emails that look like realistic messages from friends, family, or colleagues of the victim.
According to the Department of Justice (DOJ), Song’s emails “appeared to the targeted victims as having been sent by a colleague, associate, friend, or other person in the research or engineering community.”
“Hi, [victim’s name], I sent Stephen an email for a copy of NASCART-GT code, but got no response right now. He must be too busy. Will you help and sent it to me?” read an example of the phishing emails, with the spelling error in the original.
“Hi, [victim’s name] – sorry to bug you early in the morning. Please sent me a copy of the DAC software when you are available to help. FYI, it is urgently needed and please let me know,” read another.
Over the course of several years, Song allegedly attempted to trick his victims into sending him sensitive “source code or software” related to fields such as aerospace engineering and computational fluid dynamics.
“This specialized software could be used for industrial and military applications, such as development of advanced tactical missiles and aerodynamic design and assessment of weapons,” the indictment noted.
Computational fluid dynamics, for example, is employed by aerospace engineers to model airflow around the flight surfaces of aircraft and missiles.
According to the indictment, some of Song’s spear phishing attacks were successful. DOJ did not specify exactly what software he was able to steal, or from whom.
DOJ described Song as a 39-year-old employee of the Aviation Industry Corporation of China (AVIC), an aerospace and defense company based in Beijing and owned by the Chinese government. The indictment repeatedly stated that he was “aided and abetted by persons unknown.”
“AVIC manufactures civilian and military aircrafts and is one of the largest defense contractors in the world,” the indictment noted.
Song’s case is being handled by the Disruptive Technology Strike Force, a multi-agency force established by the Justice and Commerce Departments, the FBI, and the Department of Homeland Security in February 2023 to investigate export violations, smuggling, and information theft by Russia, China, North Korea, and Iran.
Song is the 34th defendant to be indicted through the efforts of the Strike Force since its inception. He was indicted on 14 counts each of wire fraud and aggravated identity theft, with up to 20 years in prison on the line for each wire fraud count. He also faces a minimum of two years in prison for identity theft. The indictment stated he conducted his spear phishing attacks from China, so it seems unlikely he will be arrested or brought into a U.S. courtroom.
“Efforts to obtain our nation’s valuable research software pose a grave threat to our national security. However, this indictment demonstrates that borders are not barriers to prosecuting bad actors who threaten our national security,” U.S. Attorney Ryan K. Buchanan said on Monday.