Hacker targets NASA, faces 300+ years behind bars


One man launched a multi-year spear phishing campaign to harvest sensitive information, software, and source code from some of the United States's most powerful institutions.

Cyber schemes like phishing and spear phishing can go undetected for a while, compromising the safety and security of the nation's most valuable institutions.

Spear phishing is a kind of personalized phishing attack that targets a specific individual or group of people.

ADVERTISEMENT

The scammer will usually exploit sensitive information about the individual(s) to make the scam more convincing. Once they’ve lured their victim into a false sense of security, they will extract sensitive information, funds, and other valuable items.

In many cases, criminals who conduct spear phishing or phishing attacks are motivated by money. But in this case, it seems that one Chinese national conducted his scheme for more than just financial gain.

Song Wu, 39, ran a spear phishing campaign for many years to obtain some of the US’s most coveted information.

Wu created false email accounts impersonating US researchers and engineers to infiltrate research institutions – including the National Aeronautics and Space Administration (NASA), US universities, and private companies.

These emails would often look like they’ve come from a colleague or someone with ties to the research or engineering community. From there, Wu would request source code or software from the victim.

The offender then used these false email accounts to obtain specialized and often restricted software for aerospace engineering and computational fluid dynamics. While Wu may have been in it for the money, this specialized software is often used to develop missiles and weaponry.

At the time, Wu was employed as an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense corporation. According to the Department of Justice, this organization creates civilian and military aircraft and is one of the largest defense contractors in the world.

Given that Wu worked for a Chinese state-owned aerospace corporation, Wu may have orchestrated this spear phishing campaign to steal software and source code that could later be used to build sophisticated missiles and other weapons for the state.

ADVERTISEMENT

During the campaign, Wu emailed people employed in the United States government, NASA, the US Air Force, the Navy, the Army, and the Federal Aviation Administration, as well as various research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio. All of these institutions work within the aerospace field.

If found guilty of these crimes, this cybercriminal faces a heavy penalty. He could face almost 300 years on the 14 counts of wire fraud alone. However, he has also been charged with 14 counts of aggravated identity theft, which could increase the number of years he is imprisoned.