A Chinese citizen has been indicted in the United States on charges of conducting a multi-year “spear-phishing” campaign to gain unauthorized access to software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.
How the Chinese Engineer Attacked NASA
Song Wu, 39, was charged with 14 counts of wire fraud (including hacking into NASA) and 14 counts of aggravated identity theft; if convicted, he faces a maximum sentence of 20 years in prison for each count of wire fraud and a consecutive two-year sentence for the aggravated identity theft.
Song was employed as an engineer at Aviation Industry Corporation of China (AVIC), a state-owned Chinese aerospace and defense conglomerate founded in 2008 and headquartered in Beijing.
According to information on AVIC’s website, the company has “over 100 subsidiaries, nearly 24 listed companies, and more than 400,000 employees”; in November 2020 and June 2021, the company and some of its subsidiaries were subject to sanctions by the United States, which banned Americans from investing in the company.
Song and the data thefts at NASA and other US agencies
Song allegedly conducted a spear-phishing campaign that involved creating email accounts to impersonate U.S. researchers and engineers, which he then used to obtain classified or proprietary software specializing in aerospace engineering and computational fluid dynamics.
The software could also be used for industrial and military applications, including the development of advanced tactical missiles and the aerodynamic design and evaluation of weapons.
According to the U.S. Department of Justice (DoJ), these emails were sent to employees of NASA, the U.S. Air Force, Navy, Army, and the Federal Aviation Administration, as well as individuals employed by major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.
The social engineering attempts, which began around January 2017 and continued until December 2021, also targeted private companies operating in the aerospace sector, as well as NASA itself.
The fraudulent messages appeared to be sent by a colleague, associate, friend, or other person in the research or engineering community, and requested that victims send or make available source code or software to which they had access. The DoJ did not disclose the name of the software or the current location of the defendant.
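The campaign described above relies on two things a mail gateway can check: a sender who looks like a known colleague but writes from an outside address (or from a domain that merely resembles the organisation's own), and a message body that asks the recipient to hand over software or source code. The following is an added detection example written for this article; it is not code from the DoJ filing or from any of the organisations named. The staff directory, the internal domain `example-lab.edu`, the keyword list and the three sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation mail domain and a constructed staff directory
# (display name -> legitimate address). A real deployment would pull
# these from the directory service.
INTERNAL_DOMAINS = {"example-lab.edu"}
STAFF = {
    "dr. jane roe": "jroe@example-lab.edu",
    "john doe": "jdoe@example-lab.edu",
}

# Phrases typical of a request to hand over software or code.
REQUEST_TERMS = re.compile(
    r"\b(source code|repository|solver|software package|tarball|build files)\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True when `domain` is not `legit` but is close to it or embeds its label."""
    if domain == legit:
        return False
    label = legit.split(".")[0]          # e.g. "example-lab"
    return levenshtein(domain, legit) <= 2 or label in domain


def assess(raw_message: str) -> dict:
    """Return the sender, the reasons found and a flag when two or more apply."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_key = " ".join(display_name.split()).lower()
    reasons = []

    if domain and domain not in INTERNAL_DOMAINS:
        # A known colleague's name on an external address is the classic
        # display-name impersonation pattern.
        if name_key in STAFF:
            reasons.append("display name matches a staff member but sender is external")
        for legit in INTERNAL_DOMAINS:
            if is_lookalike(domain, legit):
                reasons.append(f"sender domain {domain} resembles {legit}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append("Reply-To differs from From")

    body = msg.get_payload()
    if isinstance(body, str) and REQUEST_TERMS.search(body):
        reasons.append("asks recipient to share software or source code")

    return {"from": addr, "reasons": reasons, "flag": len(reasons) >= 2}


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: "Dr. Jane Roe" <jane.roe.lab@free-mail.example>
To: jdoe@example-lab.edu
Subject: CFD solver

Hi John, could you send me the latest source code for the solver? Thanks, Jane
"""

LOOKALIKE = """From: "Bob Smith" <bsmith@examp1e-lab.edu>
To: jdoe@example-lab.edu
Subject: shared drive

Can you upload the repository to the shared drive today?
"""

BENIGN = """From: "John Doe" <jdoe@example-lab.edu>
To: jroe@example-lab.edu
Subject: meeting

Meeting moved to 3pm.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, LOOKALIKE, BENIGN):
        print(assess(sample))
```

The flag threshold of two reasons is deliberate: a single external sender asking for a file is routine, and a single lookalike domain may be a typo, but the combination of an identity signal and a request for code is the pattern the indictment describes. Verdicts from a check like this belong in a quarantine or alert queue, not in an automatic block, so that analysts can review the message and the recipient can be warned.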
“Once again, the FBI and our partners have demonstrated that cybercriminals around the world seeking to steal our companies’ most sensitive and valuable information can and will be exposed and held accountable,” said Keri Farley, Special Agent in Charge of FBI Atlanta.
“As this indictment demonstrates, the FBI is committed to pursuing, arresting and prosecuting anyone who engages in illegal and deceptive practices to steal protected information.”
The US DoJ’s conclusion
Along with the indictment, the DoJ also unveiled another indictment against Jia Wei, a Chinese citizen and member of the People’s Liberation Army (PLA), for infiltrating an unspecified U.S. communications company in March 2017 to steal proprietary information related to civilian and military communications equipment, product development, and test plans.
“During his unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to provide persistent, unauthorized access to the U.S. company’s network,” the DoJ said. “Wei’s unauthorized access continued until approximately the end of May 2017.”
The development comes just weeks after the UK’s National Crime Agency (NCA) announced that three men, Callum Picari, 22; Vijayasidhurshan Vijayanathan, 21; and Aza Siddeeque, 19, had pleaded guilty to running a website that allowed cyber criminals to bypass banks’ fraud checks and take control of bank accounts.
The service, called OTP.agency, allowed monthly subscribers to use social engineering techniques to convince bank account holders to divulge real One-Time Password (OTP) codes or reveal their personal information.
The clandestine service is estimated to have targeted over 12,500 members of the public between September 2019 and March 2021, when it was shut down following the arrest of the three. It is currently unknown how much illegal revenue the operation generated during its time in operation.
“A basic package costing £30 per week allowed you to bypass multi-factor authentication on platforms such as HSBC, Monzo and Lloyds, allowing criminals to complete fraudulent transactions online,” the NCA said. “An elite plan cost £380 per week and granted access to Visa and Mastercard verification sites.”