Last updated: May 14, 2026 at 10:49 AM UTC
Tag: aerospace (1 article)

NASA OIG details how Chinese national Song Wu spear-phished aerospace software from NASA, Air Force, Navy, FAA, universities, and private firms over four years by impersonating colleagues

NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, the US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software, inadvertently violating US export control laws.

Check
Use the NASA OIG release as a case study in awareness training for engineering and research staff who handle export-controlled or proprietary technical artifacts.
Affected
Aerospace, defense, advanced manufacturing, and dual-use research organizations are the named target set, but the technique generalizes. Any organization whose staff regularly share technical artifacts with external collaborators based on personal trust is at risk. Universities and contractors holding ITAR or EAR-controlled materials face both security risk and legal liability for export-control violations.
Fix
Brief engineering staff on the Song Wu pattern: the lure is an email from someone you actually know asking for software you actually have. Require a non-email verification step (voice or video call) for any inbound request for source code or controlled software. Tighten outbound DLP around CAD, source code, and simulation file transfers, with managerial approval above a defined threshold.