A Chinese aerospace engineer, Song Wu, has been implicated in a significant case of international espionage involving the theft of sensitive US military software. Over a period of four years, Wu successfully impersonated US researchers and engineers to solicit proprietary software from NASA, the US military, and various universities. This breach highlights the ongoing threat of social engineering attacks and the need for heightened vigilance among organizations handling sensitive information.
Wu, who worked for the Aviation Industry Corporation of China (AVIC), a state-owned aerospace and defense conglomerate, used fake email accounts to impersonate real US researchers. From January 2017 to December 2021, he targeted individuals at NASA, the Air Force, Navy, Army, and the Federal Aviation Administration, as well as faculty members at US universities. By requesting source code and proprietary software, Wu managed to obtain intellectual property crucial for developing advanced tactical missiles and evaluating weapons performance, thereby violating US export control laws.
The breach was not detected by sophisticated cybersecurity measures but rather through a tip-off to NASA's Cyber Crimes Division. Investigators traced the campaign back to Wu after discovering a Gmail account impersonating an established aerospace professor. The investigation revealed that Wu's requests for software were repetitive and lacked justification, which should have been red flags for the recipients.
The breach is significant because it underscores the vulnerability of sensitive information to social engineering attacks. The FBI has highlighted the scale of the threat posed by Chinese hackers, who reportedly outnumber US cyber personnel by a large margin. The use of deepfake technology and other advanced techniques is making impersonation attempts more convincing, posing a growing challenge for cybersecurity professionals.
To mitigate such threats, organizations must strengthen their cybersecurity protocols and provide comprehensive training to employees on recognizing and responding to social engineering attacks. It is essential to establish robust verification processes for requests involving sensitive information and to encourage a culture of vigilance and reporting within the workforce.
Source: https://www.malwarebytes.com/blog/news/2026/04/chinese-engineer-stole-us-military-and-nasa-software-for-years


