A newly published NASA Office of Inspector General report confirms that Chinese national Song Wu conducted a four-year spear-phishing campaign targeting NASA employees, US military personnel, FAA staff, and university researchers, with the goal of stealing proprietary aerospace and defence software source code.
What Happened
The OIG report, published 24 April 2026, details a campaign that ran from approximately 2017 to 2021. Song Wu, employed by China's Aviation Industry Corporation of China (AVIC), crafted spear-phishing emails impersonating legitimate colleagues and collaborators at target organisations. The emails requested recipients share specific software tools used in aerospace engineering, computational fluid dynamics, and structural analysis, all with direct military and dual-use applications.
Targets spanned NASA centres including Langley, Glenn, and Goddard, alongside personnel at the Air Force Research Laboratory, Office of Naval Research, and multiple US universities with defence research programmes. The targeted software is subject to US export control regulations under ITAR and EAR, making theft equivalent to an arms export violation.
Why It Matters
Three aspects of this case are instructive for security practitioners today. First, the campaign succeeded against technically sophisticated targets at aerospace and defence organisations, demonstrating that spear-phishing remains effective even where security awareness training is mandated. Second, the software targeted represents years of taxpayer-funded R&D with direct dual-use applications. Third, the four-year operational duration before detection signals that persistent, low-volume spear-phishing evades detection frameworks tuned for high-velocity threats.
For security teams at defence contractors and universities participating in research partnerships, this case is a precise template for what targeted intellectual property theft looks like operationally: low volume, highly personalised emails, requesting files rather than credentials, targeting individuals with legitimate access to the desired material.
Recommended Actions
- Audit software sharing workflows: if your organisation distributes proprietary engineering or research software via email on request, implement a formal approval and logging process requiring management sign-off for every external transfer.
- Implement DLP controls on source code and simulation software packages: ensure large archives containing proprietary tools trigger review before external transmission.
- Review export control compliance training: organisations handling ITAR/EAR-controlled software should verify that all personnel with access understand what constitutes a controlled export and what requests are suspicious.
- Deploy email authentication with strict policies: DMARC reject policy combined with DKIM and SPF makes colleague impersonation significantly harder from external domains.
- Establish a secure channel for software sharing requests: mandate all requests for proprietary software go through an authenticated internal portal rather than direct email, removing the social engineering attack surface.
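One way to check the DMARC recommendation above is to audit the published record for anything weaker than full `reject` enforcement. The following is an added example, not taken from the OIG report; the domains and records in `SAMPLES` are constructed, and the function names are hypothetical.

```python
# Added example: audit DMARC TXT records against the "reject" recommendation.
# All domains and records in SAMPLES are constructed for illustration.

def parse_dmarc(record):
    """Split a DMARC TXT record (tag=value pairs separated by ';') into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings; an empty list means strict enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append("p=%s: failing mail is not rejected" % (policy or "missing"))
    # sp overrides p for subdomains; when absent, subdomains inherit p.
    subdomain = tags.get("sp", "reject").lower()
    if subdomain != "reject":
        findings.append("sp=%s: subdomains are not covered by reject" % subdomain)
    # pct defaults to 100; anything lower exempts part of the failing mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("pct is not a number between 0 and 100")
    elif pct < 100:
        findings.append("pct=%d: policy applies to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to reveal spoofing attempts")
    return findings


SAMPLES = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "monitor.example": "v=DMARC1; p=none",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:d@partial.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, audit_dmarc(record) or "OK")
```

DMARC only covers mail that claims the organisation's exact domain in the From header, so lookalike domains still need separate controls.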
Broader Context
China's AVIC has been the subject of multiple IP theft investigations. This case follows a pattern of Chinese state-linked actors targeting aerospace, semiconductor, and energy sector intellectual property via patient, targeted social engineering rather than technical exploitation. The OIG report serves as a reminder that the human element remains the most reliable initial access vector for nation-state actors operating against hardened technical targets, and that detection programmes must account for long, low-volume campaigns, not just acute threat activity.