A Chinese national has been indicted in the U.S. on charges of conducting a "multi-year" spear-phishing campaign to obtain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.
Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces a maximum sentence of a jail term of 20 years for each count of wire fraud and a two-year consecutive sentence in prison for aggravated identity theft.
He was employed as an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008 and headquartered in Beijing.
According to information listed on AVIC's website, it has "over 100 subsidiaries, nearly 24 listed companies, and more than 400,000 employees." In November 2020 and June 2021, the company and some of its subsidiaries became the subject of U.S. sanctions, barring Americans from investing in the company.
Song is said to have carried out a spear-phishing campaign that involved creating email accounts to mimic U.S.-based researchers and engineers, which were then utilized to obtain specialized restricted or proprietary software for aerospace engineering and computational fluid dynamics.
The software could also be used for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons.
These emails, the U.S. Department of Justice (DoJ) alleged, were sent to employees at NASA, the U.S. Air Force, Navy, and Army, and the Federal Aviation Administration, as well as individuals employed in major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.
The social engineering attempts, which started around January 2017 and continued through December 2021, also targeted private sector companies that work in the aerospace field.
The fraudulent messages purported to be sent by a colleague, associate, friend, or other people in the research or engineering community, requesting prospective targets to send or make available source code or software that they had access to. The DoJ did not disclose the name of the software or the defendant's current whereabouts.
"Once again, the FBI and our partners have demonstrated that cyber criminals around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable," said Keri Farley, Special Agent in Charge of FBI Atlanta.
"As this indictment shows, the FBI is committed to pursuing the arrest and prosecution of anyone who engages in illegal and deceptive practices to steal protected information."
Coinciding with the indictment, the DoJ also unsealed a separate indictment against Chinese national Jia Wei, a member of the People's Liberation Army (PLA), for infiltrating an unnamed U.S.-based communications company in March 2017 to steal proprietary information relating to civilian and military communication devices, product development, and testing plans.
"During his unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to provide persistent unauthorized access to the U.S. company's network," the DoJ said. "Wei's unauthorized access continued until approximately late May 2017."
The development comes weeks after the U.K. National Crime Agency (NCA) announced that three men, Callum Picari, 22; Vijayasidhurshan Vijayanathan, 21; and Aza Siddeeque, 19, pleaded guilty to running a website that enabled cybercriminals to bypass banks' anti-fraud checks and take control of bank accounts.
The service, named OTP.agency, allowed monthly subscribers to socially engineer bank account holders into disclosing genuine one-time-passcodes, or reveal their personal information.
The underground service is said to have targeted over 12,500 members of the public between September 2019 and March 2021, when it was taken offline after the trio were arrested. It's currently not known how much illegal revenue the operation generated during its lifespan.
"A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions," the NCA said. "An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites."