Chinese Phishing Campaign Stole NASA and Defense Software Source Code
NASA's Office of Inspector General disclosed that Chinese national Song Wu allegedly conducted a years-long spear-phishing and impersonation campaign to obtain sensitive aerospace and defense-related software, source code, and other controlled technical information from NASA personnel, other U.S. government agencies, universities, and private companies. U.S. authorities said the operation ran from 2017 through 2021 and relied on fraudulent emails and false identities, with Wu posing as U.S. engineers, friends, and colleagues to persuade victims to share restricted data in violation of export control laws.
The U.S. Department of Justice charged Wu in September 2024 with wire fraud and aggravated identity theft, and the FBI has since placed him on its Most Wanted list. Investigators identified him as an engineer at the Aviation Industry Corporation of China (AVIC) and assessed the stolen software as having both industrial and military applications, including advanced tactical missile development and aerodynamic weapons design, underscoring the campaign's significance for U.S. national security and the defense industrial base.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
NASA OIG publicly discloses details of the campaign
NASA's Office of Inspector General disclosed details of the alleged Chinese phishing operation, including its targeting of NASA personnel and the FBI's assessment that the stolen software had industrial and military applications.
FBI adds Song Wu to Most Wanted list
Following the charges, Song Wu remained at large and was added to the FBI's Most Wanted list in connection with the alleged theft of sensitive aerospace and defense-related technical information.
Song Wu charged with wire fraud and identity theft
In September 2024, the U.S. Department of Justice charged Song Wu, an engineer identified as working for AVIC, with wire fraud and aggravated identity theft for the alleged phishing and impersonation scheme.
Chinese spear-phishing campaign targeted NASA and defense-related entities
From January 2017 through December 2021, Song Wu allegedly conducted a multi-year spear-phishing and impersonation campaign targeting NASA employees, other U.S. government agencies, universities, and private companies to obtain export-controlled aerospace and defense software and source code.
Internet fraud scheme operators charged in Manhattan
The Manhattan U.S. Attorney and FBI announced charges against seven individuals for allegedly engineering a sophisticated internet fraud scheme that infected millions of computers worldwide and manipulated the internet advertising business.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Chinese spear-phishing campaign targets NASA employees | brief | SC Media
scworld.com
Open sourceChinese engineer stole US military and NASA software for years | Malwarebytes
malwarebytes.com
Open sourceChinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software
securityaffairs.com
Open sourceNASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software
thehackernews.com
Open sourceFBI - Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business
fbi.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting **China-linked espionage** that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit **classified or sensitive information**; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches. Separately, a former Google engineer, **Linwei Ding**, was found guilty of **economic espionage and trade secret theft** after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both **human intelligence** and **cyber-enabled theft** targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.
Mar 21, 2026
Ex-Google Engineer Convicted of Economic Espionage and AI Trade Secret Theft
A U.S. federal jury convicted former Google engineer **Linwei Ding** (aka **Leon Ding**) on **14 counts** spanning **economic espionage** and **theft of trade secrets** after prosecutors said he stole thousands of confidential Google documents tied to the company’s artificial intelligence technology for the benefit of a China-based startup. The U.S. Department of Justice framed the case as protection of U.S. intellectual property and national security, alleging the theft was intended to advantage the **People’s Republic of China (PRC)**. Reporting indicates Ding began exfiltrating internal materials as early as **May 2022**, including by copying content into the **Apple Notes** app, converting it to PDFs, and uploading it to a personal cloud account. The stolen information reportedly covered sensitive AI infrastructure and chip-related technology, including details associated with Google’s AI supercomputing environment (e.g., data center/cluster management components) and hardware/software used to run AI workloads (including **TPU/GPU systems** and related networking components). Ding was initially indicted in **March 2024**, with subsequent superseding indictments expanding the alleged timeframe and charges; the case is cited as *USA v. Ding*, N.D. Cal., No. `3:24-cr-00141`.
Mar 21, 2026
Italy Extradites Alleged HAFNIUM Hacker Xu Zewei to the United States
Italian authorities extradited Chinese national **Xu Zewei** to the United States over allegations that he took part in a Chinese state-backed hacking campaign linked to **HAFNIUM**, also tracked as **Silk Typhoon**. U.S. prosecutors say Xu and co-defendant **Zhang Yu** conducted intrusions between February 2020 and June 2021 on behalf of China’s **Ministry of State Security** and the **Shanghai State Security Bureau**, including efforts to steal **COVID-19 vaccine and research data** from U.S. universities and researchers. Xu was arrested at Milan’s Malpensa Airport on a U.S. warrant, later transferred to U.S. custody, and is now being held in Houston; he denies the allegations and claims mistaken identity. The indictment also ties Xu to the mass exploitation of previously unknown **Microsoft Exchange** vulnerabilities that began in March 2021, a campaign U.S. authorities say hit more than **60,000** U.S. entities and successfully compromised over **12,700** organizations. Prosecutors allege the victims included defense contractors, law firms, think tanks, universities, and infectious disease researchers, making the case one of the most prominent efforts to bring an alleged Chinese state-linked hacker into U.S. custody. If convicted on all charges, Xu faces up to **77 years in prison**.
May 6, 2026