Analysis Summary

A Chinese national, Song Wu, has been indicted in the U.S. for running a spear-phishing campaign targeting NASA, research universities, and private companies to gain unauthorized access to software and source code.

He is charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces up to 20 years for each count of wire fraud and two additional years for identity theft. Wu was an engineer at the Aviation Industry Corporation of China (AVIC), a state-owned aerospace and defense conglomerate. AVIC which has been under U.S. sanctions since 2020, is a large entity with over 400,000 employees.

According to the report, Wu's spear-phishing campaign, which lasted from January 2017 to December 2021, involved impersonating U.S.-based researchers and engineers through fraudulent email accounts. The emails targeted employees at NASA, the U.S. military, and major research universities aiming to acquire restricted aerospace engineering software with both industrial and military applications, including advanced missile development.

Wu's emails often impersonated colleagues or members of the research community to trick recipients into sharing proprietary software or source code. The Department of Justice (DoJ) did not reveal the software's name or Wu's current whereabouts.

In a related case, the DoJ also unsealed an indictment against Jia Wei, a Chinese national and member of the People’s Liberation Army (PLA). Wei infiltrated a U.S. communications company in March 2017, stealing proprietary information related to civilian and military communication devices. Along with his co-conspirators, Wei attempted to install malicious software to maintain persistent unauthorized access to the company's network. His unauthorized access lasted until May 2017, after which he and his associates were identified.

These developments highlight the continued efforts by U.S. law enforcement to expose and prosecute cybercriminals who steal sensitive information. The FBI emphasized the bureau's commitment to pursuing such criminals, noting that international actors engaging in cyber theft will be exposed and held accountable. The spear-phishing tactics employed by Wu reflect a growing trend of cyber espionage targeting critical sectors like aerospace and defense.

In a separate case, the U.K.'s National Crime Agency (NCA) announced that three men were found guilty of operating a service called OTP.agency which allowed cybercriminals to bypass anti-fraud checks by socially engineering bank account holders. The service targeted over 12,500 people between 2019 and 2021, enabling criminals to bypass multi-factor authentication for various banks and complete fraudulent transactions. The NCA shut down the operation in March 2021 after the trio's arrest, though the total illegal revenue generated remains undisclosed.

Impact

• Cyber Espionage
• Sensitive Information Theft
• Unauthorized Access
• Identity Theft

Remediation

• Conduct regular, comprehensive cybersecurity training programs for employees, focusing on spear-phishing recognition and avoidance. Simulate phishing attacks to test awareness and response.
• Enforce multi-factor authentication (MFA) for all critical systems, including email, source code repositories, and proprietary software, to reduce the risk of unauthorized access.
• Apply the principle of least privilege, ensuring that only authorized personnel have access to sensitive software and source code. Regularly review and audit access control policies.
• Use advanced email filtering systems that detect and block phishing attempts, especially those involving domain spoofing and impersonation tactics.
• Employ continuous network monitoring tools to detect unauthorized access or unusual activity. Regularly audit system logs for any indicators of compromise (IoCs) or anomalous behavior.
• Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly those involving attempts to exfiltrate sensitive data.
• Ensure timely patching of software vulnerabilities in operating systems, email servers, and security tools to reduce the risk of exploitation by cybercriminals.
• Establish protocols for quickly reporting cyber incidents to relevant authorities, like the FBI or other national agencies, to assist with tracking and mitigating cybercriminal activities.
• Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
• Leverage real-time threat intelligence feeds to stay informed about new phishing campaigns and tactics targeting industries like aerospace and defense.