A Chinese national has been indicted in the United States on charges of conducting a “multi-year” spear-phishing attack to gain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities and private companies.
Song Woo, 39, was charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces up to 20 years in prison for each wire fraud count and a consecutive two-year term for each aggravated identity theft count.
He worked as an engineer for Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008 and headquartered in Beijing.
According to information posted on AVIC’s website, the company has “more than 100 subsidiaries, approximately 24 publicly listed companies, and more than 400,000 employees.” In November 2020 and June 2021, the company and some of its subsidiaries were targeted by U.S. sanctions, prohibiting Americans from investing in the company.
Song is said to have created email accounts posing as US-based researchers and engineers and used them to carry out spear-phishing attacks aimed at obtaining specialized, restricted or proprietary software for aerospace engineering and computational fluid dynamics.
The software can also be used for industrial and military applications, such as the development of advanced tactical missiles and the aerodynamic design and evaluation of weapons.
The Department of Justice (DoJ) alleges that the emails were sent to employees at NASA, the Air Force, Navy, Army and the Federal Aviation Administration, as well as major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana and Ohio.
The social engineering attempts, which began around January 2017 and continued until December 2021, also targeted private companies operating in the aerospace sector.
The fraudulent messages purported to be sent by colleagues, associates, friends, or others in the research or engineering community and asked potential targets to send or provide source code or software to which they had access. The Department of Justice did not disclose the names of the software or the current whereabouts of the defendants.
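The indictment describes a pattern defenders can screen for: a familiar display name on an address the person does not normally use, combined with a request for source code or software. The following Python script is an added example and is not part of the article or of any DoJ material; the contact directory, the webmail domain list, the request phrases and the sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed, hypothetical contact directory: display names of people the
# organisation corresponds with, mapped to the addresses they really use.
KNOWN_CONTACTS = {
    "jane park": {"jpark@example-university.edu"},
    "mark ellis": {"mark.ellis@example-aero.com"},
}

# Consumer webmail providers: a known colleague "writing" from one of these
# is a classic impersonation signal and worth a second look.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Phrases typical of a request for code or restricted software (constructed).
REQUEST_PATTERNS = [
    r"\bsource code\b",
    r"\b(?:send|share|forward)\b.{0,40}\b(?:code|software|solver|binaries|license)\b",
]


def sender_parts(from_header):
    """Split 'Name <user@domain>' into (normalised name, address, domain)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return display.strip().lower(), addr, domain


def analyze_message(msg):
    """Return (verdict, findings) for a message dict with from/subject/body.

    'high'   = impersonation signal AND a request for code/software
    'medium' = only one of the two
    'low'    = neither
    """
    name, addr, domain = sender_parts(msg["from"])
    findings = []
    impersonation = False
    request = False

    known_addrs = KNOWN_CONTACTS.get(name)
    if known_addrs is not None and addr not in known_addrs:
        impersonation = True
        findings.append("display name matches a known contact but the address does not")
    if known_addrs is not None and domain in FREEMAIL_DOMAINS:
        impersonation = True
        findings.append("known contact writing from a consumer webmail domain")

    text = f"{msg['subject']}\n{msg['body']}".lower()
    if any(re.search(p, text) for p in REQUEST_PATTERNS):
        request = True
        findings.append("message asks for source code or restricted software")

    if impersonation and request:
        verdict = "high"
    elif impersonation or request:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, findings


# Constructed sample messages: one impersonation attempt asking for code,
# one genuine note from the same contact, and one unrelated vendor email.
SAMPLE_MESSAGES = [
    {"from": "Jane Park <janepark.research@gmail.com>",
     "subject": "CFD solver",
     "body": "Hi, could you send me the source code for the solver you presented? "
             "I need it for a proposal due Friday."},
    {"from": "Jane Park <jpark@example-university.edu>",
     "subject": "Seminar next week",
     "body": "Reminder that the seminar moves to Thursday."},
    {"from": "Vendor Support <support@example-vendor.com>",
     "subject": "Invoice",
     "body": "Please find attached the invoice for March."},
]


def triage(messages=SAMPLE_MESSAGES):
    """Return the verdict for each message, in order."""
    return [analyze_message(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, findings = analyze_message(m)
        print(f"{verdict:6s} {m['from']}")
        for f in findings:
            print("       -", f)
```

The point of scoring on the combination rather than either signal alone is that many legitimate colleagues do occasionally write from personal accounts; it is the pairing of an unexpected sender identity with a request for code or software that should route a message to a human reviewer rather than to the inbox.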
“The FBI and our partners have once again proven that cybercriminals around the world who seek to steal our companies’ most sensitive and valuable information can be found and held accountable,” said Special Agent in Charge Kelly Farley of the FBI in Atlanta.
“As this indictment demonstrates, the FBI is committed to arresting and prosecuting those who engage in illegal and deceptive conduct to steal protected information.”
Alongside this indictment, the Department of Justice also unsealed a separate indictment against Jia Wei, a Chinese national and member of the People’s Liberation Army (PLA), who is accused of hacking into an unnamed U.S.-based telecommunications company in March 2017 and stealing proprietary information related to civilian and military communications equipment, product development, and testing programs.
“During the unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to enable persistent unauthorized access to the networks of U.S. companies,” the Justice Department said. “Wei’s unauthorized access continued until approximately late May 2017.”
The development comes just weeks after the UK National Crime Agency (NCA) announced that three men – Karam Pikkali, 22, Vijayasiddhushan Vijayanathan, 21, and Aza Siddiq, 19 – had pleaded guilty to operating a website that allowed cybercriminals to circumvent banks’ anti-fraud checks and take over bank accounts.
The service, called OTP.agency, allowed monthly subscribers to socially engineer bank account holders into revealing real one-time passcodes and divulging personal information.
The underground service is said to have targeted more than 12,500 members of the public between September 2019 and March 2021. Three people were arrested and the service was shut down in March 2021. It is currently unclear how much illegal revenue it generated during this period of activity.
“The basic package, which cost £30 per week, allowed criminals to bypass multi-factor authentication on platforms such as HSBC, Monzo and Lloyds, allowing them to complete fraudulent online transactions,” the NCA said. “The elite plan, which cost £380 per week, allowed access to Visa and Mastercard authentication sites.”