The Office of Inspector General (OIG) of the U.S. National Aeronautics and Space Administration (NASA) has revealed how a Chinese national posed as a U.S. researcher as part of a spear-phishing campaign to obtain sensitive information from the space agency, as well as from government entities, universities, and private companies, in violation of export control laws.

“For years, NASA employees and research collaborators thought they were simply sharing software with colleagues,” the OIG said in a Thursday release. “Instead, they were emailing sensitive defense technology to a Chinese national who was impersonating U.S. engineers.”

The individual linked to the campaign was outed as Chinese national Song Wu in September 2024, when the U.S. Department of Justice (DoJ) announced charges against him for orchestrating a multi-year campaign that stretched from January 2017 to December 2021 and involved targeting dozens of U.S. professors, researchers, and engineers.

Some of the victims of the campaign were employed at NASA, the Air Force, the Navy, the Army, and the Federal Aviation Administration, while the others worked at major universities and private sector firms.

According to the 2024 indictment, Song was an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008. In an attempt to obtain modeling software used for aerospace design and weapons development, Song and his co-conspirators are alleged to have conducted extensive research on their targets by masquerading as friends and colleagues to gain access to proprietary software and source code.

The OIG said the scheme was successful in a handful of cases where victims shared the sensitive information with the imposter accounts managed by Song et al without realizing they were violating U.S. export control laws.

Song has been indicted on counts of wire fraud and 14 counts of aggravated identity theft, and faces a maximum sentence of 20 years in prison for each count of wire fraud. He also faces a two-year consecutive sentence if convicted of aggravated identity theft. The 40-year-old remains at large.

Adding Song to the U.S. Most Wanted List, the U.S. Federal Bureau of Investigation (FBI) said the specialized software could be used for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons.

“As phishing campaigns continue to become more sophisticated, there are common clues that can betray scammers and expose their export fraud schemes,” the OIG said. “In Song’s case, he made multiple requests for the same software and did not justify why he needed it.”

“Export control scammers also often suggest unusual payment methods (such as suspicious wire transfers); abruptly change the terms or source of payment; and use unconventional transfer methods to mask their identity and evade shipping restrictions.”