
Industrial Espionage in Aerospace: The Song Wu Spear-Phishing Campaign


May 16, 2026

The multi-year spear-phishing campaign orchestrated by Chinese national Song Wu represents a sophisticated, targeted effort to compromise U.S. aerospace defense assets. Operating as an engineer for the state-owned Aviation Industry Corporation of China (AVIC), Wu successfully manipulated the inherent trust within the American research community to illicitly acquire export-controlled software and proprietary source code critical to military advancement.

Unlike traditional financially motivated cybercriminals, Wu was a highly educated industry professional whose efforts directly aligned with foreign military objectives. His employer, AVIC, is headquartered in Beijing and is a massive state-owned aerospace and defense conglomerate with over 400,000 employees. It designs and manufactures civilian and military aircraft for the People's Liberation Army (PLA) and sits prominently on U.S. sanctions and export-restriction lists. Using his specialized knowledge of aerospace software, Wu knew exactly what tools AVIC required to bypass expensive R&D phases for advanced weaponry.

Between 2017 and 2021, Wu systematically targeted individuals across NASA, the U.S. military, prominent research universities, and private defense firms. Rather than relying on complex network intrusions or malware, his strategy centered on highly calculated social engineering. By creating deceptive lookalike email accounts, he successfully impersonated trusted U.S.-based professors and aerospace engineers. Wu used these fraudulent personas to request specialized software suites, focusing heavily on Computational Fluid Dynamics (CFD) and aerodynamic design tools. In the defense sector, these specific applications are critical for modeling hypersonic flight, assessing advanced weapon systems, and developing next-generation tactical missiles.

The scheme unraveled following a joint investigation by the NASA Office of Inspector General and the FBI, which identified several distinct operational anomalies. Investigators noted that Wu frequently made repetitive requests for identical software packages, offered vague or shifting justifications for his access needs, and consistently attempted to bypass standard, audited software distribution protocols.
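The following is an added example, not taken from the investigation or from any tool the article names. It sketches how a software-distribution desk could screen requests for two of the anomalies described above: a sender address that resembles but does not match a verified contact, and repeated requests for the same package. The contact directory, request records, package names and thresholds are constructed assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed directory of verified colleagues: display name -> address on file.
KNOWN_CONTACTS = {
    "Dr. Alice Rivera": "arivera@univ.example",
    "Ben Okafor": "ben.okafor@lab.example",
}

# Constructed inbound requests: (display name, sender address, package requested).
REQUESTS = [
    ("Dr. Alice Rivera", "arivera@univ.example", "cfd-suite"),
    ("Dr. Alice Rivera", "arivera.univ@mail.example", "cfd-suite"),
    ("B. Okafor", "ben.okafar@lab.example", "aero-design"),
    ("B. Okafor", "ben.okafar@lab.example", "aero-design"),
    ("Carol Diaz", "cdiaz@corp.example", "cfd-suite"),
]

def similarity(a, b):
    """Ratio in [0, 1] of how closely two strings match, ignoring case."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def check_sender(display_name, address, threshold=0.85):
    """Classify a sender as 'verified', 'lookalike' or 'unknown'."""
    addr = address.strip().lower()
    if addr in KNOWN_CONTACTS.values():
        return "verified"
    for name, known in KNOWN_CONTACTS.items():
        # A trusted name on a different address, or a near-miss of a trusted
        # address, is the lookalike pattern: treat both as impersonation.
        claims_name = display_name.strip().lower() == name.lower()
        if claims_name or similarity(addr, known) >= threshold:
            return "lookalike"
    return "unknown"

def triage(requests, repeat_limit=1):
    """Return {address: reasons} for senders needing out-of-band verification."""
    counts = Counter((addr.lower(), pkg) for _, addr, pkg in requests)
    findings = {}
    for name, addr, pkg in requests:
        reasons = findings.setdefault(addr.lower(), set())
        status = check_sender(name, addr)
        if status != "verified":
            reasons.add(status)
        if counts[(addr.lower(), pkg)] > repeat_limit:
            reasons.add("repeat-request")
    return {addr: r for addr, r in findings.items() if r}

if __name__ == "__main__":
    for addr, reasons in sorted(triage(REQUESTS).items()):
        print(addr, sorted(reasons))
```

Anything the triage returns should be confirmed with the named colleague through a channel already on file, not by replying to the requesting address.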

In September 2024, a federal grand jury in the Northern District of Georgia indicted Wu on 14 counts of wire fraud and 14 counts of aggravated identity theft. Each wire fraud count carries a maximum penalty of 20 years in prison, while the identity theft charges carry mandatory, consecutive two-year sentences. Because Wu remains at large and is believed to be in China, he has been placed on the FBI’s Cyber Most Wanted list, with federal warrants actively out for his arrest.

This case highlights a critical point of vulnerability in national security: the exploitation of professional relationships and human trust. Security analysts warn that while traditional network infrastructure remains heavily fortified, the human element continues to be a primary vector for industrial espionage. Furthermore, counterintelligence agencies note that the manual research and personalization Wu utilized over his four-year campaign will likely become cheaper and more scalable for foreign adversaries through the integration of generative AI technologies, making strict adherence to export control verification and email vigilance more vital than ever.

 

Broad Impact & The Future of Defense Cyber-Security

The Song Wu case highlights a dangerous vulnerability in national security: the human element. Cyber security analysts note that while billions are spent protecting firewalls, a simple email from a "friend" can completely bypass those defenses.

Furthermore, intelligence officials warn that the playbook Wu utilized, which required manual research and drafting over four years, will likely be scaled exponentially in future espionage attempts through the integration of generative AI. AI tools will allow future threat actors to clone a researcher's exact writing style and launch highly personalized spear-phishing campaigns at machine speed across thousands of defense targets simultaneously.