A smartphone displaying the NASA logo with a blurred larger version of the logo in the background.

Executive Summary

In September, the U.S. Department of Justice indicted a Chinese national on charges of wire fraud and identity theft due to their attempts to fraudulently obtain computer software and source code belonging to NASA, in addition to other research entities and private companies. According to the DOJ statement, the individual utilized aggressive spear-phishing and social engineering tactics to conduct the compromise. The attack involved the use of email accounts that impersonated U.S.-based researchers and engineers to obtain restricted software and proprietary source code. The stolen tools were integral to aerospace engineering and computational fluid dynamics, with applications ranging from civilian research to advanced tactical missile development. The individual’s employer, Aviation Industry Corporation of China, is a state-owned aerospace and defense conglomerate, further underscoring the potential alignment of these activities with state interests.

The incident underscores the continued effectiveness of focused spear-phishing tactics to target even the most high-profile organizations. Even in 2024, spear-phishing remains one of the most effective initial access vectors in cyber campaigns. Its success lies in its targeted and deceptive nature, leveraging social engineering to exploit trust. According to the 2024 Verizon Data Breach Investigations Report, phishing attacks accounted for approximately 25% of breaches, with over 50% of those involving credential theft. Metrics from government sources reinforce this assessment. The FBI’s 2023 Internet Crime Report noted that phishing, including spear-phishing, was the most common attack vector, with nearly 300,000 cases reported resulting in $18 million in reported losses in the U.S. alone. Similarly, CISA highlights phishing in its “Top Routinely Exploited Vulnerabilities” advisory, identifying it as a persistent threat to both public and private sectors.

Spear-phishing tactics are often used alongside social engineering to conduct reconnaissance and espionage operations. Historical data shows that threat actors often target space researchers and organizations for espionage purposes, largely tied to technology exchange and theft of intellectual property. In a report released by the Office of the Director of National Intelligence, officials state that foreign intelligence entities, “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.” In the attack against NASA, the targeted software could enhance China’s aerospace and military capabilities, bypassing years of research and development costs. This aligns with broader trends of intellectual property theft driven by government-backed actors, as nation states compete for dominance in space.

This incident is just the latest in a series of cyberattacks targeting NASA, and other entities involved in aerospace research and development. Metrics from a 2024 report published by the US Government Accountability Office state that the space agency has experienced over 6,000 attacks in a four-year span. For example, in 2019, NASA revealed a significant breach where attackers compromised Jet Propulsion Laboratory networks through an unauthorized Raspberry Pi device. The breach raised concerns about supply chain vulnerabilities and endpoint security at the agency. Additional insights from the Space ISAC Watch Center have identified numerous claims of targeting NASA infrastructure in 2024 so far. Most of these attacks are aimed at disrupting NASA public resources or exfiltrating files from NASA databases and selling them on popular leak forums, demonstrating that threat actors of all calibers perceive NASA as a valuable target.

The NASA spear-phishing campaign exemplifies the intersection of state-sponsored espionage, cyber vulnerabilities and technological competition. As NASA and other agencies become increasingly reliant on advanced software for mission-critical operations, they must navigate a persistent threat landscape. By analyzing incidents like this and implementing robust countermeasures, the space industry can better protect its intellectual property and maintain technological confidentiality. The continued focus on spear-phishing highlights the need for a proactive, multi-faceted defense strategy that includes technological, educational, and legal measures. Addressing these challenges will require ongoing collaboration between government entities, private industry and international partners.