Written by: Zachary Cuttito
On September 16, the U.S. Attorney’s Office for the Northern District of Georgia announced that Song Wu, a Chinese national, had been indicted on 14 counts of wire fraud, each carrying a maximum sentence of 20 years, and 14 counts of aggravated identity theft. Wu is accused of leading a multi-year spear phishing campaign that targeted U.S. agencies, companies and universities in order to obtain software and computer code. In the campaign, Wu posed as colleagues, associates and friends of researchers at a variety of organizations, sending fake emails that asked the recipients to send the code or software that Wu believed they had access to.
Some of the prominent agencies that Wu targeted were the National Aeronautics and Space Administration (“NASA”), the U.S. Army, Navy and Air Force, and the Federal Aviation Administration. It comes as no surprise that his targets were heavily involved in the aeronautical field, given that Wu worked as an engineer at Aviation Industry Corporation of China, a state-owned aerospace company headquartered in Beijing that manufactures aircraft for both the private sector and the military. The software that Wu was after was no simple program either: the prize he had his eyes on was software that could be used for military applications like the development of advanced tactical missiles. Software of this kind falling into another nation-state’s hands is certainly a national security risk.
What is Spear Phishing?
Spear phishing is a social engineering attack in which the cyber actor sends emails over the internet, targeted at an individual with some form of elevated credential at a particular agency or company. The goal is either for the target to click on a link that installs malware on the target’s computer, allowing the cyber actor to take it over, or for the target to give up credentials or protected information to a cyber actor who poses as a trusted individual. In the latter case, the spear phisher usually poses as a friend, colleague or supervisor to appear legitimate and authentic, which he or she accomplishes by carefully researching a target for an appreciable amount of time. With the widespread use of social media today, it is easy for phishers to research relationships and employment data on anyone with a digital footprint.
Spear phishing is dangerous for two main reasons. First, prevention measures aren’t very effective. The most common prevention measure relies heavily on educating employees on how to discern and spot phishing emails. Leaders in cyber security such as CrowdStrike tell employers to watch out for emails that contain incorrect email addresses or grammatical or spelling errors, and for ones that convey a sense of urgency. As spear phishing becomes more sophisticated, though, the emails look more legitimate and contain fewer errors, making it harder for employees to spot a phishing scam. Other than employee awareness, there is really no effective way to stop phishing emails from reaching inboxes.
Second, the costs of phishing are immense and its effects widespread. In 2022, the global cost of cyber-crimes was $8 trillion according to Statista, and the FBI reported that U.S. losses were an estimated $7 billion across 847,376 reported cases as of 2021. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), 68% of the 10,069 breaches it studied involved a human element, and phishing accounted for 31% of all social engineering breaches, from a sample size of 3,647.
How Is Spear Phishing Prosecuted?
Spear phishing can be prosecuted under a few different crimes depending on what the cyber actor is after. First, if the cyber actor is after data extraction, meaning that the actor is simply seeking to steal data from a target, then the conduct can be charged as a violation of 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (“CFAA”), which criminalizes knowingly accessing a computer without authorization and, through such conduct, obtaining information from a “protected computer”, which is one that is used in interstate or foreign commerce. Spear phishing allows cyber actors to gain unauthorized access to a protected computer by embedding malware in a link that, unbeknownst to the target, installs the malware once clicked. Once the phisher has access to the infected computer, the malware typically seeks out sensitive files and then transmits them back to the cyber actor.
Second, if the cyber actor’s goal in the campaign is to steal money from the target, then another way of prosecuting spear phishing is by charging the cyber actor with wire fraud under 18 U.S.C. § 1343. To prove that an individual is guilty of wire fraud, the prosecution must prove that the individual knowingly and willfully devised a scheme to defraud, with specific intent to defraud, and that the individual used interstate wire communications in furtherance of the scheme. In a spear phishing campaign aimed at defrauding the target, once inside a target’s computer through malware, the attacker can access documents containing passwords or other sensitive financial information stored on the computer, or access accounts on the internet through the victim’s stolen credentials. This may look like an attacker logging into someone’s bank account online with stolen credentials and then transferring the money to an offshore account. These are but two ways that spear phishing conduct may be punished criminally; it is certainly not limited to them.
Conclusion
It is unclear at this stage of the investigation how much information Wu has obtained in this spear phishing campaign. However, the U.S. Attorney’s Office and the FBI will continue to investigate the matter in preparation for trial. What these government agencies know for sure is that spear phishing preys on the human factor: the relationships that we make and the trust we give to those we know. No matter what security measures employers have for their computer systems, the human factor is still one of the largest vulnerabilities in today’s society, where it is far easier to click a link than to analyze an email.
Sources:
18 U.S.C. § 1030.
18 U.S.C. § 1343.
Ani Petrosyan, Estimated cost of cybercrime worldwide 2018-2029 (in trillion U.S. dollars), Statista (July 30, 2024).
Bart Lenaerts-Bergmans, What is Spear-Phishing? Definition With Examples, CrowdStrike (Nov. 6, 2023).
U.S. Att’y’s Off. N. Dist. of Ga., Chinese National Charged for Multi-Year “Spear Phishing” Campaign (2024).
Verizon, 2024 Data Breach Investigations Report 8, 37 (2024).