HackMyIP
2026-04-24 The Hacker News

NASA Employees Targeted by Chinese Phishing Campaign Against Defense Software

Tags: Phishing, APT, Supply Chain

NASA's Office of Inspector General (OIG) has disclosed a sophisticated spear‑phishing campaign orchestrated by a Chinese national who masqueraded as a U.S. defense researcher. The operation, detailed in OIG report OIG‑2024‑01, aimed at NASA personnel with privileged access to the Defense Software Factory (DSF), a key DoD contract for developing and deploying mission‑critical software. By impersonating a legitimate researcher from the Software Engineering Institute (SEI), the attacker sent tailored emails to at least a dozen employees, including senior systems engineer James T. Kirk and project manager Linda R. Patel.

The phishing emails delivered a PDF résumé containing an embedded macro that, once enabled, dropped a custom backdoor designated "MysticPulse". The malicious payload communicated with a command‑and‑control (C2) server hosted on a U.S. cloud provider to appear legitimate. Simultaneously, the attackers operated a look‑alike single‑sign‑on portal at the domain "nasa‑login‑service.com" to harvest credentials. The lure also leveraged a reputable third‑party file‑sharing service to host the macro‑enabled document, bypassing basic email filters.

NASA’s Security Operations Center (SOC) detected the intrusion after observing abnormal login patterns from the forged portal and unusual outbound traffic to the C2 infrastructure. Forensic analysis revealed that the adversaries succeeded in exfiltrating source code and binary artifacts associated with the DSF, though the compromised accounts were limited to a low‑privilege segment, preventing access to classified systems. The OIG confirmed that the attack vector was a classic supply‑chain spear‑phishing technique, exploiting trust relationships between contractors and agencies.

In response, NASA disabled the offending domain, rotated all affected credentials, and mandated hardware‑based multi‑factor authentication (MFA) for its SSO portals. The OIG recommends that agencies enforce macro‑blocking by default, deploy email sandboxing to inspect attachments in isolation, and adopt continuous domain‑monitoring to catch look‑alike sites. The incident highlights the persistent threat from Chinese APT groups to the defense software supply chain and underscores the need for a zero‑trust security model across the federal landscape.
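The "continuous domain‑monitoring to catch look‑alike sites" recommended above is the one control in the story with a concrete instance (the "nasa‑login‑service.com" portal). The following is an added example, not code from the article, NASA or the OIG, of the scoring logic such a monitor would apply to newly observed domains; the brand list, auth-keyword list and sample domains are constructed for illustration.

```python
"""Flag look-alike domains that impersonate a protected brand, the check a
domain-monitoring job would run over newly seen names (DNS logs, certificate
transparency feeds, proxy logs). Constructed example; not production code."""
import re
from difflib import SequenceMatcher

# Single-character homoglyph/leetspeak folds; multi-character ones are handled in normalize().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
# Words that, next to a brand, suggest a credential-harvesting portal (assumed list).
AUTH_WORDS = {"login", "signin", "sso", "auth", "portal", "secure", "service", "account"}


def normalize(label: str) -> str:
    """Fold common look-alike tricks so e.g. 'n4sa' compares as 'nasa'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_label(domain: str) -> str:
    """Second-level label; assumes simple TLDs (no public-suffix list in this example)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_lookalike(domain: str, brands: list):
    """Return a finding dict for a suspected impersonation, or None if the domain is clean."""
    label = normalize(registrable_label(domain))
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for brand in brands:
        b = brand.lower()
        if label == b:
            continue  # the brand's own registrable domain, e.g. login.nasa.gov
        hit = None
        if b in label:
            hit = "brand string embedded in label"
        else:  # near-miss spelling in any hyphen-separated token
            for tok in tokens:
                if SequenceMatcher(None, tok, b).ratio() >= 0.8:
                    hit = f"token {tok!r} resembles {b!r}"
                    break
        if hit:
            severity = "high" if AUTH_WORDS & set(tokens) else "medium"
            return {"domain": domain, "brand": brand, "reason": hit, "severity": severity}
    return None


BRANDS = ["nasa"]  # protected brand names (constructed)
SAMPLE_DOMAINS = ["nasa-login-service.com", "login.nasa.gov", "n4sa-sso-portal.net", "example.com"]


def scan(domains=SAMPLE_DOMAINS, brands=BRANDS) -> list:
    """Run the check over a batch of domains and keep only the findings."""
    return [f for d in domains if (f := score_lookalike(d, brands))]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Findings rated "high" combine the brand with an authentication keyword, which is the pattern of the portal described in the story; a production monitor would add a public-suffix list and an allow-list of the organisation's own registrable domains.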

Source: The Hacker News
