Last updated 1 month ago
The United States National Aeronautics and Space Administration (NASA), a government agency, was targeted in a spear-phishing campaign by a Chinese national posing as a U.S. researcher. The Office of Inspector General (OIG) disclosed the incident in April 2026, though the exact discovery date is not specified. The breach affected NASA employees and also targeted other government entities, universities, and private companies, violating export control laws. No specific record count or affected user population is provided.
The attack chain involved spear-phishing emails sent to NASA employees, leveraging social engineering to trick recipients into divulging sensitive information. The threat actor, an unnamed Chinese national, impersonated a legitimate U.S. researcher to gain trust. The compromised data includes sensitive information related to export-controlled technologies, though specific data types such as credentials or personal data are not detailed. No CVEs or specific exploitation techniques are mentioned.
Post-incident, the OIG revealed the findings, but no details on regulatory actions, litigation, ransom payments, or containment milestones are provided in the article.
Spear-phishing campaign where a Chinese national posed as a U.S. researcher to obtain sensitive information from NASA and other entities.
This incident underscores the need for robust phishing awareness training and multi-factor authentication to counter social engineering attacks targeting government employees. NASA's failure to detect the impersonation highlights gaps in identity verification and email security controls, particularly for spear-phishing campaigns that exploit trust in academic or research collaborations.
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector
Threat Actor
Continent
Country
Industry
Attack Vector
Threat Actor
MITRE ATT&CK