In a significant breakthrough against state-sponsored cyber espionage, the Justice Department announced today that Xu Zewei, 33, a Chinese national, was arrested in Milan, Italy, on July 3.
Xu is charged in a nine-count indictment, unsealed in the Southern District of Texas, for his alleged involvement in a far-reaching computer intrusion campaign directed by China’s Ministry of State Security (MSS), including the theft of critical COVID-19 research and the indiscriminate “HAFNIUM” intrusions that compromised thousands of computers worldwide.
Xu and his co-defendant, Zhang Yu, 44, who remains at large, are accused of conducting computer intrusions between February 2020 and June 2021.
According to court documents, these operations were orchestrated by officers of the MSS’s Shanghai State Security Bureau (SSSB), a key PRC intelligence service.
Xu reportedly worked for Shanghai Powerock Network Co. Ltd., identified as one of many “enabling” companies in China that conduct hacking on behalf of the PRC government.
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated John A. Eisenberg, Assistant Attorney General for the National Security Division.
“The Justice Department will find you and hold you accountable for threatening our cybersecurity and harming our people and institutions.”
The indictment alleges that in early 2020, as the world grappled with the nascent COVID-19 pandemic, Xu and his co-conspirators targeted U.S.-based universities, immunologists, and virologists actively engaged in vaccine, treatment, and testing research.
Evidence shows Xu reported his successes to SSSB officers, with one instance on February 19, 2020, confirming a compromise of a research university in the Southern District of Texas.
Days later, an SSSB officer directed Xu to specifically target email accounts of virologists and immunologists at that university, from which he later confirmed acquiring the contents.
Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, leading to the massive “HAFNIUM” campaign.
This campaign, publicly disclosed by Microsoft in March 2021, affected thousands of computers globally, including over 12,700 U.S. entities across various sectors such as law firms and other universities.
The hackers installed “web shells” for remote administration, unique to HAFNIUM actors at the time. Their targets included a law firm with global offices, from which they sought information on U.S. policymakers and government agencies using search terms like “Chinese sources,” “MSS,” and “HongKong.”
Nicholas Ganjei, U.S. Attorney for the Southern District of Texas, emphasized the long-term commitment to justice.
“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” Ganjei said.
“The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”
Assistant Director Brett Leatherman of the FBI’s Cyber Division highlighted the breadth of the HAFNIUM attacks. “Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information,” Leatherman stated.
The charges against Xu include conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to and obtain information by unauthorized access to protected computers, and aggravated identity theft, carrying potential penalties of decades in prison.
While Xu faces extradition from Italy, co-defendant Zhang Yu remains at large, and the FBI is seeking information on his whereabouts. The public is urged to contact the FBI at 1-800-CALL-FBI (1-800-225-5324) with any relevant information.
This arrest further exposes the PRC’s strategy of utilizing private companies and contractors to conduct cyber espionage, obscuring government involvement and creating a wide net for intelligence gathering, often selling stolen information to third parties.
The FBI’s Houston Field Office is leading the ongoing investigation, with significant assistance from the Justice Department’s Office of International Affairs.