Alleged Chinese hacker extradited to US over cyberattacks targeting COVID-19 research

Chinese national Xu Zewei was extradited from Italy to the United States to face charges tied to an alleged cyber espionage campaign that breached thousands of computers worldwide. Xu is charged alongside Zhang Yu, who remains at large.

Chinese national cyber espionage

According to court documents, officers of China’s Ministry of State Security (MSS), including its Shanghai State Security Bureau (SSSB), directed the hacking. Xu allegedly carried out the intrusions while working for Shanghai Powerock Network Co. Ltd., a firm prosecutors describe as part of a network used to conduct hacking for the government.

Prosecutors tie Xu Zewei and his co-conspirators to attacks on US universities and COVID-19 research organizations, where attackers allegedly aimed to obtain data on vaccines, treatments, and testing.

The charges also link the group to the HAFNIUM campaign, which involved exploiting Microsoft Exchange Server vulnerabilities to compromise email servers and gain broader access to victim networks.

Microsoft disclosed the activity in March 2021, leading to security updates and guidance from agencies including the FBI and CISA.

“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.

“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” added Leatherman.

Among the victims, prosecutors say, were a university in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C.

“After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration,” US authorities said.

Xu faces multiple charges, including wire fraud, computer intrusion, and aggravated identity theft, with maximum penalties ranging from two to 20 years in prison depending on the count.

Officials stated that a network of private firms and contractors in China cast a wide net to find vulnerable computers, exploit them, and collect data for sale to the Chinese government.

“This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties,” they concluded.