Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3.
U.S. officials had issued an arrest warrant for him, accusing him of being part of a Chinese state-backed hacking group that infiltrated a Texas university to steal information related to COVID-19 vaccine research.
The Justice Department confirmed the arrest and unsealed a nine-count indictment against Xu and his co-defendant Zhang Yu, detailing their alleged involvement in a series of computer intrusions that took place between February 2020 and June 2021.
This included the notorious HAFNIUM cyber campaign, which compromised thousands of computers globally, including many in the United States.
According to prosecutors, Xu conducted these hacking operations at the direction of China’s Ministry of State Security (MSS) and its Shanghai State Security Bureau (SSSB), the MSS’s regional arm in Shanghai and a core part of China’s intelligence apparatus.
The indictment alleges that Xu played a significant role in targeting an unnamed university in Texas in 2020, with the intent to steal research related to a COVID-19 vaccine.
Court documents indicate that Xu was heavily involved in cyberattacks carried out by the group known as HAFNIUM, which has been active for years, attacking U.S. government agencies and other large organizations.
U.S. Attorney Nicholas Ganjei of the Southern District of Texas said authorities had waited years for the opportunity to apprehend Xu.
A warrant for his arrest was filed in November 2023 in the U.S. District Court for the Southern District of Texas, which shows how long the investigation had been running before the arrest.
“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party targeted American universities to steal groundbreaking COVID-19 research,” said Brett Leatherman, Assistant Director of the FBI’s Cyber Division.
He highlighted that through the HAFNIUM group, the Chinese Communist Party targeted over 60,000 entities in the U.S., successfully victimizing more than 12,700 in the process.
Court filings disclosed that Xu was directed to target specific email accounts belonging to virologists and immunologists engaged in crucial COVID-19 research at a Texas university as early as February 22, 2020.
Prosecutors claim that Xu reported back to his superiors, confirming that he had successfully compromised the network of the research university.
The indictment fits a pattern in which U.S. agencies and researchers have repeatedly accused Chinese hackers of targeting institutions working on COVID-19 vaccines while countries scrambled for solutions during the pandemic that erupted in 2020.
In early 2021, prosecutors allege, Xu and other hackers took part in the mass exploitation of Microsoft Exchange Servers, the intrusions commonly referred to as the HAFNIUM attacks.
Victims of the intrusions attributed to Xu included another university in Texas and law firms around the world.
Court documents also cite messages from Xu to his handlers reporting that he had breached a university’s network.
In one incident involving a law firm, Xu was given specific instructions to search mailboxes for phrases such as “Chinese sources,” “MSS,” and “HongKong,” and for material concerning specific U.S. policymakers and government bodies.
Xu is set to face an extradition hearing shortly, at which his lawyer intends to contest the U.S. request, arguing that Xu’s name is common in China and that he therefore cannot be definitively linked to the alleged crimes.
If convicted on all counts, Xu could face a maximum sentence of up to 77 years in prison.
Meanwhile, his co-defendant Zhang Yu remains at large, further complicating the case.
Xu’s wife, who was travelling with him, insisted that her husband is not a hacker and works as an IT technician for a company named GTA Semiconductor.
The DOJ stressed that Xu worked for Shanghai Powerock Network at the time of the alleged intrusions, reflecting a broader concern that China uses a range of private companies to carry out state-backed hacking operations.
This arrangement gives the Chinese government plausible deniability for such intrusion campaigns.
“Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cashed in on identifying vulnerable systems, exploiting them, and then relaying valuable information, either directly or indirectly, to the Chinese government,” the Justice Department stated in its release.
The DOJ release concluded that these indiscriminate methods leave many more victims in the United States and abroad with exploited systems and stolen data, much of which is of little interest to the Chinese government and is instead sold to other parties.