A 33-year-old Chinese national has been taken into custody for his alleged involvement in U.S. computer intrusions between February 2020 and June 2021, including the reckless and indiscriminate HAFNIUM campaign that compromised thousands of computers worldwide.
Authorities took People’s Republic of China (PRC) national Xu Zewei (徐泽伟) into custody in Milan, Italy, as he departed a plane from China at the request of the United States.
Xu is charged along with PRC national Zhang Yu (张宇), 44, in a now unsealed nine-count indictment returned in November 2023. They were both involved in computer intrusions between February 2020 and June 2021 at the direction of officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB), according to the indictment.
The charges allege MSS and SSSB are PRC intelligence services responsible for the PRC’s domestic counterintelligence, non-military foreign intelligence and aspects of the PRC’s political and domestic security. When conducting the computer intrusions, Xu worked for Shanghai Powerock Network Co. Ltd., one of many “enabling” companies in the PRC that conducted hacking for the PRC government, according to the charges.
“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said Nicholas Ganjei, U.S. Attorney for the Southern District of Texas. “The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division. “The Justice Department will find you and hold you accountable for threatening our cybersecurity and harming our people and institutions.”
“While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development,” said FBI Houston Special Agent in Charge Douglas Williams. “Xu Zewei, an alleged hacker acting on behalf of China’s primary spy agency, targeted COVID-19 data using sophisticated cyber techniques and tradecraft. His landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the Earth to hold criminal foreign adversaries accountable.”
According to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities and leading immunologists and virologists conducting ground-breaking research into COVID-19 vaccines, treatment and testing. The charges allege Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu allegedly provided an SSSB officer with confirmation that he had compromised the network of a research university located in SDTX. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research at the research university, according to the allegations. Xu later allegedly confirmed to the SSSB officer that he had acquired the contents of the researchers’ mailboxes.
Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving and storing email messages, according to the charges. Their exploitation of Microsoft Exchange Server was allegedly at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as “HAFNIUM.”
In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. In July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC’s MSS, which they and private sector cybersecurity leaders condemned as “indiscriminate,” “reckless,” “irresponsible” and “destabilizing.”
The charges allege victims of Xu’s exploitation of Microsoft Exchange Server were a university located in SDTX and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators allegedly installed web shells on them to enable their remote administration. According to the indictment, these web shells were specific to HAFNIUM actors at the time. As with the earlier COVID-19 research intrusions, Xu and Zhang allegedly worked together on the HAFNIUM intrusions under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the university’s network, according to the charges, and on or about Feb. 28, 2021, updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other, successful intrusions from a second SSSB officer, according to the allegations. The charges allege unauthorized access to the law firm’s network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms allegedly included “Chinese sources,” “MSS” and “HongKong.”
The announcement of charges against Xu is the latest describing the PRC’s use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China allegedly cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. This largely indiscriminate approach can result in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.
In April 2021, the Justice Department announced a court-authorized operation to remediate hundreds of computers in the United States left vulnerable by HAFNIUM actors.
Xu is charged with two counts of wire fraud and conspiracy to do so, all of which carry possible prison terms of up to 20 years in federal prison. The indictment also includes conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud and to commit identity theft, as well as two counts of obtaining information by unauthorized access to protected computers. If convicted on any of those charges, he could receive up to five years, while intentional damage to a protected computer carries a possible maximum sentence of 10 years on either of the two counts as charged. For the aggravated identity theft, he could receive another two years, which must be served consecutively to any other prison term imposed. All convictions would also carry a possible fine of up to $250,000.
Zhang remains at large. Anyone with information about his whereabouts is asked to contact the FBI at 1-800-CALL-FBI (1-800-225-5324).
The FBI’s Houston Field Office is conducting the investigation.
SDTX Assistant U.S. Attorneys S. Mark McIntyre and John Marck and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section are prosecuting the case.