A Chinese national accused of exploiting vulnerabilities to steal COVID-19 vaccine research and other sensitive data from nearly 13,000 U.S. organizations has been extradited to the United States and formally charged. The Justice Department announced Monday that Xu Zewei faces federal charges over a widespread intrusion campaign that prosecutors say was directed by China's intelligence services.
Xu and his co-conspirators are accused of using zero-day exploits against on-premises Microsoft Exchange Server installations to gain access to victim networks, with the aim of stealing sensitive information, including research on COVID-19 vaccines and treatments, at the height of the pandemic. The indictment also names Zhang Yu, who remains at large.
Allegations of HAFNIUM Campaign Involvement
The indictment details Xu's alleged role in HAFNIUM, a sprawling cyber-espionage operation attributed to China. The campaign targeted a wide range of entities, including infectious disease researchers, law firms, universities, defense contractors, and policy think tanks. Microsoft, which coined the HAFNIUM name, now tracks the same group as Silk Typhoon under its current threat-actor naming scheme.
“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” stated Brett Leatherman, assistant director of the FBI’s Cyber Division. He added that Xu represents one of many contracted individuals used by the Chinese government to conceal its involvement in cyber operations, with others facing similar risks.
Nation-State Cyber Espionage and Contracted Actors
Court records indicate that Xu worked for Shanghai Powerock Network, a company alleged to have conducted intrusions on behalf of several Chinese intelligence agencies. The FBI and other U.S. officials describe a consistent pattern in which China tasks private contractors with its cyber-espionage objectives, which lets the state keep a layer of deniability between itself and the operators.
Italian authorities arrested Xu in Milan in July at the request of the United States. The arrest illustrates how indicted individuals become reachable once they travel to a country that cooperates with U.S. extradition requests, and the extradition reflects the U.S. strategy of pursuing alleged perpetrators across borders rather than only naming them in sealed indictments.
Xu was extradited to the U.S. on Saturday, with his extradition orders becoming public on Monday, according to his Italian attorney. He made his initial appearance in the U.S. District Court for the Southern District of Texas and is currently detained in Houston.
“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” said John G.E. Marck, acting U.S. attorney for the Southern District of Texas. U.S. attorneys have emphasized their commitment to prosecuting those involved in state-sponsored cyber intrusions.
Details of the Alleged Criminal Activity
Authorities allege that Xu operated under the direction of the Shanghai State Security Bureau, a regional arm of China's Ministry of State Security. His alleged responsibilities included breaching U.S. organizations' networks, exfiltrating data, and deploying webshells, server-side scripts dropped onto the compromised Exchange servers that let the operators run commands over ordinary HTTP requests and keep access after the initial exploit. The charges also include accusations of stealing information pertaining to U.S. policymakers and government agencies from a global law firm with a presence in Washington.
Microsoft first alerted its customers to the HAFNIUM campaign in March 2021, when it published out-of-band security updates for on-premises Exchange Server (Exchange Online was not affected). The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) followed with a joint advisory on the widespread compromise of Exchange Server. Both stressed a point defenders still get wrong: applying the updates closes the entry point but does not remove webshells or other persistence already planted, so a patched server still had to be examined for signs of prior compromise.
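As an added example of the kind of post-patch check the advisory called for, not code from the article or from any of the parties it describes, the following Python script scans Exchange's IIS web roots for recently written ASPX handlers whose content looks like a command shell. The indicator strings and the sample "shell" file are constructed for this illustration; they are modeled on the widely documented one-line JScript eval shell but the article itself does not say which webshell the operators used. The default directory list is the set of Exchange paths I recall the public advisories pointing defenders to and is an assumption to be checked against your own deployment.

```python
"""Webshell triage for on-premises Exchange web roots (added example, not from the article).

Heuristic only: it flags ASPX-family files that combine request-driven input
with server-side evaluation or process execution, which is how most Exchange
webshells are built. Tune SHELL_PATTERNS to your environment before trusting it.
"""
import os
import re
import tempfile
from datetime import datetime

# Assumed: directories the 2021 advisories asked defenders to inspect (recalled, not from the article).
DEFAULT_EXCHANGE_WEB_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]

# Content indicators. "Strong" ones are sufficient on their own; "weak" ones need a second hit.
SHELL_PATTERNS = {
    "server_side_eval": re.compile(r"\beval\s*\(\s*Request", re.I),      # eval(Request[...])
    "process_start": re.compile(r"Process\.Start|ProcessStartInfo", re.I),  # spawning cmd/powershell
    "unsafe_eval_flag": re.compile(r'"unsafe"', re.I),                   # JScript eval(..., "unsafe")
    "request_to_exec": re.compile(r"Request\s*(\[|\.Item\[|\.Form\[|\.QueryString\[)", re.I),
    "jscript_page": re.compile(r'Language\s*=\s*"?JScript"?', re.I),      # OWA pages are C#, not JScript
}
STRONG_INDICATORS = {"server_side_eval", "process_start"}
HANDLER_SUFFIXES = (".aspx", ".ashx", ".asmx")


def classify_aspx(text):
    """Return the names of all indicators that match this file's content."""
    return {name for name, rx in SHELL_PATTERNS.items() if rx.search(text)}


def is_suspicious(hits):
    """One strong indicator, or any two indicators, is enough to escalate."""
    return bool(hits & STRONG_INDICATORS) or len(hits) >= 2


def scan_web_roots(roots, since=None):
    """Walk each root and return [(path, sorted indicator names)] for suspicious handlers.

    `since` (datetime) restricts the scan to files modified after that time, e.g. the
    date the server was patched, so pre-existing legitimate pages are skipped.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(HANDLER_SUFFIXES):
                    continue
                path = os.path.join(dirpath, name)
                if since is not None and datetime.fromtimestamp(os.path.getmtime(path)) < since:
                    continue
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue  # unreadable file: log it in a real deployment
                hits = classify_aspx(text)
                if is_suspicious(hits):
                    findings.append((path, sorted(hits)))
    return findings


def demo():
    """Build a constructed web root in a temp dir, scan it, and return flagged file names."""
    tmp = tempfile.mkdtemp(prefix="exchange_webroot_")
    auth_dir = os.path.join(tmp, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(auth_dir)
    samples = {  # constructed sample files, not real artifacts from the case
        "logon.aspx": '<%@ Page Language="C#" AutoEventWireup="true" %>\n'
                      "<html><body>Outlook Web App sign-in</body></html>\n",
        "shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    }
    for name, body in samples.items():
        with open(os.path.join(auth_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return sorted(os.path.basename(path) for path, _ in scan_web_roots([tmp]))


if __name__ == "__main__":
    print(demo())  # constructed run flags only shell.aspx
```

In production you would pass `DEFAULT_EXCHANGE_WEB_ROOTS` (after confirming the paths for your Exchange version) with `since` set to the patch date, and treat any hit as a trigger for full incident response rather than simply deleting the file, since the shell is the symptom of an intrusion that may already have moved elsewhere.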
“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” commented Aaron Shraberg, senior team lead of global intelligence at Flashpoint. He noted that the extradition of individuals from cooperating countries signifies a unified global stance against such actions.
Shraberg further stated that the extradition highlights the importance of bringing real-world consequences to individuals engaging in China’s cyber activities, which affect not only Americans but also entities and individuals worldwide. The prosecution of Xu is seen as a significant step in holding state-sponsored actors accountable.
Charges and Potential Penalties
Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage and obtain information via unauthorized computer access, conspiracy to commit identity theft, obtaining information through unauthorized access, intentional damage to protected computers, and aggravated identity theft. The 34-year-old could be sentenced to a maximum of 62 years in prison if convicted.
The case will now proceed in U.S. federal court. The outcome will be watched closely for what it reveals about prosecuting individuals linked to state-sponsored intrusions and for its broader implications for international cyber law enforcement cooperation. The whereabouts of Zhang Yu, his alleged co-conspirator, remain a focus for investigators.