A Chinese national accused of participating in a state-sponsored cyber espionage campaign that compromised nearly 13,000 U.S. organizations during the pandemic has been extradited from Italy to the United States and formally charged in federal court, the U.S. Department of Justice announced on Monday.
Xu Zewei, along with co-conspirator Zhang Yu (still at large), is alleged to have exploited multiple zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatments, and testing protocols during the initial wave and peak of the pandemic. The attacks were allegedly directed by China’s intelligence services as part of a broader espionage operation known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors, and policy think tanks.
The threat group behind these attacks, now widely referred to as Silk Typhoon, has since expanded its operations to target customers of Microsoft and other vendors.
"Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations," Brett Leatherman, Assistant Director of the FBI’s Cyber Division, stated in a press release.
Leatherman added:
"He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk."
According to court records, Xu allegedly carried out the attacks while employed by Shanghai Powerock Network, a company identified as one of many that conduct cyber operations on behalf of China’s intelligence services. Italian authorities arrested Xu in Milan in July at the request of U.S. officials. His capture highlights the strategic advantage U.S. agencies and allies gain when nation-state threat actors travel to countries that cooperate with extradition requests.
Italy extradited Xu to the U.S. on Saturday, though his extradition order was not publicly released until Monday, Simona Candido, his attorney in Italy, told CyberScoop.
Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas, where he is currently being held at a federal prison in Houston.
"We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people," John G.E. Marck, Acting U.S. Attorney for the Southern District of Texas, said in a statement.
Prosecutors allege that Xu operated under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau, infiltrating U.S. organizations’ networks to steal data, implant webshells for persistent remote access, and exfiltrate information related to U.S. policymakers and government agencies from a global law firm with offices in Washington.
Microsoft first disclosed the HAFNIUM campaign in March 2021, warning customers about the exploitation of vulnerabilities in Microsoft Exchange Server. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) subsequently issued a joint advisory detailing the widespread compromise of Microsoft Exchange Server systems.