Chinese national arrested in Milan after US issues arrest warrant for Hafnium attacks
Police in Italy arrested a 33-year-old accused by U.S. officials of being a member of a Chinese state-backed group allegedly responsible for hacking into a Texas university to steal COVID-19 vaccine information.
Xu Zewei, a 33-year-old from Shanghai, was nabbed at an airport in Milan on July 3, according to Italian news agency ANSA. The outlet said U.S. officials issued an arrest warrant for him on charges of wire fraud, aggravated identity theft and unauthorized access to protected computers.
The Justice Department confirmed the arrest in a statement, unsealing a nine-count indictment on Tuesday accusing Xu and co-defendant Zhang Yu of being involved in “computer intrusions between February 2020 and June 2021, including the indiscriminate HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States.”
Prosecutors said Xu was ordered to conduct the hacks at the behest of China’s Ministry of State Security (MSS) and Shanghai State Security Bureau (SSSB) — both of which are intelligence services.
The unsealed court documents accused Xu of being part of the team of state-backed hackers that targeted an unnamed Texas university in 2020 to obtain a vaccine for COVID-19.
Xu, according to the documents, was heavily involved in cyberattacks conducted by Hafnium — which is also known as Silk Typhoon. The group has spent years targeting U.S. government agencies and other large organizations.
Nicholas Ganjei, U.S. Attorney for the Southern District of Texas, said prosecutors have waited for years to arrest Xu. The Justice Department filed a warrant for his arrest in the U.S. District Court for the Southern District of Texas in November 2023.
“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party (CCP) targeted American universities to steal groundbreaking COVID-19 research. The following year, these same actors, operating as a group publicly known as HAFNIUM, exploited zero-day vulnerabilities in U.S. systems to steal additional research,” said Brett Leatherman, Assistant Director of the FBI’s Cyber Division.
“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information.”
Court documents said Xu and other hackers targeted U.S. universities, immunologists and virologists conducting research into COVID-19 vaccines, treatment and testing. Xu and others reported back to supervising officers at the SSSB — including one instance where Xu confirmed that he “had compromised the network of a research university located in the Southern District of Texas.”
The Justice Department said Xu was directed to “target and access specific email accounts belonging to virologists and immunologists engaged in COVID-19 research for the research university” on February 22, 2020.
Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes, according to prosecutors.
U.S. agencies and researchers have long accused China’s hacking operations of targeting research institutions working on COVID-19 vaccines as much of the world sought solutions to the devastating pandemic that began in 2020.
Searching inboxes
Later, in 2021, Xu and others were heavily involved in the attacks on Microsoft Exchange Servers widely known as the Hafnium attacks.
Victims of Xu’s targeting of Microsoft Exchange Servers include another university in Texas and law firms worldwide. Prosecutors obtained messages from Xu to his superiors confirming he had breached the university’s network.
In one breach of a law firm, Xu was ordered to search mailboxes for terms like “Chinese sources,” “MSS” and “HongKong,” as well as for information regarding specific U.S. policy makers and government agencies.
Xu’s extradition hearing is slated to take place on Tuesday and his lawyer said he plans to fight the request, arguing that U.S. officials have the wrong person because his name is common in China. Xu is facing 77 years in prison if convicted on all of the charges. His co-conspirator Zhang Yu is still at large.
Xu’s wife, who was traveling with him, said he is not a hacker and works as an IT technician for a company called GTA Semi Conductor.
The DOJ claimed Xu worked for Shanghai Powerock Network when he conducted the cyberattacks, lending further credence to its wider concern that China is using an array of private companies to launch state-backed intrusion campaigns in an effort to provide plausible deniability for the country’s government.
“Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government,” the Justice Department said.
“This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.