A Chinese hacker accused of helping to steal COVID-19 research and launch a sweeping global cyberattack has been arrested in Italy and faces extradition to the United States, the Justice Department said Monday.
Xu Zewei, 33, was taken into custody July 3 in Milan at the request of U.S. authorities. He and his alleged co-conspirator, Zhang Yu, 44, remain charged in a nine-count indictment unsealed in federal court in Houston. Zhang is still at large.
Prosecutors say Xu worked under orders from China’s Ministry of State Security, the country’s intelligence service, and carried out hacks through his company, Shanghai Powerock Network Co. Ltd. He is accused of stealing sensitive data from U.S. universities and researchers developing COVID-19 vaccines and treatments at the height of the pandemic.
According to court documents, in February 2020, Xu hacked into the network of a research university in Texas and was later directed by Chinese intelligence officials to access email accounts of virologists and immunologists working on COVID-19 research. He allegedly provided the stolen contents of those accounts back to his handlers.
Xu is also accused of playing a key role in the so-called HAFNIUM cyber campaign, which exploited vulnerabilities in Microsoft Exchange Server starting in late 2020. That operation compromised thousands of computers worldwide, including systems belonging to another Texas university and a global law firm with offices in Washington, D.C. After breaking into those systems, Xu and others allegedly installed web shells — software tools that gave them ongoing, remote access — and searched for information tied to U.S. policymakers, government agencies and terms like “Chinese sources” and “HongKong.”
Threat intelligence researchers at Google Cloud recently connected Chinese cyber groups like the one associated with Xu to a broader pattern of exploiting critical vulnerabilities in enterprise software.
In a blog post, Google noted that state-sponsored actors from China, including those tied to the hacking group UNC5221—also known as Silk Typhoon—have specialized in rapidly exploiting so-called zero-day flaws in software such as Ivanti Connect Secure VPN. These campaigns enabled attackers to gain footholds inside government, technology and telecom networks, demonstrating China’s strategic use of cyber tools to pursue espionage and economic advantage.
“This arrest caps off over a decade of indictments and other law enforcement efforts that were usually recognized as symbolic. It has been generally accepted that these actors would never see the inside of a courtroom. This is a good reminder that patience can be rewarded,” said John Hultquist, Chief Analyst at Google’s Threat Intelligence Group.
“Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage,” continued the analyst. “Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”
Xu faces charges including conspiracy to commit wire fraud, unauthorized computer access and aggravated identity theft. If convicted, he could face decades in prison.
Editor’s note: This article was initially written by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.