The U.S. Department of Justice (DOJ) has unsealed a nine-count indictment against Xu Zewei (徐泽伟), 33, a Chinese national arrested on July 3 in Milan, Italy, for his alleged role in a sweeping cyberespionage campaign that targeted U.S. research institutions, law firms, and Microsoft Exchange servers at the height of the COVID-19 pandemic.
Xu now faces extradition proceedings after being apprehended at the request of the United States. His co-conspirator, Zhang Yu (张宇), 44, remains at large.
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division.
According to court documents, Xu worked on behalf of the Ministry of State Security (MSS) of the People’s Republic of China, specifically its Shanghai State Security Bureau (SSSB). The hacking activity was conducted through a front company named Shanghai Powerock Network Co. Ltd., one of many “enabling” contractors aligned with the PRC’s state-sponsored cyber operations.
“Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers… in a manner that obscured the PRC government’s involvement,” the DOJ stated.
From February 2020 to June 2021, Xu allegedly led cyber intrusions as part of HAFNIUM, a notorious hacking group linked to the exploitation of zero-day vulnerabilities in Microsoft Exchange Servers — a campaign that compromised over 60,000 U.S. entities, according to the FBI.
Xu’s campaign began with laser-focused attacks against U.S.-based immunologists, virologists, and university research networks at the onset of the pandemic. The goal: steal sensitive information on COVID-19 vaccines and treatments.
“Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said Nicholas Ganjei, U.S. Attorney for the Southern District of Texas.
In one documented case, Xu reported to an SSSB officer on February 19, 2020, confirming the successful compromise of a U.S. university network. Three days later, he was directed to “access specific email accounts belonging to virologists and immunologists.” He later confirmed that he had acquired the contents of those mailboxes.
In late 2020 and early 2021, Xu and his co-conspirators escalated their attacks, exploiting zero-day vulnerabilities in Microsoft Exchange Server, leading to one of the most widespread enterprise breaches in recent memory. The group installed custom web shells to remotely control infected systems, stealing email contents and targeting entities ranging from law firms in Washington, D.C. to universities in Texas.
“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information,” said Assistant Director Brett Leatherman of the FBI Cyber Division.
Searches conducted inside compromised law firm networks even included terms like “Chinese sources,” “MSS,” and “HongKong,” indicating a broader intelligence-gathering agenda.