This past weekend, Xu Zewei (徐泽伟), a 34-year-old national of the People’s Republic of China (PRC), was extradited to the United States. He appeared in a Houston federal court today to face a nine-count indictment that links him to the notorious HAFNIUM intrusions and the targeting of critical pandemic research.
The indictment shows how the PRC's Ministry of State Security (MSS) operates. Rather than relying only on its own officers, the MSS allegedly works through private "enabling" companies, which put a layer of deniability between the intrusions and the state.
Xu was reportedly an employee of Shanghai Powerock Network Co. Ltd., a firm described by the DOJ as a front for state-sponsored activity. Working alongside his co-conspirator Zhang Yu, who remains at large, Xu is alleged to have operated under the direct supervision of the Shanghai State Security Bureau (SSSB).
Assistant Director Brett Leatherman of the FBI’s Cyber Division highlighted the scale of this operation, “Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations.”
Between February 2020 and June 2021—the height of the global pandemic—Xu allegedly targeted the very people working to end it.
According to court documents, Xu and his team compromised the networks of U.S. universities and specifically targeted the email accounts of virologists and immunologists conducting COVID-19 vaccine research. In one instance on February 22, 2020, an SSSB officer allegedly ordered Xu to access specific mailboxes of researchers to exfiltrate their findings.
Beyond the specialized theft of medical research, Xu is tied to the massive HAFNIUM campaign that exploited zero-day vulnerabilities in Microsoft Exchange Server.
The group’s methodology followed a clear pattern:
- Exploitation: Exploited Exchange Server vulnerabilities to gain initial access to internet-facing mail servers.
- Persistence: Installed web shells on the compromised servers for remote command execution (a signature of HAFNIUM actors at the time).
- Exfiltration: Searched the mailboxes of compromised law firms and universities for sensitive policy data and pulled it out.
The indictment reveals that Xu used specific search terms like “Chinese sources,” “MSS,” and “HongKong” to filter through stolen emails, indicating a focus on political intelligence alongside corporate and scientific secrets.
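The defensive side of that pattern, as an added example that is not part of the original article, the indictment, or any HAFNIUM tooling: a Python hunt that reads IIS W3C logs and a listing of the Exchange web directories and flags .aspx files under the front-end auth directories and under aspnet_client that are not on a known-good allowlist, which is where post-exploitation web shells of this kind were typically written. The directory layout, the allowlist of legitimate .aspx names, and every log line and file record below are assumptions constructed for the example; build the allowlist from a clean server of the same Exchange build before running it for real.

```python
"""Hunt for web shells dropped after Exchange Server exploitation.

Added example, not code from the article, the indictment or any HAFNIUM
tooling. Assumptions: a default Exchange 2016/2019 install, IIS logs in
W3C format with a #Fields header, and a hypothetical allowlist of
legitimate .aspx names. All sample data below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Web-facing directories where post-exploitation shells were typically
# written; any .aspx below them that is not allowlisted is worth a look.
# Allowlist is hypothetical: build yours from a known-clean server.
KNOWN_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx",
              "timeoutlogout.aspx"}
SHELL_RE = re.compile(
    r"/(owa/auth|ecp/auth|aspnet_client)/(?:.*/)?([^/]+\.aspx)$", re.I)


def is_unexpected_aspx(path_like: str) -> bool:
    """True for an .aspx under a watched root that is not allowlisted.

    Accepts either a URI stem from the IIS log or a Windows file path.
    """
    m = SHELL_RE.search(path_like.replace("\\", "/"))
    return bool(m) and m.group(2).lower() not in KNOWN_ASPX


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip, never misalign
        yield dict(zip(fields, values))


def find_shell_traffic(lines):
    """Requests that hit a non-allowlisted .aspx under a watched root."""
    return [r for r in parse_w3c(lines) if is_unexpected_aspx(r["cs-uri-stem"])]


def suspicious_clients(lines):
    """Client IPs touching suspected shells, with hit counts."""
    return dict(Counter(r["c-ip"] for r in find_shell_traffic(lines)))


def find_unexpected_aspx_files(records, since=None):
    """Flag (path, created_iso) entries that look like dropped shells.

    'since' (ISO 8601 string) scopes the hunt to files created on or after
    that time, e.g. the day the unpatched server was first exposed.
    """
    since_dt = datetime.fromisoformat(since) if since else None
    flagged = []
    for path, created in records:
        if not is_unexpected_aspx(path):
            continue
        if since_dt is not None and datetime.fromisoformat(created) < since_dt:
            continue
        flagged.append(path)
    return flagged


# Constructed sample data (not real logs). IIS writes '+' for spaces in
# the User-Agent field, so each record splits cleanly on whitespace.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-02 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-02 03:14:09 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 03:14:12 10.0.0.5 POST /aspnet_client/system_web/shell.aspx cmd=whoami 203.0.113.7 python-requests/2.25.1 200
2021-03-02 03:15:30 10.0.0.5 GET /ecp/default.aspx - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-02 03:16:01 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 500
""".splitlines()

EXCH = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
SAMPLE_FILES = [
    (EXCH + r"\owa\auth\logon.aspx", "2020-12-15T01:02:03"),
    (EXCH + r"\owa\auth\Current\scripts\premium\flogon.js", "2020-12-15T01:02:03"),
    (EXCH + r"\owa\auth\Current\themes\resources\help.aspx", "2021-03-02T03:14:08"),
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\shell.aspx", "2021-03-02T03:14:11"),
]

if __name__ == "__main__":
    for r in find_shell_traffic(SAMPLE_IIS_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"])
    print(suspicious_clients(SAMPLE_IIS_LOG))
    print(find_unexpected_aspx_files(SAMPLE_FILES, since="2021-02-01T00:00:00"))
```

Two design points. The allowlist is keyed on the file name only, so a shell that reuses a legitimate name in a different directory (say, a second logon.aspx under a themes folder) would slip past this check; pairing the name with its expected directory closes that gap at the cost of a longer allowlist. And the log parser trusts the `#Fields` header rather than assuming column positions, because IIS sites are often configured with non-default field sets and a positional parser silently misattributes client IPs when the layout differs.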
Xu’s journey to a U.S. courtroom was made possible through international cooperation. He was initially arrested in Milan by the Italian Polizia Postale before the extradition process began.
As it stands, Xu faces a litany of charges, including:
- Conspiracy to commit wire fraud (Max 20 years per count)
- Intentional damage to a protected computer (Max 10 years per count)
- Aggravated identity theft (Mandatory 2 years)
The proceedings continue while the FBI searches for Xu's alleged partner, Zhang Yu.