DOJ Arrests Prolific Chinese State-Sponsored Hacker

The Justice Department announced today that Xu Zewei (徐泽伟), 33, of the People’s Republic of China was arrested on July 3 in Italy at the request of the United States. Xu and his co-defendant, PRC national Zhang Yu (张宇), 44, are charged in a nine-count indictment, unsealed today in the Southern District of Texas, for their involvement in computer intrusions between February 2020 and June 2021, including the indiscriminate HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States. Xu was arrested in Milan, Italy, and will face extradition proceedings.

According to court documents, officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for PRC’s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC’s political and domestic security. When conducting the computer intrusions, Xu worked for a company named Shanghai Powerock Network Co. Ltd. (Powerock). Powerock was one of many “enabling” companies in the PRC that conducted hacking for the PRC government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division. “The Justice Department will find you and hold you accountable for threatening our cybersecurity and harming our people and institutions.”

“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said Nicholas Ganjei, U.S. Attorney for the Southern District of Texas. “The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”

“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party (CCP) targeted American universities to steal groundbreaking COVID-19 research. The following year, these same actors, operating as a group publicly known as HAFNIUM, exploited zero-day vulnerabilities in U.S. systems to steal additional research,” said Assistant Director Brett Leatherman of FBI’s Cyber Division. “Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information. This arrest, carried out with our Italian law enforcement partners, demonstrates the FBI’s relentless commitment to holding CCP-sponsored hackers accountable for their crimes.”

According to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID‑19 vaccines, treatment, and testing. Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes.

Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving, and storing email messages. Their exploitation of Microsoft Exchange Server was at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as “HAFNIUM.” In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. Throughout March 2021, Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10, 2021. However, by the end of March 2021, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software. In April 2021, the Justice Department announced a court-authorized operation to remediate hundreds of computers in the United States made vulnerable by HAFNIUM actors. In July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC’s MSS.

Among the victims of Xu’s exploitation of Microsoft Exchange Server were another university located in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration. These web shells were specific to HAFNIUM actors at the time. As with the earlier COVID-19 research intrusions, Xu and Zhang worked together on the HAFNIUM intrusions, under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the other university’s network. Later, on or about Feb. 28, 2021, Xu updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other successful intrusions from a second SSSB officer. Unauthorized access to the law firm’s network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms included “Chinese sources,” “MSS,” and “HongKong.”

The announcement of charges against Xu is the latest describing the PRC’s use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.

Xu is charged with conspiracy to commit wire fraud and two counts of wire fraud, which carries a maximum penalty of 20 years in prison for each count; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft, which carries a maximum penalty of five years in prison; two counts of obtaining information by unauthorized access to protected computers, which carries a maximum penalty of five years in prison; two counts of intentional damage to a protected computer, which carries a maximum penalty of 10 years in prison; and aggravated identity theft, which carries a maximum penalty of two years in prison. Zhang Yu remains at large. Anyone with information about his whereabouts is asked to contact the FBI at 1-800-CALL-FBI (1-800-225-5324).

The FBI’s Houston Field Office is investigating the case. The Justice Department’s Office of International Affairs provided valuable assistance in securing the defendant’s arrest.

Assistant U.S. Attorneys Mark McIntyre and John Marck for the Southern District of Texas and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section are prosecuting the case. The Justice Department’s Office of International Affairs is handling the extradition.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
