Justice Department Announces Arrest of Prolific Chinese State-Sponsored Contract Hacker

China’s Ministry of State Security directed the theft of COVID-19 research and the exploitation of Microsoft Exchange Server vulnerabilities, known publicly as the indiscriminate ‘HAFNIUM’ intrusion campaign.

July 14, 2025

“The Justice Department announced today that Xu Zewei (徐泽伟), 33, of the People’s Republic of China was arrested on July 3 in Italy at the request of the United States. Xu and his co-defendant, PRC national Zhang Yu (张宇), 44, are charged in a nine-count indictment, unsealed today in the Southern District of Texas, for their involvement in computer intrusions between February 2020 and June 2021, including the indiscriminate HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States. Xu was arrested in Milan, Italy, and will face extradition proceedings.”

“According to court documents, officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for PRC’s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC’s political and domestic security. When conducting the computer intrusions, Xu worked for a company named Shanghai Powerock Network Co. Ltd. (Powerock). Powerock was one of many ‘enabling’ companies in the PRC that conducted hacking for the PRC government.”

“According to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID‑19 vaccines, treatment, and testing. Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes.”

“Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving, and storing email messages. Their exploitation of Microsoft Exchange Server was at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as ‘HAFNIUM.’ In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. Throughout March 2021, Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10, 2021. However, by the end of March 2021, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software. In April 2021, the Justice Department announced a court-authorized operation to remediate hundreds of computers in the United States made vulnerable by HAFNIUM actors. In July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC’s MSS.”

“Among the victims of Xu’s exploitation of Microsoft Exchange Server were another university located in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration. These web shells were specific to HAFNIUM actors at the time. As with the earlier COVID-19 research intrusions, Xu and Zhang worked together on the HAFNIUM intrusions, under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the other university’s network. Later, on or about Feb. 28, 2021, Xu updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other successful intrusions from a second SSSB officer. Unauthorized access to the law firm’s network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms included ‘Chinese sources,’ ‘MSS,’ and ‘HongKong.’”

“The announcement of charges against Xu is the latest describing the PRC’s use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.” (Source: US Department of Justice)