Chinese Hacker Linked to Silk Typhoon Charged With Stealing COVID Data
U.S. prosecutors want to extradite a 33-year-old Chinese national back to the United States to face charges for allegedly participating in Beijing state-sponsored cyberespionage operations that included hacking into a university in Texas in 2020 to steal information about COVID-19 vaccines and the widespread attack on Microsoft Exchange Servers in 2021 by the group Silk Typhoon.
Xu Zewei was arrested last week in Milan’s Malpensa Airport by Italian law enforcement acting on a warrant from the U.S. Justice Department (DOJ), according to Italian news service ANSA.
Xu and a co-defendant, Zhang Yu, are named in a nine-count indictment that was unsealed this week, accusing them of participating in the hacking of universities, virologists, and immunologists working on COVID-19 vaccines and treatments between February 2020 and June 2021.
Prosecutors also state that, starting in late 2020, Xu was part of the group known as Silk Typhoon, also referred to as Hafnium, which exploited a vulnerability in Microsoft Exchange Server. Silk Typhoon is one of several high-profile Chinese state-sponsored espionage groups that for years have targeted government agencies and critical infrastructure in the United States and elsewhere.
The indictment charges Xu and Yu with a range of crimes, including conspiracy, wire fraud, obtaining information by unauthorized access and intentional damage to a protected computer. Yu remains at large.
Microsoft Exchange Server Compromise
The compromise of Microsoft Exchange Server kicked off a campaign in 2021 aimed at thousands of computers around the world that became publicly known as the Hafnium attacks. After exploiting the vulnerabilities, Xu and unnamed co-conspirators installed web shells on the compromised servers, giving them persistent remote control of those systems. Microsoft disclosed the massive intrusion campaign in March 2021.
“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party (CCP) targeted American universities to steal groundbreaking COVID-19 research,” Assistant Director Brett Leatherman of the FBI’s Cyber Division said in a statement. “The following year, these same actors, operating as a group publicly known as HAFNIUM, exploited zero-day vulnerabilities in U.S. systems to steal additional research.”
Leatherman said the Hafnium campaign targeted more than 60,000 U.S. entities, successfully victimizing more than 12,700 of them, with the goal of stealing sensitive information. Among the victims were another Texas university and a law firm with offices around the world, including Washington D.C.
Chinese Government’s Hacking Operations
News of Xu’s arrest comes four months after the DOJ charged 12 Chinese nationals in a sprawling indictment that outlined in detail how Chinese government agencies such as the Ministry of Public Security (MPS) and Ministry of State Security (MSS) essentially ran a hacker-for-hire operation, using contract hackers and Chinese companies in espionage campaigns against U.S. federal and state government agencies, dissidents and critics of the Chinese government in the United States, and the foreign ministries of such countries as Taiwan, South Korea and India.
Still, the DOJ has been after Xu for years, with the indictment being handed up in November 2023 but kept sealed until this week. While carrying out the intrusions, Xu worked for a company named Shanghai Powerock Network Co. Ltd., which the DOJ said was “one of many ‘enabling’ companies in the PRC [People’s Republic of China] that conducted hacking for the PRC government.”
He was directed to conduct the attacks by the MSS and Shanghai State Security Bureau (SSSB), another PRC intelligence agency, according to the indictment.
“This arrest caps off over a decade of indictments and other law enforcement efforts that were usually recognized as symbolic,” said John Hultquist, chief analyst with Google Threat Intelligence Group (GTIG). “It has been generally accepted that these actors would never see the inside of a courtroom. This is a good reminder that patience can be rewarded.”
That said, the impact won’t be immediate, Hultquist added.
“There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage,” he said. “Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”
Targeting COVID-19 Researchers
Prosecutors have collected detailed information about Xu’s involvement in both the hacking of COVID-19 researchers and the exploitation of Microsoft Exchange Servers. On February 19, 2020, Xu confirmed to an SSSB officer that he had compromised the network of a Texas research university. Three days later, the SSSB officer told Xu to access the email accounts of virologists and immunologists researching COVID-19 at the school, with Xu later confirming he’d gotten the contents of those mailboxes.
China wasn’t alone in such operations, GTIG’s Hultquist said, noting that cyberespionage actors based in Iran, Russia, and North Korea also targeted government, academic, and biotech targets looking for information on treatments.
In the Hafnium campaign, Xu confirmed on January 30, 2021, that he had compromised another university’s network and updated an SSSB officer a month later about his intrusions. Xu also stole information from email accounts and searched them for information about U.S. policy makers and government agencies, with search terms including “Chinese sources,” “MSS,” and “HongKong.”
Microsoft has continued to track Silk Typhoon, noting in a report in March that the group was changing tactics to target common IT solutions like remote management tools and cloud applications as avenues for gaining initial access into corporate networks and attacking IT supply chains. The targets include remote management and monitoring (RMM) vendors, MSPs, and companies in such sectors as healthcare, defense and government.
Family Denies Charges
According to the Italian news agency ANSA, the extradition hearing for Xu was scheduled to take place on July 7. His family told Italian authorities that Xu works as an IT manager at Shanghai GTA Semiconductor and that his getting an entry visa into Italy was confirmation that he hadn’t committed a crime.
His lawyer, Enrico Giarda, told reporters after a hearing before an appeals court that Xu suggested someone may have hacked into his account and that his mobile phone was stolen in 2020. Giarda also noted that his client’s surname is a common one in China.