A Chinese national extradited from Italy appeared in federal court in Houston on a nine-count indictment alleging he participated in computer intrusions targeting U.S. universities and a global law firm as part of a state-sponsored hacking campaign — including targeting American COVID-19 researchers during the height of the pandemic, the Justice Department announced.
Xu Zewei, 34, of the People’s Republic of China, is charged in connection with alleged computer intrusions carried out between February 2020 and June 2021, according to court documents. Some of those intrusions were part of the HAFNIUM campaign, a large-scale hacking operation attributed to China’s Ministry of State Security that compromised thousands of computers worldwide. A co-defendant, Zhang Yu, 44, also a PRC national, remains at large.
Federal prosecutors and FBI officials said officers of the Shanghai State Security Bureau (SSSB), part of the PRC’s Ministry of State Security, directed Xu to conduct the hacking while he worked for a Shanghai-based company, Shanghai Powerock Network Co. Ltd., described in court documents as one of many “enabling” firms used to conduct hacking for the Chinese government while obscuring Beijing’s involvement.
In early 2020, according to court documents, Xu and co-conspirators allegedly hacked U.S.-based universities, virologists and immunologists conducting COVID-19 vaccine and treatment research. Prosecutors allege that on or about Feb. 19, 2020, Xu confirmed to an SSSB officer that he had compromised the network of a research university in the Southern District of Texas, and days later was directed to target specific email accounts belonging to COVID-19 researchers at that institution.
Beginning in late 2020, prosecutors allege Xu and his co-conspirators exploited vulnerabilities in Microsoft Exchange Server as part of the HAFNIUM campaign, which Microsoft publicly disclosed in March 2021. Among Xu’s alleged victims were another university in the Southern District of Texas and a global law firm with offices in Washington, D.C. Prosecutors said Xu and Zhang installed web shells on compromised servers and searched stolen mailboxes for references to U.S. policymakers, government agencies, and terms including “Chinese sources,” “MSS,” and “HongKong.”
“The extradition of Xu Zewei demonstrates the FBI’s reach extends well beyond U.S. borders,” said FBI Cyber Division Assistant Director Brett Leatherman, adding that HAFNIUM compromised more than 12,700 U.S. organizations.
Assistant Attorney General for National Security John A. Eisenberg said the United States “is committed to pursuing hackers who steal information from U.S. businesses and universities.”
Xu faces charges including conspiracy to commit wire fraud, wire fraud, unauthorized access to protected computers, intentional damage to protected computers and aggravated identity theft, with maximum penalties ranging from two to 20 years per count. The FBI’s Houston Field Office is investigating.
An indictment is an allegation, and all defendants are presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.
This article was constructed with the assistance of artificial intelligence and published by a member of The Washington Times' AI News Desk team. The contents of this report are based solely on The Washington Times' original reporting, wire services, and/or other sources cited within the report. For more information, please read our AI policy or contact Steve Fink, Director of Artificial Intelligence, at sfink@washingtontimes.com