The US has announced the arrest of a suspected Chinese state-sponsored hacker, who is accused of involvement in high-profile attacks, including the theft of COVID-19 research from American universities.

The individual has also been linked to the notorious Hafnium campaign, which targeted Microsoft Exchange servers in 2020 and 2021.

The attacks were ordered by People’s Republic of China (PRC) intelligence agencies, according to the US Department of Justice (DoJ).

Chinese national Xu Zewei, aged 33, was arrested on July 3 in Milan, Italy, at the request of the US government.

Xu and his co-defendant, Zhang Yu, have been charged with a nine-count indictment relating to their involvement in computer intrusions between February 2020 and June 2021.

If found guilty on all counts, Xu faces a lengthy prison sentence. Zhang currently remains at large.

Xu worked for a company named Shanghai Powerock Network Co. Ltd. when conducting the attacks.

The US believes the PRC government uses an extensive network of private companies and contractors in China, including Powerock, to infiltrate organizations and steal data in a manner that obscures state involvement.

“Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government,” the DoJ wrote.

“This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.”

COVID-19 Research Data Targeted, Stolen

The indictment, announced on July 8, alleges that Xu stole critical COVID-19 research at the behest of the Chinese government.

This coincided with the time that same government withheld information about the virus and its origins, Nicholas Ganjei, US Attorney for the Southern District of Texas, said.

Court documents claim that in early 2020, Xu and his co-conspirators targeted US-based universities, immunologists and virologists conducting research into COVID‑19 vaccines, treatment and testing.

The hackers reported their activities to the Shanghai State Security Bureau (SSSB), an intelligence agency which supervised and directed their actions.

For example, after Xu reported the compromise of a research university in Texas, an SSSB officer directed him to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university.

Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes.

Hafnium Campaign Used to Steal Sensitive Government Data

Beginning in late 2020, Xu and his co-conspirators are accused of exploiting multiple zero-day vulnerabilities in Microsoft Exchange Server as part of the notorious Hafnium campaign.

This Chinese state-sponsored campaign, which was publicly disclosed by Microsoft in March 2021, compromised thousands of computers worldwide.

Xu used his access to compromised Microsoft Exchange servers to obtain information regarding specific US policy makers and government agencies.

This included the compromise of another university in Texas and a law firm with offices worldwide.

After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration.
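A defender's check that follows from this: a web shell dropped on an Exchange server is a server-executable file that did not exist at the last known-good baseline. The script below is an added example, not code from the article or the indictment; the directory layout, file names and baseline age are constructed assumptions standing in for a real Exchange front-end web root.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions IIS executes as server-side code; a web shell planted on an
# Exchange server is normally one of these.
WEB_EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}


def find_new_web_files(root, since_epoch):
    """Return relative paths of server-executable files under root whose
    modification time is later than since_epoch (the last known-good baseline)."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXECUTABLE_EXTS:
            if path.stat().st_mtime > since_epoch:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_tree(base):
    """Constructed sample (assumption, not a real server): a fake front-end web
    root with one baseline page, one newer stylesheet and one file that appeared
    after the baseline. Returns the baseline timestamp."""
    baseline = time.time() - 30 * 86400  # pretend the baseline is 30 days old
    auth_dir = Path(base) / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    old = auth_dir / "logon.aspx"          # present at baseline
    new = auth_dir / "dropped_shell.aspx"  # constructed name for the new file
    css = auth_dir / "site.css"            # newer, but not executable
    auth_dir.mkdir(parents=True, exist_ok=True)
    for p in (old, new, css):
        p.write_text("<!-- constructed sample -->")
    os.utime(old, (baseline - 86400, baseline - 86400))
    os.utime(css, (baseline + 86400, baseline + 86400))
    return baseline


def demo():
    """Build the constructed tree and report files newer than the baseline."""
    with tempfile.TemporaryDirectory() as base:
        baseline = build_constructed_tree(base)
        return find_new_web_files(base, baseline)


if __name__ == "__main__":
    print(demo())
```

Against a real server the baseline would be the timestamp of the last verified-clean snapshot, and every hit should be checked against the patch manifest before being treated as a web shell.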

The US formally attributed the Hafnium campaign to the PRC in July 2021.

Assistant Director Brett Leatherman of the FBI’s Cyber Division, commented: “Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information. This arrest, carried out with our Italian law enforcement partners, demonstrates the FBI’s relentless commitment to holding CCP-sponsored hackers accountable for their crimes.”

Hacker Linked to Silk Typhoon Group

Commenting on the story, John Hultquist, Chief Analyst, Google Threat Intelligence Group, said Xu is reportedly affiliated with the Silk Typhoon group, which is known for its repeated use of zero-day vulnerabilities and successful compromises of technology firms in supply chain attacks.

"Reportedly, this actor was involved in attempts to target COVID-19 research. In 2020, in the wake of the epidemic, most of the cyberespionage actors we tracked shifted their focus to COVID-19. Cyber espionage actors based in Iran, Russia, North Korea, and China blitzed government, academic, and biotech targets looking for information on treatments," he noted.

Hultquist welcomed the arrest of Xu, but warned the arrest is unlikely to have any impact on Chinese state-sponsored cyber operations in the short term.

"Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage. Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work," he added.