A complicated cyberattack orchestrated by Chinese language state-sponsored hackers has uncovered vulnerabilities within the international cybersecurity infrastructure, concentrating on vital COVID-19 analysis from American universities and exploiting Microsoft Trade servers worldwide.
The Justice Division introduced the arrest of a key determine on this operation, marking a big milestone within the combat towards state-sponsored cyber espionage.
Xu Zewei, a 33-year-old Chinese language nationwide, was arrested in Milan, Italy, on July 3, 2025, following a U.S. extradition request.
The arrest represents one of many first profitable captures of hackers related to Chinese language intelligence companies by the FBI. Xu faces a nine-count federal indictment alongside his co-defendant Zhang Yu, who stays at massive.
The fees embody conspiracy to commit wire fraud, acquiring data by unauthorized entry to protected computer systems, intentional injury to protected computer systems, and aggravated id theft. If convicted on all counts, Xu may withstand 77 years in jail.
The COVID-19 Analysis Theft Marketing campaign
Between February 2020 and June 2021, Xu and his associates carried out a scientific marketing campaign to steal vital COVID-19 analysis from American establishments.
Working below the path of China’s Ministry of State Safety (MSS) and its Shanghai State Safety Bureau (SSSB), the hackers focused U.S. universities, immunologists, and virologists engaged in growing vaccines, remedies, and testing protocols.
Court docket paperwork reveal that on February 19, 2020, Xu confirmed to his SSSB handler that he had efficiently compromised the community of a analysis college within the Southern District of Texas.
Three days later, the SSSB officer directed Xu to particularly goal electronic mail accounts belonging to virologists and immunologists conducting COVID-19 analysis. Xu subsequently confirmed he had acquired the contents of those researchers’ mailboxes.
The HAFNIUM Marketing campaign
The cyber espionage operation expanded dramatically in late 2020 when Xu and his co-conspirators started exploiting zero-day vulnerabilities in Microsoft Trade Server.
This large marketing campaign, publicly often known as “HAFNIUM,” compromised hundreds of computer systems worldwide.
The assault leveraged 4 vital vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allowed attackers to realize persistent entry to sufferer programs.
The HAFNIUM group efficiently focused over 60,000 U.S. entities, compromising greater than 12,700 organizations. Victims included universities, regulation companies, protection contractors, and authorities businesses.
The attackers put in internet shells on compromised servers, offering them with distant entry capabilities for knowledge theft and lateral motion inside networks.
The Microsoft Trade Server exploitation marketing campaign had unprecedented international attain. By March 2021, it was estimated that roughly 250,000 servers worldwide had fallen sufferer to the assaults.
The European Banking Authority, Norwegian Parliament, and Chile’s Fee for the Monetary Market had been among the many high-profile victims.
Microsoft launched emergency safety updates on March 2, 2021, however the injury was already intensive.
The FBI and the Cybersecurity and Infrastructure Safety Company (CISA) issued a joint advisory warning organizations in regards to the compromise.
In April 2021, the Justice Division carried out a court-authorized operation to take away internet shells from lots of of weak computer systems in the US.
State-Sponsored Operations
The investigation revealed that Xu operated as a contract hacker for Shanghai Powerock Community Co. Ltd., described by prosecutors as one in every of many “enabling” corporations that carried out hacking operations for the Chinese language authorities.
This community of personal corporations and contractors supplied Beijing with believable deniability whereas conducting intensive cyber espionage campaigns.
The MSS and SSSB, China’s principal intelligence companies, immediately supervised and coordinated these operations.
The Shanghai State Safety Bureau, one of the crucial aggressive and internationally lively items of the MSS, maintains an in depth community of entrance corporations and conducts international espionage operations.
The HAFNIUM marketing campaign prompted a coordinated worldwide response.
In July 2021, the US, together with the European Union, the UK, Australia, Canada, New Zealand, Japan, and NATO, formally attributed the assaults to the Chinese language authorities and condemned the PRC’s function in malicious cyber actions.
The arrest of Xu Zewei demonstrates the continued efforts of worldwide regulation enforcement to carry state-sponsored hackers accountable.
“This arrest underscores the US’ affected person and tireless dedication to pursuing hackers who search to steal data belonging to U.S. corporations and universities,” stated John A. Eisenberg, Assistant Legal professional Common for the Nationwide Safety Division.
The HAFNIUM group has since advanced into what safety researchers now observe as “Silk Hurricane,” persevering with to focus on massive companies and authorities entities.
The group has tailored its ways to take advantage of widespread IT options, together with distant administration instruments and cloud functions.
The case highlights the broader problem posed by Chinese language cyber operations, which U.S. officers say exceed these of all different overseas governments mixed.
The Justice Division’s announcement represents a part of a broader crackdown on Chinese language cyber espionage, with a number of current instances concentrating on people accused of working for Beijing’s intelligence companies.
As Xu awaits extradition proceedings in Italy, the case serves as a stark reminder of the persistent risk posed by state-sponsored cyber operations and the vital significance of worldwide cooperation in combating these refined assaults on international cybersecurity infrastructure.
MSSP Pricing Information: The best way to Minimize Via the Noise and the Hidden Price-> Get Your Free Information