Chinese State-Sponsored Hacker and Co-conspirator Arrested for HAFNIUM Intrusion Campaign

Written by: Lore Apostol, Cybersecurity Writer

The U.S. Department of Justice has announced the arrest of Xu Zewei, a 33-year-old Chinese national accused of orchestrating major cyberattacks under the directive of China’s Ministry of State Security (MSS). 

Arrested in Milan, Italy, on July 3, Xu now faces extradition to the United States to answer for his alleged role in the HAFNIUM intrusion campaign and the theft of COVID-19 research. Xu is facing numerous charges, including conspiracy to commit wire fraud and intentional damage to protected systems. 

Xu and his co-defendant, PRC national Zhang Yu, 44, allegedly operated under MSS direction through the Shanghai State Security Bureau and conducted widespread cyber intrusions between 2020 and 2021. 

Pictures of Xu Zewei | Source: Visegrád 24 on X

Their activities exploited vulnerabilities in Microsoft Exchange Server, compromising over 60,000 U.S. systems and affecting more than 12,700 entities globally.  

The HAFNIUM campaign gained public attention in early 2021 when Microsoft disclosed that attackers were exploiting zero-day vulnerabilities in on-premises Exchange Server to gain unauthorized access to email systems, leaving web shells on thousands of compromised servers for persistent remote access. 

Patching closed the entry point but did not remove web shells that had already been planted, so many systems remained compromised after the updates were applied. This prompted a court-authorized operation, announced by the DoJ, in which the FBI removed remaining web shells from affected U.S. servers to mitigate the threat.  

According to U.S. Attorney Nicholas Ganjei, Xu played a direct role in targeting American universities, as well as immunologists and virologists engaged in COVID-19 vaccine and treatment research. 

Reports indicate Xu successfully accessed targeted email accounts and at times passed stolen data directly to MSS officers. His activity began in the pandemic's earliest stages, pointing to a concerted effort to gain an early advantage in critical healthcare research.  

The DoJ revealed that Xu’s activities also included unauthorized access to global organizations, such as law firms involved in U.S. policymaking, potentially giving Chinese authorities access to strategic information. 

“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party (CCP) targeted American universities to steal groundbreaking COVID-19 research,” said Assistant Director Brett Leatherman of FBI’s Cyber Division. 

“The following year, these same actors, operating as a group publicly known as HAFNIUM, exploited zero-day vulnerabilities in U.S. systems to steal additional research.”

The case not only emphasizes the pressing need for international cooperation in cybersecurity enforcement but also contributes to growing tensions between the U.S. and China over cybersecurity and intellectual property theft.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: