Microsoft: Chinese State-Sponsored Contract Hacker Extradited to U.S. Over COVID-19 Research Cyberattacks – HSToday

Chinese National Extradited to U.S. for Cyber Intrusions Linked to HAFNIUM and COVID-19 Research Theft

A 34-year-old Chinese national, Xu Zewei (徐泽伟), was extradited to the U.S. over the weekend and appeared in federal court in Houston on a nine-count indictment for his role in state-sponsored cyber intrusions between February 2020 and June 2021. Xu, along with co-conspirator Zhang Yu (张宇), 44, is accused of participating in the HAFNIUM campaign, a large-scale hacking operation that compromised thousands of systems worldwide, including U.S. organizations, and of targeting COVID-19 research during the pandemic.

According to court documents, Xu’s activities were directed by officers of the PRC’s Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB), China’s primary intelligence agency. At the time of the intrusions, Xu worked for Shanghai Powerock Network Co. Ltd., one of many Chinese "enabling" companies used by the PRC government to conduct cyber operations while obscuring its direct involvement.

The indictment alleges that in early 2020, Xu and his co-conspirators hacked U.S. universities, immunologists, and virologists working on COVID-19 vaccines, treatments, and testing. On February 19, 2020, Xu confirmed to an SSSB officer that he had breached a Texas-based research university’s network. Days later, the officer instructed him to target specific email accounts belonging to researchers, which Xu later accessed and exfiltrated.

From late 2020 into 2021, Xu and Zhang exploited vulnerabilities in Microsoft Exchange Server, a widely used email platform, as part of the HAFNIUM campaign. Microsoft publicly disclosed the state-sponsored attacks in March 2021, prompting the release of patches and detection tools. Despite mitigation efforts, hundreds of U.S. systems remained compromised. In April 2021, the U.S. Justice Department conducted a court-authorized operation to remove web shells installed by the hackers. By July 2021, the U.S. and its allies formally attributed the HAFNIUM campaign to the PRC’s MSS.

Among the victims were a second Texas university and a global law firm, where Xu and Zhang installed web shells to maintain access and search for sensitive information. Their searches included terms like "Chinese sources," "MSS," and "HongKong," suggesting an interest in U.S. policy and intelligence-related data.

The indictment highlights the PRC’s use of private contractors to conduct cyber espionage, allowing the government to distance itself from the operations. Xu faces charges including conspiracy to commit wire fraud, unauthorized access to protected computers, intentional damage to computer systems, and aggravated identity theft, with potential penalties totaling decades in prison. Zhang remains at large.

The case is being investigated by the FBI’s Houston Field Office and prosecuted by the U.S. Attorney’s Office for the Southern District of Texas and the DOJ’s National Security Cyber Section. Xu’s extradition from Italy was secured with assistance from Italian law enforcement, including the Polizia Postale.

Source: https://www.hstoday.us/subject-matter-areas/cybersecurity/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks/

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

{
  "id": "MIC1777372097",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "2/2020",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Education/Research',
                        'location': 'Texas, U.S.',
                        'name': 'Texas-based research university (unspecified)',
                        'type': 'University'},
                       {'industry': 'Education/Research',
                        'location': 'Texas, U.S.',
                        'name': 'Second Texas university (unspecified)',
                        'type': 'University'},
                       {'industry': 'Legal',
                        'location': 'Global',
                        'name': 'Global law firm (unspecified)',
                        'type': 'Law Firm'},
                       {'industry': 'Healthcare/Research',
                        'location': 'U.S.',
                        'name': 'Immunologists and virologists (unspecified)',
                        'type': 'Researchers'}],
 'attack_vector': ['Exploitation of Microsoft Exchange Server vulnerabilities',
                   'Web shells'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'Email accounts of '
                                                        'researchers '
                                                        '(potential PII)',
                 'sensitivity_of_data': 'High (COVID-19 research, '
                                        'intelligence-related data)',
                 'type_of_data_compromised': ['Research data',
                                              'Email accounts',
                                              'Policy-related information']},
 'date_detected': '2020-02-19',
 'date_publicly_disclosed': '2021-03',
 'date_resolved': '2021-07',
 'description': 'A 34-year-old Chinese national, Xu Zewei, was extradited to '
                'the U.S. and indicted for his role in state-sponsored cyber '
                'intrusions between February 2020 and June 2021. The '
                'operations, directed by the PRC’s Ministry of State Security '
                '(MSS), included the HAFNIUM campaign and targeted COVID-19 '
                'research, universities, immunologists, virologists, and a '
                'global law firm. Xu exploited vulnerabilities in Microsoft '
                'Exchange Server and installed web shells to exfiltrate '
                'sensitive data.',
 'impact': {'data_compromised': 'Sensitive research data, email accounts, '
                                'policy-related information',
            'identity_theft_risk': 'Aggravated identity theft (charges '
                                   'included)',
            'operational_impact': 'Unauthorized access and data exfiltration '
                                  'from critical research and legal entities',
            'systems_affected': ['U.S. universities',
                                 'Global law firm',
                                 'Research institutions']},
 'initial_access_broker': {'backdoors_established': 'Web shells',
                           'entry_point': 'Microsoft Exchange Server '
                                          'vulnerabilities',
                           'high_value_targets': ['COVID-19 researchers',
                                                  'Universities',
                                                  'Law firms']},
 'investigation_status': 'Ongoing (Zhang Yu at large)',
 'motivation': ['Intelligence gathering',
                'Theft of COVID-19 research',
                'Policy and intelligence-related data'],
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities, '
                                                  'court-authorized removal of '
                                                  'web shells, attribution to '
                                                  'PRC’s MSS',
                            'root_causes': 'Exploitation of unpatched '
                                           'Microsoft Exchange Server '
                                           'vulnerabilities, state-sponsored '
                                           'cyber espionage'},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'U.S. Department of Justice'},
                {'source': 'Microsoft Security Response Center'}],
 'regulatory_compliance': {'legal_actions': 'Nine-count indictment (conspiracy '
                                            'to commit wire fraud, '
                                            'unauthorized access, aggravated '
                                            'identity theft)'},
 'response': {'containment_measures': 'Court-authorized operation to remove '
                                      'web shells (April 2021)',
              'law_enforcement_notified': True,
              'remediation_measures': 'Microsoft released patches and '
                                      'detection tools (March 2021)'},
 'threat_actor': 'HAFNIUM (PRC’s Ministry of State Security - MSS)',
 'title': 'Chinese National Extradited to U.S. for Cyber Intrusions Linked to '
          'HAFNIUM and COVID-19 Research Theft',
 'type': ['Cyber Espionage', 'State-Sponsored Hacking'],
 'vulnerability_exploited': 'Microsoft Exchange Server vulnerabilities '
                            '(HAFNIUM campaign)'}