
When Chinese national Xu Zewei stepped off a plane at Milan’s Malpensa airport for a vacation with his wife, Italian authorities arrested him. The Italians executed an American warrant issued by investigators for his alleged role in the most prolific Beijing-backed cyber-espionage campaign in recent years.
Before Xu’s July 3 arrest, the Justice Department typically charged alleged Chinese hackers in absentia. Now, for the first time, the Trump administration has detained one of Beijing’s suspected cyber operators as part of its wider effort to combat Chinese espionage against the United States.
The Justice Department announced Xu’s arrest earlier this week and outlined the charges against him in a nine-count indictment that also names one codefendant. The pair are accused of involvement in computer intrusions that compromised personal data, intellectual property, COVID-19 research at U.S. universities, and law firm materials, the Justice Department said.
The arrest of Xu in Italy marks one of the first recorded cases of the FBI apprehending a suspected Chinese hacker. The FBI’s Houston Field Office, which led the case, said in a social media post shortly after the announcement that Xu was “one of the first hackers linked to Chinese intelligence services to be captured by the FBI.”
Vulnerabilities in Microsoft product exploited
China sharply criticized Xu’s arrest in a statement on Thursday, saying Beijing completely rejects “any smears and vilification” about alleged cyber activities. “China firmly opposes the use of long-arm jurisdiction and opposes the US’ disguised extradition of Chinese nationals via a third country,” a spokeswoman for the Chinese Foreign Ministry said.
Xu, along with a coconspirator identified as Zhang Yu, allegedly hacked into computer systems between 2020 and 2021, including as part of the HAFNIUM intrusion campaign that compromised thousands of computers worldwide by exploiting vulnerabilities in a Microsoft product. Xu is expected to be extradited to the U.S. The Justice Department said Zhang remains at large.
FBI Director Kash Patel touted the arrest on Thursday in a post on X. “Xu is accused of hacking U.S. universities and stealing critical COVID-19 research on behalf of the Chinese Communist Party,” Patel said. “The CCP’s relentless attacks on our institutions will not go unanswered. The FBI will hunt down those who threaten our national security, wherever they hide.”
The Justice Department alleges Xu was a general manager at China-based Shanghai Powerock Network, which the department says conducts hacking operations at the direction of the Shanghai State Security Bureau, a subsidiary of China’s Ministry of State Security, the country’s chief intelligence agency.
The FBI said Powerock is one of many “enabling” companies in the PRC that have conducted hacking for the PRC government.
The indictment accuses Xu, alongside his named and unindicted co-conspirators, of hacking into the networks of several U.S. universities and the accounts of immunologists and virologists in early 2020, seeking information on COVID-19 vaccine research. The hacks were intended to “steal the victims’ data, including COVID-19 research, for the benefit of PRC-based entities and the strategic benefit of the PRC government,” the prosecutors said.
The indictment did not name the universities but identified their locations. The first is a university in the Southern District of Texas that conducted research on “COVID-19 vaccines, treatments, and testing.” The second, in North Carolina, conducted research in the same areas. The third is also located in the Southern District of Texas.
The hackers also targeted a law firm in Washington, D.C., the indictment alleges. That intrusion was aimed at “U.S. policymakers and government agencies.” The hackers explicitly searched for information on “Chinese sources,” “MSS” (the Ministry of State Security), and “Hong Kong.”
The Justice Department says Xu and Zhang’s alleged hacking activities were one component of an extensive Chinese Communist Party-directed campaign that exploited vulnerabilities in Microsoft’s Exchange Server email software. The campaign drew wide attention in March 2021, when Microsoft disclosed that previously unknown Exchange Server vulnerabilities were being exploited to compromise customers’ on-premises servers and attributed the intrusion campaign to the Chinese hacking group it calls HAFNIUM.
Tens of thousands in U.S. targeted
KrebsOnSecurity reported at the time the breach was discovered that “at least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments” were attacked by what cyber-security experts called “an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations.”
“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information,” Assistant Director Brett Leatherman of the FBI’s Cyber Division said in a statement.
Xu’s lawyer said on Tuesday, during an appearance before an appeals court in Milan, that the FBI has mistaken his client’s identity and that Xu’s mobile phone was stolen in 2020, Reuters reported. Xu also argues that his surname is very common in China, according to his lawyer. The Italian appeals court will decide whether to approve Xu’s extradition to the United States.
Prior to Xu’s arrest, the United States often charged suspected Chinese hackers in absentia, unable to reach them on Beijing’s territory. The Xu case is a significant expansion of the United States’ effort to target China’s hacking infrastructure, one that aligns with President Trump’s renewed focus on combating Chinese cyber espionage.
Chinese cyber threats have been an ongoing issue in U.S.-China relations for decades, and China has shown little willingness to adhere to agreements that would curb the behavior.
Obama and China had an agreement that the PRC soon ignored
In late 2015, the Obama administration and the PRC reached an agreement intended to prevent “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage,” according to the U.S. announcement.
Within a year of the agreement, independent reports found that the prevalence of Chinese hacking did in fact decrease, yet experts remained concerned that Chinese hacking attempts would become more targeted and sophisticated in its aftermath, according to a review by the Council on Foreign Relations.
By 2018, according to The Wall Street Journal, U.S. officials had begun to publicly acknowledge that China had not lived up to its end of the agreement. Rob Joyce, who briefly served as a cybersecurity advisor to the Trump administration in 2018, told a conference that year that China’s commitment to the deal had significantly eroded.
“It is clear they are well beyond the bounds of the agreement today that was forged between our two countries,” Joyce said.
In his second term, President Trump has placed a renewed focus on addressing Beijing’s hacking campaigns directed at the United States.
Executive orders, presidential directives and criminal prosecutions
In June, Trump signed an executive order aimed at improving “critical protections” against foreign cyber threats across the whole of society, in both the public and private sectors. The order directs agencies to improve encryption, secure software standards, and protection of network infrastructure to deny hackers easy access to interconnected systems.
Executive orders are not the only instrument in the U.S. arsenal. According to the Electronic Privacy Information Center (EPIC), “Presidential directives are used as an instrument of national security to affect cybersecurity policy and generally derive from the policy papers produced by the National Security Council (NSC) that advise the president on national security issues.” Presidential directives are not required to be published in the Federal Register and are often highly classified.
To counter Beijing’s cyber espionage, the Trump administration has also pursued criminal charges against Chinese hackers for campaigns against both public and private entities across the U.S. Earlier this year, the Justice Department charged 12 Chinese nationals with allegedly hacking U.S. companies, government agencies, and cities. The hacks targeted U.S.-based critics of Beijing, foreign ministries of other Asian governments, and U.S. federal and state agencies, CNN reported.
The best defense may be a good offense
Rep. John Moolenaar, R-Mich., chairman of the House Select Committee on the Chinese Communist Party, said in March that the Trump administration is also looking to mount “aggressive” offensive cyber operations against Beijing.
Moolenaar said the new administration “has already shown a willingness to take a more aggressive stance in cyberspace.” According to the chairman, the president’s top advisors and National Security Council officials are “signaling that America is no longer only playing defense. We are actively engaging to erode our adversaries’ cyber capabilities.”