Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks
A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies.
The 33-year-old, Xu Zewei, has been charged with nine counts of wire fraud and conspiracy to cause damage to and obtain information by unauthorized access to protected computers, as well as committing aggravated identity theft. Details of the arrest were first reported by Italian media.
Xu is alleged to have been involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designed as Hafnium.
The suspect is also accused of participating in China’s espionage efforts during the COVID-19 pandemic, attempting to gain access to vaccine research at various U.S. universities, including the University of Texas.
Xu, alongside co-defendant and Chinese national Zhang Yu, are believed to have undertaken the attacks based on directions given by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
“Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving and storing email messages,” the Justice Department said. “Their exploitation of Microsoft Exchange Server was allegedly at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as ‘Hafnium.'”
Silk Typhoon, which overlaps with UNC5221, is known for its use of zero-day vulnerabilities and successful compromises of technology firms in supply chain attacks. The group is said to have targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information through the Hafnium campaign.
The Justice Department has also claimed that Zewei worked for a company named Shanghai Powerock Network Co. Ltd. when the attacks were carried out, lending further credence to other reports that China is leveraging an array of contractors and private firms to launch state-sponsored espionage campaigns in an effort to obscure the government’s involvement.
According to a report from Reuters, Xu has opposed the extradition request, claiming a case of mistaken identity. Xu’s lawyer added his surname is quite common in China and that his mobile phone had been stolen from him in 2020.
“Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyber espionage,” John Hultquist, Chief Analyst, Google Threat Intelligence Group (GTIG), said in a statement shared with The Hacker News.
“Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”
