Italian authorities arrest Chinese man over Microsoft Exchange Server hack, targeting of COVID-19 researchers

The Justice Department said Tuesday that Italian authorities arrested a Chinese national who DOJ said was involved in the massive Microsoft Exchange Server hack from 2020 to 2021, an arrest made at the United States’ request.

The arrest stems from a nine-count indictment dating back to 2023, which named the arrested man, Xu Zewei, 33, as well as co-defendant Zhang Yu, 44. Authorities said the arrest was evidence that patience in pursuing alleged hackers in court can pay off.

“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” Nicholas Ganjei, U.S. Attorney for the Southern District of Texas, said in a news release. “The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand.”

According to court records, the Chinese Ministry of State Security’s Shanghai State Security Bureau directed Xu to carry out a hack that targeted U.S.-based universities, immunologists and virologists conducting COVID-19 research.

He and his co-conspirators exploited vulnerabilities in Microsoft Exchange Server, flaws that led to the compromise of thousands of computers worldwide. The Justice Department said it was the work of a group known as HAFNIUM or Silk Typhoon. It’s not the first time the U.S. has indicted Chinese nationals over the attack.

“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.

It might take time for the arrest to make a difference, said John Hultquist, chief analyst of the Google Threat Intelligence Group.

“Unfortunately, the impact of this arrest won’t be felt immediately,” he said in a statement. “There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage. Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”

Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to damage and obtain information by unauthorized access to protected computers to commit wire fraud and commit identity theft; two counts of intentional damage to a protected computer; and aggravated identity theft.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003.

