Suspected contractor for China’s Hafnium group arrested in Italy
Italian authorities and FBI agents have arrested a Chinese man who allegedly helped Beijing’s Hafnium group conduct a series of high-profile cyberattacks in 2020 and 2021.
Xu Zewei, 33, faces charges of hacking into the computers of U.S. researchers studying the COVID-19 virus and exploiting vulnerabilities in Microsoft Exchange servers that kicked off a global attack spree. The Justice Department announced his indictment and arrest on Tuesday, along with charges against another Chinese man, 44-year-old Zhang Yu, who remains at large.
Both men carried out the attacks on behalf of China’s Ministry of State Security, prosecutors alleged.
During the campaign, Xu allegedly worked for a firm called Shanghai Powerock Network Co. Ltd., which prosecutors described as an “enabling” company used to conduct hacking operations at Beijing’s direction. Xu, Yu and their co-conspirators allegedly reported back to the MSS’s Shanghai State Security Bureau.
Authorities arrested Xu in Milan on July 3 as he disembarked from a flight from China. He faces up to 20 years in prison on two counts of wire fraud and conspiracy.
“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said Nicholas Ganjei, U.S. attorney for the Southern District of Texas.
Later in 2020, according to the indictment, Xu and his co-conspirators began to exploit vulnerabilities in Microsoft Exchange Server — flaws that others soon seized on in a global campaign of cyberattacks that struck thousands of Microsoft customers, including government agencies and businesses. The attack spree prompted a rare emergency warning from the Cybersecurity and Infrastructure Security Agency (CISA). The U.S. attributed the initial hacks to China a few months after they surfaced.
“This arrest caps off over a decade of indictments and other law enforcement efforts that were usually recognized as symbolic,” said John Hultquist, chief analyst at Google Threat Intelligence Group. “It has been generally accepted that these actors would never see the inside of a courtroom.”
Google and other companies have linked Hafnium to Silk Typhoon, a China-linked group that has recently focused on exploiting vulnerabilities to conduct supply chain attacks against various targets. Silk Typhoon is also tracked as UNC5221.