Alleged 'Hafnium' hacker-for-hire extradited to the United States


Accused of compromising more than 12,700 organisations.

A Chinese national accused of directing attacks as part of the large scale Hafnium intrusion campaign has appeared in court in the United States after being extradited from Italy over the weekend.


Xu Zewei [徐泽伟], 34, appeared in the US District Court in Houston on a nine-count indictment covering computer intrusions alleged to have been carried out between February 2020 and June 2021, the US Department of Justice (DoJ) said.

He was arrested in Milan, Italy, with the help of the nation's cyber police, the Polizia Postale.

The Hafnium campaign exploited vulnerabilities in Microsoft Exchange Server and compromised more than 12,700 North American organisations, according to the Federal Bureau of Investigation (FBI).

Although the Hafnium campaign was first documented by Microsoft in March 2021, it is thought to have started in late 2020.

Xu and associates used a zero-day vulnerability, indexed as CVE-2021-26855, to plant so-called web shells, which allow remote access to Exchange servers.

Through the web shells, the hackers were able to search Exchange mailboxes for information on specific US policymakers and government agencies for intelligence collection.

“Xu will now answer for his alleged role in Hafnium, a group responsible for a vast intrusion campaign directed by China's Ministry of State Security that compromised more than 12,700 US organisations,” the FBI's Cyber Division assistant director Brett Leatherman said in a statement.

Xu is also alleged to have targeted American universities, immunologists, and virologists engaged in Covid-19 vaccine and treatment research, and is accused of stealing several gigabytes of data from a single institution alone.

The attacks on academic and research institutions are said to have taken place between February 2020 and the end of April that same year, prior to the Hafnium campaign and shortly after the pandemic started.

In the November 2023 indictment against Xu and his co-accused, he is alleged to have been directed and supervised in the hacking by the Shanghai State Security Bureau (SSSB), part of China's Ministry of State Security (MSS).

Xu was the general manager of Shanghai Powerock, and his co-defendant Zhang Yu was a director of Shanghai Firetech Information Science and Technology Company.

Both of these companies are described in the US indictment as being part of a broader network of commercial entities used to obscure Beijing's involvement in state-sponsored and directed hacking operations.

Zhang Yu remains at large.

The pair each face up to a decade in jail if convicted.

Copyright © iTnews.com.au . All rights reserved.