Fighting against Chinese cyber-espionage, FBI hunts down members of Chinese hacking networks
An arrest in Italy marks the first time the FBI has laid hands on a person they believe is a Chinese government-backed hacker. Chinese officials called the action "smears and vilifications." The man arrested says it's a case of mistaken identity.
When Chinese national Xu Zewei stepped off a plane at Milan's Malpensa airport for a vacation with his wife, Italian authorities arrested him. The Italians executed an American warrant issued by investigators for his alleged role in one of the most prolific Beijing-backed cyber-espionage campaigns of recent years.
Before Xu’s July 3 arrest, the Justice Department often charged alleged Chinese hackers in absentia. But now, the Trump administration has detained for the first time one of Beijing’s suspected cyber operators as part of its wider effort to combat Chinese espionage against the United States.
The Justice Department announced Xu's arrest earlier this week and outlined the charges against him, which are laid out in a nine-count indictment that also names one co-defendant. The pair are accused of involvement in computer intrusions that compromised personal data, intellectual property, COVID-19 research at U.S. universities, and law firm materials, the Justice Department said.
The arrest of Xu Zewei in Italy marks one of the first recorded cases of the FBI apprehending a suspected Chinese hacker. The FBI’s Houston Field Office, which led the case, said in a social media post shortly after the announcement that Xu Zewei was “one of the first hackers linked to Chinese intelligence services to be captured by the FBI.”
Vulnerabilities in Microsoft product exploited
China delivered a sharp criticism of Xu’s arrest in a statement on Thursday and said Beijing completely rejects “any smears and vilification” about alleged cyber activities. “China firmly opposes the use of long-arm jurisdiction and opposes the US’ disguised extradition of Chinese nationals via a third country,” said a spokeswoman for the Chinese Foreign Ministry.
Xu, along with a co-conspirator identified as Zhang Yu, allegedly hacked into computer systems between 2020 and 2021, including as part of the HAFNIUM computer intrusion campaign that compromised thousands of computers globally by exploiting vulnerabilities in a Microsoft product. U.S. prosecutors are seeking Xu's extradition to the United States. The Justice Department said that Zhang is still at large.
FBI Director Kash Patel touted the arrest on Thursday in a post to X. "Xu is accused of hacking U.S. universities and stealing critical COVID-19 research on behalf of the Chinese Communist Party," Patel said. "The CCP’s relentless attacks on our institutions will not go unanswered. The FBI will hunt down those who threaten our national security—wherever they hide."
The Justice Department alleges Xu was a general manager at China-based Shanghai Powerock Network, which the department says conducts hacking operations at the direction of the Shanghai State Security Bureau, a local branch of China's Ministry of State Security, its chief intelligence agency.
The FBI said that Powerock is one of "many 'enabling' companies in the PRC that conducted hacking for the PRC government."
The indictment accuses Xu, alongside both his named and unindicted co-conspirators, of hacking into the networks of several U.S. universities and into the accounts of immunologists and virologists in early 2020, seeking information on COVID-19 vaccine research. The hacks were intended to "steal the victims' data, including COVID-19 research, for the benefit of PRC-based entities and the strategic benefit of the PRC government," the prosecutors said.
The indictment did not name the universities, but identified their locations. The first was a university in the Southern District of Texas that engaged in research on "COVID-19 vaccines, treatments, and testing." The second, a university in North Carolina, conducted research in the same areas. The third is also located in the Southern District of Texas.
The hackers also targeted a law firm in Washington, D.C., the indictment alleges. That intrusion was aimed at information concerning "U.S. policymakers and government agencies." The hackers explicitly searched for material on "Chinese sources," "MSS" (the Ministry of State Security), and "Hong Kong."
The Justice Department says both Xu's and Zhang's alleged hacking activities were one component of an extensive Chinese Communist Party-directed campaign that exploited vulnerabilities in Microsoft's Exchange Server email software. The campaign drew wide attention in March 2021, when Microsoft disclosed that on-premises Exchange Server installations were being attacked through previously unknown vulnerabilities and released emergency patches. The company attributed the intrusions to HAFNIUM, a group it assessed to be state-sponsored and operating out of China.
Tens of thousands in U.S. targeted
KrebsOnSecurity reported at the time the breach was discovered that "at least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments" were attacked by what cyber-security experts called "an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations."
“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information,” Assistant Director Brett Leatherman of FBI’s Cyber Division said in a statement.
Xu’s lawyer said on Tuesday during an appearance before an appeals court in Milan that the FBI has mistaken his client’s identity and that Xu’s mobile phone had been stolen in 2020, Reuters reported. Xu also argues that his surname is very common in China, according to his lawyer. That Italian appeals court will decide whether to approve Xu’s extradition to the United States.
Prior to Xu's arrest, the United States often charged suspected Chinese hackers in absentia, since the defendants remained beyond reach inside China. The Xu case is a significant expansion of the United States' effort to target China's hacking infrastructure, and it aligns with President Trump's renewed focus on combating Chinese cyber espionage specifically.
Chinese cyber operations have been an ongoing issue in U.S.-China relations for decades, and China has shown little willingness to adhere to agreements that would curb the behavior.
Obama and China had an agreement that the PRC soon ignored
In late 2015, the Obama Administration and the PRC came to an agreement that intended to prevent “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage,” according to the U.S. announcement.
Within a year of the agreement, a review by the Council on Foreign Relations noted that independent reports had found the volume of Chinese hacking did in fact decrease, yet experts remained concerned that Chinese intrusions would become more targeted and sophisticated in its aftermath.
By 2018, according to The Wall Street Journal, United States officials began to publicly acknowledge that China had not lived up to its end of the cybersecurity agreement. Rob Joyce, who served as a cybersecurity advisor to the first Trump administration until 2018, told a conference that year that China's commitment to the deal had significantly eroded.
“It is clear they are well beyond the bounds of the agreement today that was forged between our two countries,” Joyce said in 2018.
In his second term, President Trump has placed a renewed focus on addressing Beijing’s hacking campaigns directed at the United States.
Executive orders, presidential directives and criminal prosecutions
In June, Trump signed an executive order aimed at improving “critical protections” against foreign cyber threats across the whole of society, both in the public and private sectors. The order directs agencies to improve encryption, secure software standards, and protection of network infrastructure to prevent easy access by hackers to interconnected systems.
Executive orders are not the only instrument available to the U.S. government in cyber conflict. According to the Electronic Privacy Information Center (EPIC), "Presidential directives are used as an instrument of national security to affect cybersecurity policy and generally derive from the policy papers produced by the National Security Council (NSC) that advise the president on national security issues." Presidential directives are not required to be published in the Federal Register and are often highly classified.
To counter Beijing's cyber espionage, the Trump administration has also pursued criminal charges against Chinese hackers for campaigns against both public and private entities across the U.S. Earlier this year, the Justice Department charged 12 Chinese nationals for allegedly hacking U.S. companies, government agencies, and cities. The hacks targeted U.S.-based critics of Beijing, the foreign ministries of other Asian governments, and U.S. federal and state agencies, CNN reported.
The best defense may be a good offense
Chairman of the House Select Committee on the Chinese Communist Party, Rep. John Moolenaar, R-Mich., said in March that the Trump administration is also looking to mount “aggressive,” offensive cyber operations against Beijing.
Moolenaar said the new administration “has already shown a willingness to take a more aggressive stance in cyberspace.” According to the chairman, the president’s top advisors and National Security Council officials are “signaling that America is no longer only playing defense. We are actively engaging to erode our adversaries’ cyber capabilities.”