Chinese Hacker Linked to Silk Typhoon Charged with Stealing COVID Data
U.S. prosecutors are seeking the extradition of Xu Zewei, a 33-year-old Chinese national, on charges of taking part in cyber-espionage operations funded by the Chinese government. He is accused of breaking into the University of Texas to steal COVID-19 vaccine information and of participating in the large-scale 2021 attacks on Microsoft Exchange servers. Xu was recently arrested in Milan and faces multiple criminal counts. 2025-7-9 04:30:8 Author: securityboulevard.com

U.S. prosecutors want to extradite a 33-year-old Chinese national back to the United States to face charges for allegedly participating in Beijing state-sponsored cyberespionage operations that included hacking into a university in Texas in 2020 to steal information about COVID-19 vaccines and the widespread attack on Microsoft Exchange Servers in 2021 by the group Silk Typhoon.

Xu Zewei was arrested last week in Milan’s Malpensa Airport by Italian law enforcement acting on a warrant from the U.S. Justice Department (DOJ), according to Italian news service ANSA.

Xu and a co-defendant, Zhang Yu, are named in a nine-count indictment that was unsealed this week that accuses them of participating in the hacking of universities, virologists, and immunologists working on COVID-19 vaccines and treatments between February 2020 to June 2021.

Prosecutors also say that starting in late 2020, Xu was part of the group Silk Typhoon – also known as Hafnium – that exploited a vulnerability in Microsoft Exchange Server. Silk Typhoon is one of several high-profile Chinese state-sponsored espionage groups that for years have targeted government agencies and critical infrastructure in the United States and elsewhere.

The indictment charges Xu and Yu with a range of crimes, including conspiracy, wire fraud, obtaining information by unauthorized access, and intentional damage to a protected computer. Yu remains at large.

Microsoft Exchange Server Compromise

The compromise of Microsoft Exchange Server kicked off a campaign in 2021 aimed at thousands of computers around the world that became publicly known as the Hafnium attacks. After exploiting the vulnerabilities, Xu and unnamed co-conspirators installed web shells on the compromised servers that let them control the systems remotely. Microsoft disclosed the massive intrusion campaign in March 2021.

“In February 2020, as the world entered a pandemic, Xu Zewei and other cyber actors working on behalf of the Chinese Communist Party (CCP) targeted American universities to steal groundbreaking COVID-19 research,” Assistant Director Brett Leatherman of FBI’s Cyber Division said in a statement. “The following year, these same actors, operating as a group publicly known as HAFNIUM, exploited zero-day vulnerabilities in U.S. systems to steal additional research.”

Leatherman said the Hafnium campaign targeted more than 60,000 U.S. entities, successfully victimizing more than 12,700 of them, with the goal of stealing sensitive information. Among the victims were another Texas university and a law firm with offices around the world, including Washington D.C.

Chinese Government’s Hacking Operations

News of Xu’s arrest comes four months after the DOJ charged 12 Chinese nationals in a sprawling indictment that detailed how Chinese government agencies such as the Ministry of Public Security (MPS) and the Ministry of State Security (MSS) essentially ran a hacker-for-hire operation, using contract hackers and Chinese companies in espionage campaigns against U.S. federal and state government agencies, dissidents and critics of the Chinese government in the United States, and the foreign ministries of countries such as Taiwan, South Korea, and India.

That said, the DOJ has been after Xu for years, with the indictment being handed up in November 2023 but kept sealed until this week. When running his hacks on computers, Xu worked for a company named Shanghai Powerock Network Co. Ltd., which the DOJ said was “one of many ‘enabling’ companies in the PRC [People’s Republic of China] that conducted hacking for the PRC government.”

He was directed to conduct the attacks by the MSS and Shanghai State Security Bureau (SSSB), another PRC intelligence agency, according to the indictment.

Targeting COVID-19 Researchers

Prosecutors have collected detailed information about Xu’s involvement in both the hacking of COVID-19 researchers and the exploitation of Microsoft Exchange Servers. On February 19, 2020, Xu confirmed to an SSSB officer that he had compromised the network of a Texas research university. Three days later, the SSSB officer told Xu to access the email accounts of virologists and immunologists researching COVID-19 at the schools, and Xu later confirmed he had obtained the contents of those mailboxes.

In the Hafnium campaign, Xu confirmed on January 30, 2021, that he had compromised another university’s network and updated an SSSB officer a month later about his intrusions. Xu also stole information from email accounts and searched them for information about U.S. policy makers and government agencies, using search terms including “Chinese sources,” “MSS,” and “HongKong.”

Microsoft has continued to track Silk Typhoon, noting in a report in March that the group was changing tactics to target common IT solutions such as remote management tools and cloud applications as avenues for gaining initial access into corporate networks and for attacking IT supply chains. The targets include remote management and monitoring (RMM) vendors, MSPs, and companies in sectors such as health care, defense, and government.

Family Denies Charges

According to the Italian news agency ANSA, the extradition hearing for Xu was scheduled to take place July 7. His family told Italian authorities that Xu works as an IT manager at Shanghai GTA Semiconductor and that his getting an entry visa into Italy was confirmation that he hadn’t committed a crime.

His lawyer, Enrico Giarda, told reporters after a hearing before an appeals court that Xu suggested someone may have hacked into his account and that his mobile phone was stolen in 2020. Giarda also noted that his client’s surname is a common one in China.

Source: https://securityboulevard.com/2025/07/chinese-hacker-linked-to-silk-typhoon-charged-with-stealing-covid-data/?utm_source=rss&utm_medium=rss&utm_campaign=chinese-hacker-linked-to-silk-typhoon-charged-with-stealing-covid-data