HOUSTON

A Chinese national extradited to the United States this weekend made his initial court appearance Monday in federal court in Houston, facing charges tied to a global hacking campaign that allegedly targeted thousands of computers, including U.S. COVID-19 research systems.
Xu Zewei, 34, of the People’s Republic of China, was charged in a nine-count indictment alleging his role in computer intrusions from February 2020 to June 2021, according to court documents.
Prosecutors allege some of the intrusions were part of the HAFNIUM cyber campaign, which compromised thousands of computers worldwide, including in the United States. Other attacks allegedly targeted U.S. COVID-19 research at the height of the pandemic.
Xu is charged alongside Zhang Yu, 44, also a Chinese national.
Authorities allege Xu acted at the direction of officers with the People’s Republic of China’s Ministry of State Security (MSS) and its Shanghai State Security Bureau (SSSB) — intelligence agencies responsible for counterintelligence, foreign intelligence, and political security operations.
At the time of the alleged offenses, Xu worked for Shanghai Powerock Network Co. Ltd., described by prosecutors as one of several “enabling” companies used to conduct hacking operations on behalf of the Chinese government.
Quick Facts
- Defendant: Xu Zewei, 34, People’s Republic of China
- Charges: Nine-count indictment involving computer intrusions
- Timeline: February 2020 to June 2021
- Campaign: HAFNIUM cyberattack targeting thousands of systems
- Targets: U.S. COVID-19 research and global computer networks
- Co-Defendant: Zhang Yu, 44
- Alleged Direction: PRC Ministry of State Security (MSS) and SSSB
- Employer: Shanghai Powerock Network Co. Ltd.
Federal prosecutors allege a Chinese national and his co-conspirators targeted U.S. universities and COVID-19 researchers, then expanded into a global hacking campaign exploiting Microsoft email systems.
According to court documents, Xu Zewei, 34, and others in early 2020 hacked U.S.-based universities, including immunologists and virologists researching COVID-19 vaccines, treatments, and testing. Prosecutors say Xu reported directly to officers with China’s Shanghai State Security Bureau (SSSB), which supervised the intrusions.
On Feb. 19, 2020, Xu allegedly confirmed he had breached a research university in the Southern District of Texas. Days later, an SSSB officer directed him to access email accounts belonging to researchers. Xu later confirmed he had obtained the contents of those mailboxes.
By late 2020, prosecutors say Xu and his co-conspirators shifted to exploiting vulnerabilities in Microsoft Exchange Server, launching attacks tied to the HAFNIUM cyber campaign, which compromised thousands of computers worldwide.
In March 2021, Microsoft publicly disclosed the campaign, prompting emergency patches and mitigation efforts. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint advisory as hundreds of compromised systems remained vulnerable.
Victims allegedly included another Texas university and a global law firm with offices in Washington, D.C. Prosecutors say Xu and his co-conspirators installed web shells to maintain remote access, then searched stolen emails for information tied to U.S. policymakers and government agencies, using terms such as “Chinese sources,” “MSS,” and “Hong Kong.”
Authorities allege the operation was directed by China’s intelligence services and relied on private contractors to obscure government involvement. This network allegedly cast a wide net, stealing data for intelligence use or resale.
Xu faces multiple federal charges, including wire fraud, computer intrusion, intentional damage to protected computers, and aggravated identity theft, with potential penalties ranging from two to 20 years per count.
Co-defendant Zhang Yu, 44, remains at large.
