A Chinese hacker allegedly belonging to Silk Typhoon, the state-sponsored Chinese hacking group behind the Microsoft Exchange Server attacks of 2021 among other major actions, was picked up in Milan on July 3 on a US arrest warrant.

Xu Zewei is accused of being a member of the team that breached the University of Texas in 2020 to access information about a Covid vaccine in development. He is awaiting extradition to the US to face charges of wire fraud, aggravated identity theft, and unauthorized access to computer systems. If convicted on these charges he could face decades in prison, and some of the charges carry a mandatory minimum sentence of five years.

Accused Chinese hacker tells Italian authorities someone hacked into his accounts

The Chinese hacker will sit in the custody of Italian authorities for now, where he is reportedly claiming that he was not involved and that the real perpetrator must have hacked into his accounts.

Zewei is a 33-year-old Chinese national and resident of Shanghai, picked up by local authorities as he was passing through Milan’s Malpensa airport with his wife. The Southern District of Texas U.S. Attorney’s Office has accused him of being a ringleader of the group that attempted to raid the University of Texas in 2020, along with fellow Chinese national Zhang Yu (who remains at large). The pair are accused of taking orders between February 2020 and June 2021 from the PRC Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB), a unit tasked with non-military foreign intelligence among other duties.

Intercepts of Zewei’s communications reveal that he was breaching university networks as early as mid-February 2020, reporting to superiors that he had compromised the email inboxes of specific virologists and immunologists as well as a University of Texas network. The Chinese hackers made use of the well-documented Microsoft Exchange Server vulnerabilities that emerged in late 2020 and were exploited well into 2021.

Zewei is accused of working for a company called “Shanghai Powerock Network,” which served as a third-party civilian contractor carrying out state-backed hacking tasks. The broad scope of the government’s use of civilian Chinese hackers through companies such as these was exposed by the I-Soon leaks of early 2024. A disgruntled former employee was thought to have leaked internal company documents in that case, providing victim data and client lists that clearly tied I-Soon to PRC operations against foreign targets. Interestingly, the leak also showed that the civilian contractors frequently grumble about working conditions and low pay, and that their government clients have similar complaints about the quality of the contractors’ work.

Chinese hackers previously breached US treasury, cybersecurity vendors

Though Zewei was not personally linked to any other specific actions, Silk Typhoon has been active and has logged numerous other high-profile attacks since at least 2020. Its most infamous campaign was a far-reaching exploitation of the Microsoft Exchange Server vulnerabilities that were available during the same period in which it was pursuing Covid research; that campaign targeted about 68,000 organizations in the US (mostly small businesses) in total and successfully broke into over 12,700 of them.

In 2024, the group was also able to breach cybersecurity vendor BeyondTrust and steal a Remote Support SaaS API key that gave it access to the US Treasury among other downstream targets. The Chinese hackers breached the Treasury’s Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS) looking for private information on sanctions, but a CISA follow-up report indicated that they were only able to access unclassified information.

Silk Typhoon is more “below-the-radar” than some other state-sponsored hacking groups due to its apparent sole focus on espionage when operating in foreign nations, but it has targeted numerous organizations in Australia, Japan, and Vietnam along with the US. In addition to government and academic targets, the group has also gone after certain sectors of private industry such as health care firms and law offices. A March report from Microsoft Threat Intelligence indicates that the group recently switched its tactics and focus to seeking out unpatched known vulnerabilities in remote management tools, VPNs and cloud applications as an initial point of entry. The group particularly hunts for upstream access that yields an assortment of valuable downstream clients, as it did with its prior BeyondTrust attack. While it prefers seeking out vulnerabilities in the wild, the Microsoft researchers note that it also frequently engages in password spray attacks and trawls GitHub and similar public repositories for unprotected credentials.

The Microsoft researchers urge frequent patching of all public-facing devices to deter the group, as well as monitoring for service principal sign-ins from unusual locations and enabling risk-based user sign-in protection.
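As an added illustration of the second recommendation above (this code is not from the article, Microsoft, or any referenced report), the following script baselines which countries each service principal normally signs in from and flags later sign-ins from anywhere else. The record layout and log lines are constructed for the example and only loosely resemble real service principal sign-in log fields.

```python
"""Flag service principal sign-ins from locations absent from the principal's baseline.

Constructed example: the record fields (ts, spn, ip, country, result) are a simplified
stand-in for the fields a real service principal sign-in log would carry.
"""
from collections import defaultdict

# Constructed sample log. Records before the learning cutoff form the baseline;
# the rest are evaluated against it. "XX" is a placeholder for an unexpected country.
SAMPLE_SIGNINS = [
    {"ts": "2025-03-01T08:00:00Z", "spn": "backup-agent", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"ts": "2025-03-02T08:00:00Z", "spn": "backup-agent", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"ts": "2025-03-02T09:00:00Z", "spn": "ci-deployer",  "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"ts": "2025-03-10T03:12:00Z", "spn": "backup-agent", "ip": "192.0.2.44",   "country": "XX", "result": "success"},
    {"ts": "2025-03-10T03:14:00Z", "spn": "ci-deployer",  "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"ts": "2025-03-10T03:20:00Z", "spn": "ci-deployer",  "ip": "192.0.2.44",   "country": "XX", "result": "failure"},
]


def build_baseline(records):
    """Map each service principal to the set of countries it signed in from successfully."""
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            baseline[r["spn"]].add(r["country"])
    return baseline


def find_unusual_signins(records, baseline):
    """Return records whose country is not in the principal's baseline.

    Failed attempts are deliberately kept: a non-interactive identity failing from a
    new location is exactly what a password spray or a leaked credential looks like.
    """
    alerts = []
    for r in records:
        known = baseline.get(r["spn"], set())
        if r["country"] not in known:
            alerts.append({**r, "known_countries": sorted(known)})
    return alerts


def run(records, learn_until):
    """Split the log at an ISO-8601 cutoff (lexical order == chronological order here)."""
    learning = [r for r in records if r["ts"] < learn_until]
    evaluate = [r for r in records if r["ts"] >= learn_until]
    return find_unusual_signins(evaluate, build_baseline(learning))


if __name__ == "__main__":
    for a in run(SAMPLE_SIGNINS, "2025-03-05T00:00:00Z"):
        print(f"{a['ts']} {a['spn']} from {a['ip']} ({a['country']}) "
              f"baseline={a['known_countries']} result={a['result']}")
```

In a real deployment the baseline would be rebuilt on a rolling window and the country field replaced or supplemented with ASN or IP range, since many service principals only ever run from a fixed set of addresses.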

John Hultquist, Chief Analyst for the Google Threat Intelligence Group, notes that this arrest in isolation will likely have little impact on Silk Typhoon’s operations but may have a ripple effect through the labor force of civilian Chinese hackers: “This arrest caps off over a decade of indictments and other law enforcement efforts that were usually recognized as symbolic. It has been generally accepted that these actors would never see the inside of a courtroom. This is a good reminder that patience can be rewarded. Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage. Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”