{"id":206609,"date":"2026-04-28T05:04:00","date_gmt":"2026-04-28T09:04:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/28\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks-hstoday\/"},"modified":"2026-04-28T05:10:09","modified_gmt":"2026-04-28T09:10:09","slug":"chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks-hstoday","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/28\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks-hstoday\/","title":{"rendered":"Chinese State-Sponsored Contract Hacker Extradited to U.S. Over COVID-19 Research Cyberattacks \u2013 HSToday"},"content":{"rendered":"<p><a href=\"https:\/\/www.hstoday.us\/subject-matter-areas\/cybersecurity\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks\/\">Chinese State-Sponsored Contract Hacker Extradited to U.S. Over COVID-19 Research Cyberattacks \u2013 HSToday<\/a><\/p>\n<p><a href=\"https:\/\/www.hstoday.us\/subject-matter-areas\/cybersecurity\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks\/\">https:\/\/www.hstoday.us\/subject-matter-areas\/cybersecurity\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-28 05:04:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.hstoday.us\">www.hstoday.us<\/a><\/p>\n<p>Xu Zewei (\u5f90\u6cfd\u4f1f), 34, of the People\u2019s Republic of China was extradited to the United States over the weekend and has appeared in U.S. 
District Court in Houston on a nine-count indictment\u00a0related to his involvement in computer intrusions between February 2020 and June 2021. Certain of those computer intrusions allegedly are part of the HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States. Other intrusions targeted U.S. COVID-19 research during the height of the pandemic. Xu is charged along with Zhang Yu (\u5f20\u5b87), 44, who is also a PRC national.<br \/>\nAccording to court documents, officers of the PRC\u2019s Ministry of State Security\u2019s (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for PRC\u2019s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC\u2019s political and domestic security. When Xu conducted the computer intrusions, he allegedly worked for a company named Shanghai Powerock Network Co. Ltd. (Powerock). Powerock was one of many \u201cenabling\u201d companies in the PRC that conducted hacking for the PRC government.<br \/>\n\u201cThe United States is committed to pursuing hackers who steal information from U.S. businesses and universities and threaten our cybersecurity,\u201d said Assistant Attorney General for National Security John A. Eisenberg. \u201cI commend the prosecutors and investigators who have worked hard and sought justice for years in this investigation, and we look forward to proving our case in court.\u201d<br \/>\n\u201cToday, Xu Zewei will stand in a federal courtroom to answer for crimes that struck at the heart of American science and security \u2014 allegedly stealing COVID-19 research from our universities when the world needed it most,\u201d said Acting U.S. Attorney John G.E. Marck for the Southern District of Texas. 
\u201cWe have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people.\u201d<br \/>\n\u201cThe extradition of Xu Zewei demonstrates the FBI\u2019s reach extends well beyond U.S. borders,\u201d said Assistant Director Brett Leatherman of the FBI\u2019s Cyber Division. \u201cXu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China\u2019s Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk. The FBI thanks our Italian law enforcement colleagues, especially the Polizia Postale, whose partnership led to Xu\u2019s arrest in Milan and his extradition to the United States.\u201d<br \/>\nAccording to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID\u201119 vaccines, treatment, and testing. Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. 
Xu later confirmed for the SSSB officer that he acquired the contents of the researchers\u2019 mailboxes.<br \/>\nThe charges further allege that beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely-used Microsoft product for sending, receiving, and storing email messages. Their exploitation of Microsoft Exchange Server was at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as \u201cHAFNIUM.\u201d In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. Throughout March 2021, Microsoft and other industry partners\u00a0released detection tools, patches, and other information\u00a0to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a\u00a0Joint Advisory on Compromise of Microsoft Exchange Server\u00a0on March 10, 2021. However, by the end of March 2021, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software. In April 2021, the Justice Department\u00a0announced\u00a0a court-authorized operation to remediate hundreds of computers in the United States made vulnerable by HAFNIUM actors. In\u00a0July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC\u2019s MSS.<br \/>\nAmong the victims of Xu\u2019s alleged exploitation of Microsoft Exchange Server were another university located in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration. The indictment alleges that these web shells were specific to HAFNIUM actors at the time. 
As with the earlier COVID-19 research intrusions, Xu and Zhang worked together on the HAFNIUM intrusions, under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the other university\u2019s network. Later, on or about Feb. 28, 2021, Xu updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other, successful intrusions from a second SSSB officer. Unauthorized access to the law firm\u2019s network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms included \u201cChinese sources,\u201d \u201cMSS,\u201d and \u201cHongKong.\u201d<br \/>\nAs described in the July 2025\u00a0announcement\u00a0of charges against Xu, the PRC uses an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government\u2019s involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. 
This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.<br \/>\nXu is charged with conspiracy to commit wire fraud and two counts of wire fraud, which carries a maximum penalty of 20 years in prison for each count; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft, which carries a maximum penalty of five years in prison; two counts of obtaining information by unauthorized access to protected computers, which carries a maximum penalty of five years in prison; two counts of intentional damage to a protected computer, which carries a maximum penalty of 10 years in prison; and aggravated identity theft, which carries a maximum penalty of two years in prison. Zhang Yu remains at large.<br \/>\nThe FBI\u2019s Houston Field Office is investigating the case.<br \/>\nAssistant U.S. Attorney Mark McIntyre for the Southern District of Texas and Deputy Chief Matthew Anzaldi of the National Security Division\u2019s National Security Cyber Section are prosecuting the case. The U.S. Department of Justice\u2019s Office of International Affairs secured the arrest and extradition from Italy of Xu. The United States thanks the Government of Italy for its assistance extraditing Xu to the United States, including the Cyber Division of the Italian National Police for its valuable assistance.<br \/>\nNote:\u00a0View the indictment in\u00a0U.S. v. Xu Zewei et al.\u00a0here.<br \/>\nThe original announcement can be found here.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chinese State-Sponsored Contract Hacker Extradited to U.S. 
Over COVID-19 Research Cyberattacks \u2013 HSToday https:\/\/www.hstoday.us\/subject-matter-areas\/cybersecurity\/chinese-state-sponsored-contract-hacker-extradited-to-u-s-over-covid-19-research-cyberattacks\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":206610,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.hstoday.us\/wp-content\/uploads\/2024\/03\/iStock-1137730846.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,35],"class_list":["post-206609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-hacker"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206609"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=206609"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206609\/revisions"}],"predecessor-version":[{"id":206611,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206609\/revisions\/206611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/206610"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=206609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=206609"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=206609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}