A Chinese language nationwide has been arrested in Milan, Italy, for his alleged hyperlinks to a state-sponsored hacking group often known as Silk Hurricane and for finishing up cyber assaults in opposition to American organizations and authorities companies.
The 33-year-old, Xu Zewei, has been charged with 9 counts of wire fraud and conspiracy to trigger injury to and procure info by unauthorized entry to protected computer systems, in addition to committing aggravated identification theft. Particulars of the arrest had been first reported by Italian media.
Xu is alleged to have been concerned within the U.S. pc intrusions between February 2020 and June 2021, together with a mass assault spree that leveraged then-zero-day flaws in Microsoft Trade Server, a cluster of exercise the Home windows maker designed as Hafnium.
The suspect can be accused of collaborating in China’s espionage efforts throughout the COVID-19 pandemic, trying to realize entry to vaccine analysis at varied U.S. universities, together with the College of Texas.
Xu, alongside co-defendant and Chinese language nationwide Zhang Yu, are believed to have undertaken the assaults primarily based on instructions given by the Ministry of State Safety’s (MSS) Shanghai State Safety Bureau (SSSB).
“Starting in late 2020, Xu and his co-conspirators exploited sure vulnerabilities in Microsoft Trade Server, a broadly used Microsoft product for sending, receiving and storing electronic mail messages,” the Justice Division mentioned. “Their exploitation of Microsoft Trade Server was allegedly on the forefront of an enormous marketing campaign focusing on hundreds of computer systems worldwide and recognized publicly as ‘Hafnium.'”
Silk Hurricane, which overlaps with UNC5221, is understood for its use of zero-day vulnerabilities and profitable compromises of expertise companies in provide chain assaults. The group is alleged to have focused over 60,000 U.S. entities, efficiently victimizing greater than 12,700 with a view to steal delicate info by the Hafnium marketing campaign.
In earlier disclosures, Silk Hurricane has demonstrated a choice for focusing on sectors tied to mental property and nationwide resilience, comparable to healthcare, protection, and significant infrastructure. Their campaigns usually contain a mixture of credential harvesting, provide chain compromise, and long-term entry operations—indicative of a broader mandate targeted on each fast and strategic intelligence assortment.
Whereas Hafnium is broadly categorized as a complicated persistent risk (APT), analysts linking its exercise to UNC5221 have mapped key methods—like preliminary entry by CVE-2021-26855 and lateral motion by way of PowerShell scripts—to MITRE ATT&CK patterns. The overlap displays a broader APT ecosystem that blends zero-day exploitation, outsourced contractor operations, and long-term entry methods—core themes in ongoing discussions round attribution and cyber protection posture.
The Justice Division has additionally claimed that Zewei labored for an organization named Shanghai Powerock Community Co. Ltd. when the assaults had been carried out, lending additional credence to different studies that China is leveraging an array of contractors and personal companies to launch state-sponsored espionage campaigns in an effort to obscure the federal government’s involvement.
A latest evaluation of leaked Chinese language datasets that appeared on sale on DarkForums, an English-language cybercrime discussion board, has shed additional gentle on the shadowy hack-for-hire scene within the nation. The cache allegedly incorporates personal paperwork associated to VenusTech, a serious IT safety vendor in China with a give attention to serving authorities shoppers, and Salt Hurricane, per SpyCloud.
The VenusTech paperwork, leaked by a consumer named IronTooth, reference already hacked organizations, along with containing contract info displaying varied Chinese language authorities entities to which the corporate gives its providers.
The second batch is alleged to incorporate particulars about a number of workers behind the Salt Hurricane hacking group and knowledge on 242 hacked routers. Additionally leaked by ChinaBob, the DarkForums consumer who has marketed the dataset, is a spreadsheet that purportedly exhibits transactions between varied governments prospects and their sellers.
The doc lists three totally different vendor firms: Sichuan Zhixin Ruijie Community Expertise Firm Restricted, Beijing Huanyu Tiangiong Info Expertise Firm Restricted, and Sichuan Juxinhe Community Expertise Firm Restricted. It is value noting that Sichuan Juxinhe was sanctioned by the U.S. Treasury Division earlier this January for its ties to Salt Hurricane.
“Whereas the origin of those leaks is unsure, this knowledge showing on the market on a Western hacking discussion board matches into just a few overarching traits that we now have noticed from monitoring Chinese language cybercriminal communities: China’s state-sanctioned knowledge assortment and intelligence equipment is leaky [and] cybercriminals from the Sinosphere look like more and more current in Western digital crime areas,” SpyCloud mentioned.
In response to a report from Reuters, Xu has opposed the extradition request, claiming a case of mistaken identification. Xu’s lawyer added his surname is kind of widespread in China and that his cell phone had been stolen from him in 2020.
“Sadly, the influence of this arrest will not be felt instantly. There are a number of groups composed of dozens of operators who’re going to proceed to hold out cyber espionage,” John Hultquist, Chief Analyst, Google Menace Intelligence Group (GTIG), mentioned in an announcement shared with The Hacker Information.
“Authorities sponsors are usually not going to be deterred. The arrest is unlikely to convey operations to a halt and even considerably sluggish them, however it could give a few of these gifted younger hackers a cause to assume twice earlier than getting concerned on this work.”
