Stratos Ally

Italian Police Arrest Chinese National Linked to Global Hack Campaign

StratosAlly

Italian authorities have arrested 33-year-old Xu Zewei in Milan on suspicion of working with Silk Typhoon, a hacking group believed to be backed by Chinese state security. US investigators claim that Xu was involved in a series of cyber intrusions targeting American government agencies and private organizations.

The indictment lists multiple charges, among them wire fraud, unauthorized access to protected computers, and identity theft. The alleged attacks occurred from early 2020 to mid-2021. They involved exploiting previously unknown vulnerabilities in Microsoft Exchange Server, as part of a breach campaign publicly referred to as Hafnium.

Authorities allege that Xu worked alongside another individual, Zhang Yu, and both were believed to be following instructions from the Chinese Ministry of State Security, operating out of Shanghai. The operation focused on accessing sensitive data from numerous systems worldwide, including efforts to reach vaccine research held by American universities, such as the University of Texas, during the COVID-19 pandemic. 

The group they were tied to, known as Silk Typhoon or UNC5221, had a reputation for breaking into systems by exploiting newly discovered flaws in widely used software. They also targeted tech companies through compromised vendor links. It is believed they went after more than sixty thousand organizations across the United States, successfully breaching over twelve thousand of them during the attack wave known as Hafnium.

Investigators also linked Xu to a company called Shanghai Powerock Network Co Ltd, which they say was involved in helping cover the state’s role in the attacks by using private firms as intermediaries.

Xu is presently fighting repatriation, arguing that he has been misidentified. His lawyer pointed out that his surname is extremely common in China and said Xu had his phone stolen in 2020, possibly leading to misuse of his identity. 

Commenting on the arrest, Google security analyst John Hultquist said the impact would likely be limited, as many other state-sponsored groups remain active. Still, he noted the arrest might cause some potential hackers to reconsider joining such operations.
