Chinese Hacker Nabbed on Italian Vacation Accused of Being Part of Silk Typhoon
July 15, 2025
Silk Typhoon has been one of the bigger and more active groups of Chinese hackers since at least 2020, but it looks to be down at least one member.
At the request of US authorities, Italian police detained Xu Zewei as he was visiting Milan with his wife on vacation. He is charged with being part of a group of Chinese hackers that stole Covid-19 vaccine research in 2020 and 2021, though the group's operations go far beyond that.
Xu was arrested on July 3 while passing through Milan's airport and is being held pending extradition to the US on charges of wire fraud, aggravated identity theft, and unauthorized access to computer systems, a combination that could carry decades in prison if he is convicted and given the maximum penalties.
Crack in the seeming invincibility of prolific Chinese hackers
Silk Typhoon has been one of the bigger and more active groups of Chinese hackers since at least 2020, but it does not grab headlines as often as some of its other "Typhoon" brethren because of its apparent focus on espionage against a relatively limited set of foreign countries. The group's biggest and noisiest operation so far was its wide-ranging exploitation of Microsoft Exchange Server vulnerabilities through 2020 and 2021, during which it targeted tens of thousands of small businesses. Since then it has also breached the US Treasury Department and stolen information on sanctions programs, though a follow-up report indicated that it accessed only unclassified material.
The Chinese hackers appear to have a special focus on the US but have also been observed operating in Australia, Japan, and Vietnam. The group's present focus is on compromising managed service providers, VPN appliances and similar targets that give it access to a broad range of potentially valuable downstream clients. While it is best known for continually scanning the internet for unpatched known vulnerabilities and exploiting them quickly, it also uses password-spray attacks and routinely trawls GitHub and similar sources for exposed credentials. None of these techniques depends on a novel exploit; each relies on a defender lapse, which is why patch latency, multi-factor authentication and secret hygiene are the controls that matter against this group.
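The password-spray technique mentioned above has a simple detection signature: one source address fails against many distinct accounts with only one or two attempts per account, which keeps it under per-account lockout thresholds that would catch a brute force. The following is an added example (not code from the article or from any vendor) that runs that logic over a constructed sample of authentication events; the log format, thresholds, addresses and usernames are all assumptions chosen for illustration.

```python
"""Password-spray detection over a constructed sample of authentication events.

A spray is the inverse of brute force: one source tries a few common passwords
against many accounts. The tell is a high count of distinct usernames per source
inside a short window, with few failures per individual account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample, loosely modelled on a VPN/SSH auth log. Not a real capture.
# 203.0.113.5 sprays six accounts, then retries one and lands a success on "bob".
# 198.51.100.7 is a classic brute force against a single account.
# 192.0.2.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2025-07-03T09:00:01Z auth FAIL user=alice src=203.0.113.5
2025-07-03T09:00:04Z auth FAIL user=bob src=203.0.113.5
2025-07-03T09:00:07Z auth FAIL user=carol src=203.0.113.5
2025-07-03T09:00:10Z auth FAIL user=dave src=203.0.113.5
2025-07-03T09:00:13Z auth FAIL user=erin src=203.0.113.5
2025-07-03T09:00:16Z auth FAIL user=frank src=203.0.113.5
2025-07-03T09:05:01Z auth FAIL user=alice src=203.0.113.5
2025-07-03T09:05:04Z auth OK user=bob src=203.0.113.5
2025-07-03T09:00:02Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:05Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:08Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:11Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:14Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:17Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:20Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:00:23Z auth FAIL user=admin src=198.51.100.7
2025-07-03T09:01:00Z auth FAIL user=alice src=192.0.2.9
2025-07-03T09:01:20Z auth OK user=alice src=192.0.2.9
"""

# Assumed line format: "<iso8601> auth <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src: (distinct_users, window_start)} for sources whose failures look like a spray.

    A source is flagged when, inside any sliding window, it fails against at least
    min_users distinct accounts while no single account sees more than max_per_user
    failures. The per-user cap separates sprays from single-account brute force.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    findings = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = (len(per_user), start)
                break  # one finding per source is enough
    return findings


def spray_successes(events, findings):
    """Return sorted (src, user) pairs where a flagged spray source later authenticated OK."""
    hits = {(src, user) for _, result, user, src in events
            if result == "OK" and src in findings}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_password_spray(evs)
    for src, (n_users, start) in found.items():
        print(f"spray from {src}: {n_users} distinct accounts starting {start.isoformat()}")
    for src, user in spray_successes(evs, found):
        print(f"  successful login after spray: {user} from {src}")
```

The thresholds are deliberately loose so the sample trips them; in production they should be tuned per service, and a success from a flagged source (here `bob` from `203.0.113.5`) is the event that should page someone, since it means the spray found a working credential.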
These groups usually operate from inside China, beyond the reach of arrest and prosecution, but this case shows that US authorities continually work to identify state-connected Chinese hackers and to track them whenever there is a sign of them leaving the country.
Chinese hacker claims police got the wrong man
Upon his arrest, Xu reportedly claimed that his accounts had been hacked and that he is innocent of any wrongdoing. US authorities maintain that he was a central figure in a 2020 Silk Typhoon campaign that targeted the University of Texas and other centers of Covid-19 research in a bid to steal information on vaccines under development. They have also named Zhang Yu as one of the key figures who worked with Xu in directing these operations; he remains at large. The pair are accused of working for a front company called "Shanghai Powerock Network" that took orders directly from the Shanghai State Security Bureau (SSSB) of the PRC's Ministry of State Security (MSS), which handles non-military foreign intelligence operations.
While it is very unusual for state-sponsored Chinese hackers to be caught, even an occasional case like this gives that country's talent pool some pause. Never being able to leave the country without looking over your shoulder is a substantial disincentive, and the Chinese government relies heavily on civilian contractors for these operations; prior leaks have shown that those contractors already feel overworked and underappreciated.