Milan Court Denies House Arrest Request from Chinese Hacker


Xu Zewei, Suspected Silk Typhoon Hacker, Will Remain in Custody in Italy

Xu Zewei’s arrival at Milan’s Malpensa Airport may now lead to significant legal consequences. (Image: Davide Olivati)

A Milan court has denied a house arrest request for Xu Zewei, a Chinese national facing potential extradition to the United States, on the grounds that he is a flight risk. The decision follows Xu’s arrest at Malpensa Airport in July, where he was taken into custody for alleged cyberespionage activities linked to the China-based advanced persistent threat group known as Silk Typhoon.

Xu is sought by the FBI for his purported role in targeting U.S. researchers involved in coronavirus vaccine development in 2020. The court rejected the defense’s plea for house arrest, citing substantial evidence of guilt in U.S. investigative reports and a high perceived risk of escape. He remains detained in a facility near Milan while his extradition case unfolds.

Facing a nine-count federal indictment in the U.S., Xu and his alleged accomplice Zhang Yu have been charged with conspiracy and multiple other offenses, including wire fraud and unauthorized access to protected systems. If convicted, Xu faces a possible 60-year prison sentence. Zhang remains at large.

The U.S. now has two weeks to submit the requisite extradition documentation. Prosecutors allege that Xu and Zhang operated out of the Ministry of State Security in Shanghai, targeting vaccine research efforts from February 2020 to June 2021. Xu is identified as the head of Shanghai Powerock Network Technology Co., a front company associated with Silk Typhoon, also referred to as APT27.

The hacking group is known for exploiting zero-day vulnerabilities, as well as employing malware like the China Chopper backdoor for remote system access. Experts suggest that Xu’s expertise in cybersecurity and his alleged affiliations with Chinese intelligence were decisive factors in the court’s ruling against house arrest.

Analysts from Natto Thoughts further indicated that Xu had previously held a position at Chaitin Tech, an organization recognized for its work on vulnerability research—a detail that might complicate the legal proceedings as multiple jurisdictions are involved. Xu’s attorney claims his client is a victim of mistaken identity but did not respond promptly to requests for additional comment.

Overall, the implications of this case extend beyond Xu’s potential extradition. Should China pursue competing claims for his extradition, it could introduce further complexities. The MITRE ATT&CK framework highlights critical adversarial tactics such as initial access, persistence, and operational coordination as potentially being deployed in the incidents tied to Xu and his associates, underscoring the evolving risks posed by state-sponsored cyber threats.
