China’s “hacker-for-hire ecosystem has gotten out of control,” according to Brett Leatherman, assistant director of the FBI’s cyber division.
This ecosystem includes private technology companies operating at the behest of the PRC’s intelligence agencies while allowing Beijing to maintain plausible deniability.
“Motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government,” Leatherman told reporters on Thursday.
Or, if the Chinese government won’t buy it, the hackers-for-hire “turn from cyber mercenaries into cyber dealers,” selling access to the compromised systems and stolen data to third parties on the dark web.
“This leads to a less secure environment that is ripe for further lawlessness,” Leatherman said.
Xu Zewei’s extradition and the criminal charges against him, however, should send a message to China’s contractor ecosystem, he added: “The protection you assume from operating inside China does not extend the moment you cross a border.”
Xu, a Chinese national, was extradited from Italy to the United States over the weekend and charged with nine hacking-related crimes. Italian cops arrested Xu last July.
According to American prosecutors, China’s Ministry of State Security (MSS) and Shanghai State Security Bureau allegedly directed Xu to hack thousands of computers and steal sensitive information in a way that hid the Chinese government’s involvement.
This happened between February 2020 and June 2021, and some of the digital intrusions were part of the 2021 campaign in which Hafnium (now better known as Silk Typhoon) exploited zero-day bugs in Microsoft Exchange and compromised hundreds of thousands of servers worldwide, including 12,700 organizations in the US alone.
Other intrusions targeted American universities and researchers working on COVID-19 vaccines, treatments, and testing during the height of the pandemic, prosecutors allege.
The indictment claims that at the time, Xu worked as a general manager at a company named Shanghai Powerock Network, which the feds previously linked to Hafnium/Silk Typhoon.
“Among other things, Xu worked on taskings from the SSSB, supervised hacking activity of other Powerock personnel in support of such taskings, coordinated hacking activities with fellow hacker Zhang Yu, and reported the results of the hacking activities to the SSSB,” according to the indictment [PDF].
The indictment also charges Zhang, a director at Shanghai Firetech Information Science and Technology Company who allegedly operated at the direction of the SSSB, along with two unnamed SSSB officers who directed the hacking operations.
Court records show Xu is charged with conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit aggravated identity theft, which carries a maximum penalty of five years in prison; conspiracy to commit wire fraud and two counts of wire fraud, each carrying a maximum penalty of 20 years; two counts of obtaining information by unauthorized access to protected computers, each carrying a maximum penalty of five years; two counts of intentional damage to a protected computer, each carrying a maximum penalty of 10 years; and one count of aggravated identity theft, which carries a mandatory consecutive two-year sentence.
Zhang remains at large, according to the DoJ. ®