The US allege that the hacker stole critical COVID-19 research from universities at the behest of the Chinese government
Analysis Summary
# Threat Actor: Unnamed Chinese APT Linked to Xu Zewei
## Attribution & Identity
The actors are linked to **State-sponsored activities ordered by People’s Republic of China (PRC) intelligence agencies**. Specific attribution is made through the arrest of **Xu Zewei (aged 33)**, who allegedly worked for the company **Shanghai Powerock Network Co. Ltd.** The US government believes the PRC uses private companies and contractors like Powerock to obfuscate state involvement in cyber operations. A co-defendant, **Zhang Yu**, is also named but remains at large.
## Activity Summary
The primary activity highlighted is involvement in the **theft of COVID-19 research from American universities**. Additionally, the actor (Xu Zewei) has been linked to the notorious **Hafnium campaign**, which targeted Microsoft Exchange servers between February 2020 and June 2021. The operations are described as using a "largely indiscriminate approach", casting a wide net for vulnerable targets rather than selecting victims individually.
## Tactics, Techniques & Procedures
- Exploiting vulnerable computers after identifying them.
- Stealing information (general description).
- The broader Hafnium campaign involved exploiting **Microsoft Exchange servers**.
- *No specific MITRE ATT&CK IDs were mentioned in the provided text.*
## Targeting
- Sectors: **Universities/Research Institutions** (specifically those conducting COVID-19 research).
- Geography: **United States** (implied victim region for research theft and Exchange targeting).
- Victims: **American Universities** engaged in COVID-19 research.
## Tools & Infrastructure
- Malware families used: *None specifically detailed, but linked to the Hafnium campaign which utilized specific Exchange exploits.*
- Infrastructure (C2, domains, IPs): Shanghai Powerock Network Co. Ltd. is identified as the operational front company. No specific C2 details were provided.
## Implications
The implications center on the PRC's strategy of using ostensibly private entities (like Powerock) to conduct espionage, specifically targeting sensitive scientific research (COVID-19 data), while attempting to obscure direct state attribution. The actor was motivated by profit alongside state objectives. The successful arrest highlights ongoing interdiction efforts against these state-sponsored networks.
## Mitigations
- Specific defense recommendations were not detailed in the article; the implications, however, point towards hardening Internet-facing systems such as **Microsoft Exchange servers** against known compromise vectors (timely patching and reducing exposed attack surface).
- Monitoring networks for anomalous data exfiltration, including traffic that may be linked to contracted third-party vendors operating from China.