(Texas Scorecard) – Two Chinese nationals allegedly hacked into U.S. research centers—including multiple facilities in Houston—during the early months of the pandemic, aiming to extract sensitive COVID-19 data for the Chinese government.

On Tuesday, the two Chinese nationals were named in a newly unsealed nine-count indictment from the U.S. Attorney’s Office for the Southern District of Texas. Xu Zewei, 33, and Zhang Yu, 44, are accused of carrying out U.S.-based computer intrusions between February 2020 and June 2021 at the direction of the Shanghai State Security Bureau (SSSB), a division of China’s Ministry of State Security.

Nicholas Ganjei, U.S. Attorney for the Southern District of Texas, stated, “The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins.”

The indictment claims the two men breached systems at two Houston universities and multiple research institutions in North Carolina, gaining unauthorized access to sensitive COVID-19 research.

Beginning in early 2020—before widespread outbreaks in the U.S. and while the Chinese government was reportedly downplaying the severity of the virus—Xu and Zhang exploited vulnerabilities in Microsoft Exchange Server, a widely used platform for managing email communications. Their targets included America’s top virologists and immunologists working on vaccines, treatment protocols, and testing for COVID-19.

On or around February 19, 2020, Xu allegedly informed an SSSB officer that he had gained access to a research university’s internal network. Just days later, the officer instructed Xu to specifically target email accounts tied to COVID-19 research and deliver the contents to the SSSB.

Their intrusions were part of a much larger global campaign known as HAFNIUM, which compromised thousands of systems worldwide.

The two men reportedly accessed sensitive mailboxes containing U.S. government and policymaker communications, including files from a Washington, D.C.–based law firm. The indictment states they also deployed web shells on compromised machines, giving them long-term remote access and administrative control.

Douglas Williams, special agent in charge at the FBI’s Houston office, said, “While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development.”

Just last week, Xu was arrested while disembarking from a flight in Milan, Italy, and is now awaiting extradition to the United States. Zhang remains at large and is believed to be in China.

According to the indictment, Xu faces:

  • Two counts of wire fraud and conspiracy – each carries a maximum sentence of 20 years.
  • Conspiracy to damage protected computers – carries a maximum penalty of 10 years.
  • Unauthorized access – carries a penalty of five years per count.
  • Identity theft – carries a possible penalty of two years.

Each charge must run consecutively to other prison terms. Convictions could also carry fines of up to $250,000 per count.

This isn’t the first time Houston-based research institutions have drawn attention for links to the Chinese government. In 2019, MD Anderson Cancer Center fired three scientists over concerns of research theft. At the time, the National Institutes of Health had flagged five employees for failing to report foreign affiliations or income.

Just last week, Chinese nationals were arrested for allegedly conducting surveillance on U.S. Navy facilities. One of the operations involved photographing license plates and collecting identifying details on Navy personnel stationed at the Naval Special Warfare Command in San Diego. One of the men involved in that case, Liren “Ryan” Lai, was arrested in Houston.