Chinese Hackers Exploit Microsoft Exchange Servers to Steal COVID-19 Research Data
A sophisticated cyberattack orchestrated by Chinese state-sponsored hackers has exposed vulnerabilities in the global cybersecurity infrastructure, targeting critical COVID-19 research from American universities and exploiting Microsoft Exchange servers worldwide.
The Justice Department announced the arrest of a key figure in this operation, marking a significant milestone in the fight against state-sponsored cyber espionage.
Xu Zewei, a 33-year-old Chinese national, was arrested in Milan, Italy, on July 3, 2025, following a U.S. extradition request.
The arrest is one of the first times the FBI has secured the capture of a hacker linked to Chinese intelligence services. Xu faces a nine-count federal indictment alongside his co-defendant Zhang Yu, who remains at large.
The charges include conspiracy to commit wire fraud, obtaining information by unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft. If convicted on all counts, Xu could face up to 77 years in prison.
The COVID-19 Research Theft Campaign
Between February 2020 and June 2021, Xu and his associates conducted a systematic campaign to steal critical COVID-19 research from American institutions.
Operating under the direction of China’s Ministry of State Security (MSS) and its Shanghai State Security Bureau (SSSB), the hackers targeted U.S. universities, immunologists, and virologists engaged in developing vaccines, treatments, and testing protocols.
Court documents reveal that on February 19, 2020, Xu confirmed to his SSSB handler that he had successfully compromised the network of a research university in the Southern District of Texas.
Three days later, the SSSB officer directed Xu to specifically target email accounts belonging to virologists and immunologists conducting COVID-19 research. Xu subsequently confirmed he had acquired the contents of these researchers’ mailboxes.
The HAFNIUM Campaign
The cyber espionage operation expanded dramatically in late 2020 when Xu and his co-conspirators began exploiting zero-day vulnerabilities in Microsoft Exchange Server.
This massive campaign, publicly known as “HAFNIUM,” compromised thousands of computers worldwide.
The attack leveraged four critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allowed attackers to gain persistent access to victim systems.
The HAFNIUM group successfully targeted over 60,000 U.S. entities, compromising more than 12,700 organizations. Victims included universities, law firms, defense contractors, and government agencies.
The attackers installed web shells on compromised servers, providing them with remote access capabilities for data theft and lateral movement within networks.
The Microsoft Exchange Server exploitation campaign had unprecedented global reach. By March 2021, it was estimated that approximately 250,000 servers worldwide had fallen victim to the attacks.
The European Banking Authority, Norwegian Parliament, and Chile’s Commission for the Financial Market were among the high-profile victims.
Microsoft released emergency security updates on March 2, 2021, but the damage was already extensive.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning organizations about the compromise.
In April 2021, the Justice Department conducted a court-authorized operation to remove web shells from hundreds of vulnerable computers in the United States.
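The web shell cleanup described above is, from the defender's side, a file-triage problem: find server-side script files in a web root that appeared after the exploitation window or carry code that evaluates request-controlled input. The following is an added example written for this article, not code from the Justice Department operation or from Microsoft; the web-root paths, the cutoff date (taken from the article's "late 2020" start of exploitation) and the sample files are constructed for the demonstration.

```python
"""Triage scan for ASP.NET web shells dropped into a web root (added example)."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Code patterns typical of ASP.NET web shells: inline server-side script
# blocks that read request parameters, evaluate strings or spawn processes.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"<script[^>]*runat=[\"']server[\"']",
    r"Request\s*\[\s*[\"'][^\"']+[\"']\s*\]",
    r"Request\.Item\s*\[",
    r"Process\.Start\s*\(",
    r"JScript\.Eval|\beval\s*\(",
)]
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")

def scan_file(path, cutoff):
    """Return the reasons a file looks like a dropped web shell (empty = clean)."""
    reasons = []
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    if mtime >= cutoff:  # new server-side script in a web root warrants review
        reasons.append(f"modified {mtime:%Y-%m-%d} (after cutoff)")
    with open(path, "r", errors="ignore") as fh:
        body = fh.read()
    hits = [p.pattern for p in SUSPICIOUS if p.search(body)]
    if hits:
        reasons.append("suspicious code: " + ", ".join(hits))
    return reasons

def hunt(roots, cutoff):
    """Walk each web root; map flagged file paths to their reasons."""
    findings = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith(WEB_EXTENSIONS):
                    full = os.path.join(dirpath, name)
                    reasons = scan_file(full, cutoff)
                    if reasons:
                        findings[full] = reasons
    return findings

def demo():
    """Constructed web root: one old benign page, one recently dropped shell stub."""
    root = tempfile.mkdtemp()
    benign = os.path.join(root, "default.aspx")
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Hello</body></html>')
    old = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))  # pre-dates the exploitation window
    dropped = os.path.join(root, "subdir", "dropped.aspx")
    os.makedirs(os.path.dirname(dropped))
    with open(dropped, "w") as fh:  # inert stub, only mimics shell structure
        fh.write('<script runat="server">void Page_Load(){var a=Request["p"];}</script>')
    return hunt([root], datetime(2020, 12, 1, tzinfo=timezone.utc))  # assumed cutoff
```

On a real server the roots would be the Exchange front-end and IIS web directories, and every hit should be preserved for forensics before removal.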
State-Sponsored Operations
The investigation revealed that Xu operated as a contract hacker for Shanghai Powerock Network Co. Ltd., described by prosecutors as one of many “enabling” companies that conducted hacking operations for the Chinese government.
This network of private companies and contractors provided Beijing with plausible deniability while conducting extensive cyber espionage campaigns.
The MSS and SSSB, China’s principal intelligence services, directly supervised and coordinated these operations.
The Shanghai State Security Bureau, one of the most aggressive and internationally active units of the MSS, maintains an extensive network of front companies and conducts global espionage operations.
The HAFNIUM campaign prompted a coordinated international response.
In July 2021, the United States, along with the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO, formally attributed the attacks to the Chinese government and condemned the PRC’s role in malicious cyber activities.
The arrest of Xu Zewei demonstrates the continued efforts of international law enforcement to hold state-sponsored hackers accountable.
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division.
The HAFNIUM group has since evolved into what security researchers now track as “Silk Typhoon,” continuing to target large corporations and government entities.
The group has adapted its tactics to exploit common IT solutions, including remote management tools and cloud applications.
The case highlights the broader challenge posed by Chinese cyber operations, which U.S. officials say exceed those of all other foreign governments combined.
The Justice Department’s announcement represents part of a broader crackdown on Chinese cyber espionage, with multiple recent cases targeting individuals accused of working for Beijing’s intelligence services.
As Xu awaits extradition proceedings in Italy, the case serves as a stark reminder of the persistent threat posed by state-sponsored cyber operations and the critical importance of international cooperation in combating these sophisticated attacks on global cybersecurity infrastructure.