Alleged Silk Typhoon Hacker Extradited to US for Cyberespionage

What happened

A Chinese national accused of conducting cyberespionage operations on behalf of China’s Ministry of State Security has been extradited from Italy to the United States to face criminal charges. Xu Zewei was arrested in Milan in 2025 at the request of US authorities and has now appeared in federal court.

According to the Department of Justice, Xu allegedly operated as a contract hacker for the MSS’s Shanghai State Security Bureau, conducting intrusions between February 2020 and June 2021 while employed at Shanghai Powerock Network Co., Ltd., described by prosecutors as one of multiple front companies used to carry out hacking on behalf of the Chinese government. The DOJ alleges that MSS officers directed Xu’s operations.

The indictment links Xu to the Silk Typhoon hacking group, also known as Hafnium, which exploited vulnerabilities in internet-facing systems to gain initial access, performed internal reconnaissance, deployed malware, and exfiltrated data. Alleged targets include COVID-19 research organizations, where the attackers sought data on vaccines, treatments, and testing. Xu and co-conspirators are also alleged to have exploited Microsoft Exchange Server zero-day vulnerabilities beginning in late 2020, deploying web shells that enabled mailbox access, lateral movement, and data exfiltration across thousands of organizations globally before Microsoft had released patches.

Xu faces multiple counts related to computer intrusions and conspiracy.

Who is affected

The confirmed victim categories include COVID-19 research organizations and the broad population of organizations running vulnerable Microsoft Exchange Server instances during the 2020 to 2021 period, which numbered in the thousands globally. The Exchange exploitation campaign was widespread enough to constitute a mass-scale intrusion event rather than targeted individual operations.

Why CISOs should care

The Xu extradition is one of the clearest public illustrations of how Chinese state-sponsored cyber operations are structured. MSS officers direct operations, contracted hackers execute them through nominally private companies, and the arrangement provides the Chinese government with plausible distance from the activity. That model has been documented across multiple prosecutions now and is well established enough to inform how organizations should think about the threat.

The Exchange zero-day exploitation at the center of this case also remains relevant. Organizations that ran Exchange Server during that window and have not conducted a thorough post-incident forensic review should consider whether persistent access from that period was ever fully remediated.

3 practical actions

  1. Review Exchange Server forensic history for organizations that ran on-premises Exchange during 2020 to 2021: The Hafnium Exchange exploitation campaign was one of the most widespread intrusion events of that period. Organizations that have not conducted a thorough review of web shell deployment, mailbox access, and lateral movement activity from that window should do so, particularly if sensitive research, government, or defense data was held in those environments.
  2. Map your organization’s threat model against MSS-linked group targeting patterns: Silk Typhoon and related MSS-affiliated groups have consistently targeted healthcare research, defense, government, and technology sectors. Security leaders in these industries should ensure their detection and hunting capabilities are calibrated for the TTPs associated with this cluster of activity.
  3. Track contractor and front company indicators in threat intelligence programs: The use of nominally private companies like Powerock as operational fronts is a documented pattern across multiple Chinese APT prosecutions. Threat intelligence programs should include tracking of known MSS contractor infrastructure and indicators, not just the technical TTPs of the hacking groups themselves.
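A starting point for the forensic review in action 1 is the IIS W3C log that every on-premises Exchange front end writes: a web shell dropped under an Exchange virtual directory shows up as POST requests to an .aspx page that a stock install does not contain. The script below is an added example, not code from the article, the DOJ filings, or Microsoft; the watched directories are the front-end locations widely reported as Hafnium web shell drop points, the allowlist of legitimate pages is an assumption an operator should tune against a known-good install, and the log excerpt is constructed.

```python
"""Hunt IIS W3C logs for web shell activity under Exchange front-end paths.

Added example, not code from the article or the DOJ filings. Watched
directories and the allowlist of legitimate pages are assumptions to tune
against a known-good Exchange install; the log excerpt is constructed.
"""
from collections import Counter

# Front-end directories where Hafnium-style web shells were reported dropped.
WATCHED_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
# Pages a stock install legitimately serves under those paths (assumption; tune it).
KNOWN_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}

# Constructed IIS W3C excerpt: one legitimate logon, then an operator posting to
# two dropped .aspx files from a scripting client, then an unrelated logon.
CONSTRUCTED_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 09:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-02 09:14:09 10.0.0.5 POST /owa/auth/Current/themes/resources/shell.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 09:15:22 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 09:15:40 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 09:16:03 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 302
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; re-read it
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than misalign
        yield dict(zip(fields, values))


def is_suspicious(entry):
    """POST to an .aspx page under a watched directory that a stock install lacks."""
    stem = entry["cs-uri-stem"].lower()
    if not stem.endswith(".aspx") or not stem.startswith(WATCHED_DIRS):
        return False
    page = stem.rsplit("/", 1)[-1]
    return entry["cs-method"] == "POST" and page not in KNOWN_PAGES


def hunt(text):
    """Group suspicious POSTs by page: when first seen and which clients drove them."""
    findings = {}
    for entry in parse_w3c(text):
        if not is_suspicious(entry):
            continue
        stem = entry["cs-uri-stem"].lower()
        finding = findings.setdefault(
            stem, {"first_seen": f'{entry["date"]} {entry["time"]}', "sources": Counter()}
        )
        finding["sources"][entry["c-ip"]] += 1
    return {stem: {"first_seen": f["first_seen"], "sources": dict(f["sources"])}
            for stem, f in findings.items()}


if __name__ == "__main__":
    for stem, finding in hunt(CONSTRUCTED_LOG).items():
        print(stem, finding["first_seen"], finding["sources"])
```

Run it against the real logs under the Exchange logging directory rather than the constructed excerpt; a hit on a page not in the allowlist is a lead, not a verdict, so pull the file's creation time and contents before calling it a web shell, and treat the first_seen timestamp as the earliest point from which mailbox access and lateral movement need to be reconstructed.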
