Chinese national extradited to US over Silk Typhoon hacking campaign
Gugu Ntsele April 29, 2026
A Chinese national accused of hacking US universities, COVID-19 researchers, and a global law firm under the direction of China's intelligence services has been extradited from Italy to face charges in a federal Houston court.
What happened
Xu Zewei, 34, appeared in US District Court in Houston on a nine-count indictment covering computer intrusions carried out between February 2020 and June 2021. Prosecutors allege he acted under the direction of China's Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB), and operated through a private contracting company, Shanghai Powerock Network Co. Ltd. The intrusions include attacks on US universities and COVID-19 researchers during the height of the pandemic, as well as exploitation of Microsoft Exchange Server vulnerabilities as part of the Silk Typhoon campaign. His co-defendant, Zhang Yu, 44, also a PRC national, remains at large. Xu was arrested in Milan and extradited to the US with the assistance of Italian law enforcement.
The backstory
In March 2021, Microsoft publicly disclosed an intrusion campaign by state-sponsored hackers operating out of China, known as HAFNIUM, now also tracked as Silk Typhoon. Microsoft and industry partners released detection tools, patches, and guidance to help affected organizations respond. On March 10, 2021, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on the compromise of Microsoft Exchange Server. Despite these efforts, hundreds of web shells remained on vulnerable US-based systems by the end of that month.
Going deeper
The attacks unfolded in two distinct phases. In early 2020, Xu and co-conspirators targeted US universities and researchers working on COVID-19 vaccines, treatments, and testing. SSSB officers directed specific targeting, including identifying which researchers' email accounts to access. Xu confirmed successful intrusions to his handlers and delivered stolen mailbox contents on request.
Starting in late 2020, the operation shifted toward exploiting vulnerabilities in Microsoft Exchange Server. Xu and his co-conspirators installed web shells on compromised servers, allowing persistent remote access. Among the victims were a Texas university and a global law firm. Stolen emails were searched using terms including "Chinese sources," "MSS," and "HongKong," suggesting the operation was gathering intelligence on US policymakers and agencies.
What was said
Assistant Attorney General for National Security John A. Eisenberg said, "The United States is committed to pursuing hackers who steal information from U.S. businesses and universities and threaten our cybersecurity," adding that he commended the prosecutors and investigators who worked on the case for years.
Acting US Attorney John G.E. Marck for the Southern District of Texas noted the significance of the charges, saying the case involved crimes that "struck at the heart of American science and security." He added that his office had "pursued this moment across years and continents," and that the message sent by the extradition is the same as when the indictment was first unsealed: "we will work to protect the American people."
FBI Cyber Division Assistant Director Brett Leatherman said the extradition demonstrates that the bureau's reach extends beyond US borders. He noted that Xu would now answer for his alleged role in HAFNIUM, describing the campaign as responsible for compromising more than 12,700 US organizations under the direction of China's Ministry of State Security. Leatherman also warned that others operating in the same way "face the same risk," and thanked Italian law enforcement for their partnership in securing Xu's arrest in Milan.
In the know
A web shell is a malicious script that attackers upload to a compromised web server, giving them persistent remote access. Once installed, a web shell allows hackers to execute commands, move through a network, and exfiltrate data. In the HAFNIUM campaign, web shells served as backdoors that kept US systems exposed even after Microsoft released fixes. This is why hundreds of organizations remained vulnerable weeks after the public disclosure.
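The web shell description above, and the recommendation later on this page to audit for dormant web shells, can be turned into a simple defensive check. The following is an added example, not code from the article or from any vendor tool: it walks a web content directory, flags server-side script files that both read request input and reference an execution primitive, and reports their last-modified time so responders can triage files that predate or postdate patching. The directory layout, file names and file contents it builds are constructed for the demonstration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic markers. A script that reads attacker-controlled request input AND hands
# it to an execution primitive deserves a human look. Illustrative, not exhaustive.
INPUT_MARKERS = re.compile(
    r'Request(?:\.Item)?\s*\[|Request\.Form|\$_(?:GET|POST|REQUEST)', re.I)
EXEC_MARKERS = re.compile(
    r'\beval\s*\(|ProcessStartInfo|cmd\.exe|Runtime\.getRuntime\(\)\.exec'
    r'|shell_exec|\bsystem\s*\(', re.I)
SCRIPT_EXT = {'.aspx', '.ashx', '.asmx', '.php', '.jsp'}


def audit_web_shells(root):
    """Return [(path, last_modified_utc_iso, reason)] for suspicious script files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'r', encoding='utf-8', errors='ignore') as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole audit
            if INPUT_MARKERS.search(text) and EXEC_MARKERS.search(text):
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                findings.append((path, mtime.isoformat(), 'request input reaches exec primitive'))
    return findings


def build_constructed_sample():
    """Create a temp tree with a benign page and one constructed (non-functional) suspicious file."""
    root = tempfile.mkdtemp(prefix='webroot_audit_')
    os.makedirs(os.path.join(root, 'auth'))
    with open(os.path.join(root, 'auth', 'logon.aspx'), 'w', encoding='utf-8') as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    with open(os.path.join(root, 'auth', 'error_page.aspx'), 'w', encoding='utf-8') as fh:
        # Constructed marker only: reads a parameter and mentions eval in a comment.
        fh.write('<%@ Page Language="C#" %>\n<% string c = Request["cmd"]; /* eval(c) */ %>\n')
    return root


if __name__ == '__main__':
    for path, modified, reason in audit_web_shells(build_constructed_sample()):
        print(f'{modified}  {path}  ({reason})')
```

Run it against a copy of the web root (for example an exported OWA/ECP content directory) rather than the live server, and compare flagged modification times against the patch date of the environment.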
The MSS contractor model refers to the PRC's documented practice of directing private Chinese technology companies to conduct offensive cyber operations on behalf of state intelligence services, allowing the government to obscure its direct involvement.
Why it matters
This case is notable because stealing COVID-19 research did not just benefit Chinese intelligence; it potentially slowed or complicated the global scientific response during a public health emergency.
Since these groups operate by harvesting anything and selling what the government doesn't want, the secondary market for stolen data creates risks besides the original espionage target. Healthcare organizations, universities, and law firms that were never the primary intelligence target can still end up with their data circulating among criminal buyers.
The bottom line
The Silk Typhoon campaign shows that state-sponsored cyber operations cut across espionage, commercial crime, and public health risk. The extradition of Xu Zewei, years after the original intrusions, signals that the US intends to pursue these cases regardless of timeline or geography. Organizations should audit for dormant web shells, review incident response plans for Exchange Server environments, and treat research data, including email, as high-value protected information.
FAQs
What is the Silk Typhoon hacking group?
Silk Typhoon (also tracked as HAFNIUM) is a Chinese state-sponsored cyber espionage group attributed to China's Ministry of State Security.
How does the MSS contractor model work?
China's Ministry of State Security directs private Chinese technology companies to conduct hacking operations on its behalf, allowing the government to maintain plausible deniability.
What is a web shell and why is it dangerous?
A web shell is a malicious script planted on a compromised server that gives attackers persistent remote access, meaning they can continue to operate inside a network long after the original vulnerability has been patched.