Skip to main content
Threat IntelligenceEmerging Threats

China Hacker Extradited Over Silk Typhoon Cyber Attacks

Person walks into a courtroom with a blurred government seal in the background.

More than 12,700 U.S. organizations were affected, according to the FBI — a number that frames the scale of a campaign U.S. prosecutors now say was driven, in part, by agents of a foreign intelligence service.

Xu Zewei extradited to the United States; charges and Houston court appearance

The Department of Justice reported that Xu Zewei, a 34-year-old Chinese national, was extradited to the United States and appeared in federal court in Houston over the weekend. Xu is charged in connection with a series of intrusions between February 2020 and June 2021. Prosecutors have filed counts including wire fraud, unauthorized access to protected computers, and identity theft — each charge carrying a potential sentence of two to 20 years in prison. The DoJ also noted that a co-defendant, Zhang Yu, remains at large.

Alleged direction from the Ministry of State Security and use of a private contractor

Court filings allege Xu acted under the direction of China’s Ministry of State Security (MSS), including the MSS’s Shanghai branch. Prosecutors say Xu worked through Shanghai Powerock Network Co. Ltd., described in filings as a private contractor that operated within a broader ecosystem used to obscure government involvement in cyber operations. The indictment, and statements attributed to U.S. officials in the filings, portray these contractor networks as operating with both state direction and financial incentives — collecting a wide set of data that could be useful to government intelligence or sold onward if not directly valuable.

Targeting COVID-19 researchers: the February 2020 intrusion into a Texas university

Investigators say the earliest activities attributed to Xu focused on U.S. universities and researchers engaged in pandemic-related science. In February 2020, according to prosecutors, Xu accessed a Texas university network and was later instructed to extract emails belonging to virologists and immunologists studying COVID-19. Authorities allege the mailbox data taken included sensitive research related to vaccines, treatments, and testing. The filings state that MSS officers directed targeting priorities and received updates on compromised systems.

Silk Typhoon (also tracked as Hafnium), Exchange Server exploitation, and persistent access

Later in 2020, prosecutors allege the operation expanded to exploit vulnerabilities in Microsoft Exchange Server. Microsoft publicly disclosed the campaign in March 2021 under the label Hafnium; U.S. authorities and the indictment use the name Silk Typhoon as well. The FBI has said the campaign affected more than 12,700 U.S. organizations. Attackers reportedly deployed web shells on compromised servers to maintain persistent remote access and to exfiltrate data. Even after Microsoft released patches, prosecutors said hundreds of systems remained exposed. Among the alleged victims were another U.S. university and a global law firm; filings state attackers searched stolen emails for references to U.S. policymakers and agencies using search terms tied to Chinese intelligence interests.

What this means for U.S. universities, a global law firm, and security teams

  • U.S. universities: Institutions named in the filings will likely reassess how research mailboxes and collaborative systems were protected during the pandemic period; prosecutors’ allegations that attackers sought virologists’ and immunologists’ mailboxes underscore the risks to academic research data during public-health emergencies.
  • A global law firm: The inclusion of a multinational law firm among alleged victims highlights the potential for reputational and client-data exposure when web shells or similar persistent access are left unremediated after vendor patches are released.
  • Security teams: The case underscores a recurring operational pattern described in the indictment — state-directed targeting coordinated through private contractors, use of web shells for persistence, and continued exposure after patches — all factors that security teams cited in court filings and agency statements must now factor into threat assessments and incident response planning.

The DoJ’s filing paints a portrait of a campaign mixing government direction and commercial actors, and of attacks that ranged from targeted searches of researchers’ mailboxes to broad exploitation of server vulnerabilities. U.S. authorities emphasize that the allegations in the indictment remain unproven and that the defendant is presumed innocent unless found guilty in court. Xu’s extradition and initial appearance in Houston mark the opening of a legal chapter that will test how the evidence laid out in those filings holds up in federal court.

Source: Infosecurity Magazine — Chinese National Extradited Over Silk Typhoon Cyber Campaign