"According to court documents, officers of the PRC's Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking," the DOJ said.
DOJ extradites Xu Zewei from Milan to face U.S. charges
A Chinese national, Xu Zewei, has been extradited from Italy to the United States to face criminal charges accusing him of carrying out cyberespionage operations on behalf of China's intelligence services, the Department of Justice announced. According to the DOJ, Xu was arrested in Milan in 2025 at the request of U.S. authorities and is expected to appear in federal court, where he faces multiple counts related to computer intrusions and conspiracy.
Alleged campaign timeline and targets: February 2020 to June 2021; COVID-19 research
The indictment links Xu to a coordinated intelligence-gathering campaign carried out between February 2020 and June 2021. U.S. prosecutors say the intrusions targeted organizations conducting COVID-19 research, with attackers allegedly seeking data on vaccines, treatments, and testing. The DOJ’s description frames these breaches as deliberate efforts to obtain scientific and public-health information during the pandemic period.
Microsoft Exchange Server zero-days and web shells
Prosecutors allege Xu and co-conspirators exploited Microsoft Exchange Server zero-day vulnerabilities beginning in late 2020 as part of a widespread campaign to compromise email servers and gain access to victim networks. After breaching vulnerable Exchange servers, the attackers reportedly deployed web shells that permitted mailbox access, lateral movement inside networks, and exfiltration of data. The DOJ notes that the widespread exploitation led to global incidents impacting thousands of organizations before patches were fully available.
Silk Typhoon (Hafnium) attribution and the role of Powerock
The indictment associates Xu with attacks attributed to the Silk Typhoon hacking group, also known as Hafnium. According to the DOJ, Silk Typhoon operators exploited internet-facing systems to gain initial access, then performed reconnaissance, deployed malware, and stole data from victim networks. Prosecutors further allege Xu and a co-defendant operated as contracted hackers under the direction of MSS officials and that when Xu carried out the intrusions he worked for a company named Shanghai Powerock Network Co., Ltd. (Powerock). The DOJ described Powerock as one of many firms used to carry out hacking operations on behalf of the Chinese government.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The charges underscore the threat posed by exploitation of internet-facing services and the speed with which web shells and lateral-movement techniques can be used after initial compromise. Teams running Microsoft Exchange Server and similar mail infrastructure will prioritize verifying patches, hunting for web shells, and reviewing historical logs for signs of late-2020 intrusions.
- Policymakers and regulators: The DOJ’s public attribution that officers of the MSS Shanghai State Security Bureau directed the activity places state-directed espionage at the center of legal and diplomatic measures. Extradition from Italy and a U.S. prosecution signal a willingness to pursue cross-border law enforcement responses to alleged intelligence-linked cyber activity.
- Affected enterprises and procurement leaders: Organizations whose networks hosted Exchange servers or that conducted COVID-19-related research are singled out by the indictment. They will need to reconcile incident response histories from the relevant period (February 2020–June 2021) with forensic findings and any disclosures prompted by the DOJ’s allegations.
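For the web-shell hunting and historical-log review mentioned under the first bullet, the following is an added example (not from the article, the indictment, or any vendor tooling) that parses IIS W3C logs exported from an Exchange server and flags successful requests to .aspx pages under the OWA/ECP paths that are not on an allowlist. The watched paths, the allowlist, the default date window and the log lines are constructed assumptions to be replaced with values from your own environment.

```python
from collections import Counter
from datetime import date

# Exchange web directories where a dropped .aspx page would be served from.
# Assumption: extend with the paths your own Exchange build exposes.
WATCHED_PREFIXES = ("/owa/auth/", "/aspnet_client/", "/ecp/")

# Illustrative allowlist of .aspx resources that legitimately live under those paths.
# Assumption: build the real list from a clean server of the same Exchange build.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}

# Constructed sample log, not real telemetry; column order follows its #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 08:14:11 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0 200
2021-03-02 08:15:03 10.0.0.5 POST /owa/auth/abc123.aspx - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-02 08:15:04 10.0.0.5 POST /owa/auth/abc123.aspx - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-02 08:16:40 10.0.0.5 GET /aspnet_client/system_web/x.aspx - 443 - 203.0.113.7 - 404
2021-03-02 08:17:00 10.0.0.5 GET /owa/ - 443 jdoe 192.0.2.11 Mozilla/5.0 200
"""

def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the log's own #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_suspicious(rec, window):
    """A successful request to an unrecognised .aspx under a watched prefix, inside the window."""
    stem = rec["cs-uri-stem"].lower()
    if not (stem.endswith(".aspx") and stem.startswith(WATCHED_PREFIXES)):
        return False
    if stem in KNOWN_ASPX or rec["sc-status"] != "200":
        return False
    return window[0] <= date.fromisoformat(rec["date"]) <= window[1]

# Default window is an assumption covering late 2020 through the June 2021 end of the campaign.
def hunt(log_text, window=(date(2020, 10, 1), date(2021, 6, 30))):
    """Count suspicious requests per (client IP, URI) so repeated shell interaction stands out."""
    hits = Counter()
    for rec in parse_w3c(log_text):
        if is_suspicious(rec, window):
            hits[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return hits
```

Run `hunt(open("u_ex210302.log").read())` against each exported log and review the highest counts first; a 404 probe filter or a User-Agent check can be added to `is_suspicious` if the environment warrants it.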
Xu’s extradition and the details set out in the indictment crystallize the U.S. criminal case: alleged MSS direction, use of a commercial front (Powerock), exploitation of zero-day Exchange vulnerabilities, deployment of web shells, and targeting of pandemic-related research. Xu faces multiple counts in federal court; the public record now documents a specific, time-bounded campaign and the legal pathway the United States has taken to hold an individual accountable.
Source: BleepingComputer — Alleged Silk Typhoon hacker extradited to US for cyberespionage