A highly coordinated cyberattack carried out by Chinese government-backed hackers has exposed major weaknesses in global cybersecurity, focusing on COVID-19 research at American universities and exploiting Microsoft Exchange servers across the globe.
The U.S. Justice Department recently announced the arrest of one of the key individuals involved, marking a breakthrough in efforts to combat state-sponsored cyber espionage.
Xu Zewei, a 33-year-old Chinese citizen, was arrested in Milan, Italy, on July 3, 2025, following a request for extradition by the United States. This marks one of the first instances in which the FBI has successfully apprehended a hacker linked to Chinese intelligence. Xu is facing a nine-count indictment along with another suspect, Zhang Yu, who is still at large.
The charges against Xu include conspiracy to commit wire fraud, unauthorized access to protected computers, intentional damage to protected systems, and identity theft. If convicted, he could receive a sentence of up to 77 years in prison.
Targeting COVID-19 Research
Between February 2020 and June 2021, Xu and his team carried out a deliberate campaign to steal vital COVID-19 research from U.S. institutions.
Working under the authority of China’s Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB), the hackers targeted American universities, virologists, and immunologists involved in vaccine and treatment development.
According to court filings, Xu informed his SSSB contact on February 19, 2020, that he had successfully breached the network of a research university in southern Texas. Three days later, he was instructed to focus on email accounts of researchers working on COVID-19, and later confirmed he had accessed their mailboxes.
The HAFNIUM Operation
By late 2020, the attackers expanded their efforts by exploiting previously unknown flaws in Microsoft Exchange Server, launching what came to be known as the “HAFNIUM” campaign.
This operation made use of four serious vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), enabling hackers to gain deep access to systems.
More than 60,000 U.S. organizations were compromised, with over 12,700 confirmed victims. These included universities, defense contractors, legal firms, and various government agencies.
The hackers installed web shells on infected servers, giving them remote access and allowing further movement across networks to collect more data.
By March 2021, roughly 250,000 servers worldwide had been affected. High-profile targets included the European Banking Authority, Norway’s Parliament, and Chile’s financial regulator.
Although Microsoft released emergency patches on March 2, 2021, the breaches had already spread widely. The FBI and CISA issued a joint warning urging organizations to check their systems.
In April 2021, the Justice Department carried out a court-approved operation to remove malicious web shells from hundreds of compromised computers in the U.S.
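As an added defender-side example, not taken from the article or from any vendor tooling, the following Python hunt scans a directory for recently modified .aspx files whose content matches common ASP.NET web shell heuristics, the kind of check organizations ran after the March 2021 warnings; the heuristics, file names, sample contents and time window are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Content heuristics for ASP.NET web shells: request input fed to an
# evaluation or process primitive, often in a JScript page (constructed list).
SUSPICIOUS = [
    re.compile(r"Request\s*(\.Item\s*)?\[", re.I),
    re.compile(r"\b(eval|unsafe|Process\.Start|cmd\.exe)\b", re.I),
    re.compile(r"<%@\s*Page\b[^%]*Language\s*=\s*\"JScript\"", re.I),
]

def score_file(path):
    """Count how many distinct heuristics a file matches."""
    try:
        with open(path, errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return 0
    return sum(1 for pat in SUSPICIOUS if pat.search(text))

def hunt(root, window_start, window_end, threshold=2):
    """Return sorted names of .aspx files under ROOT modified inside the
    time window that match at least THRESHOLD heuristics."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            if (name.lower().endswith(".aspx") and window_start <= mtime <= window_end
                    and score_file(full) >= threshold):
                hits.append(name)
    return sorted(hits)

def demo():
    """Constructed sample tree: one benign page, one shell-like stub inside
    the window, one shell-like stub outside it. Not real artefacts."""
    root = tempfile.mkdtemp()
    samples = {  # name -> (content, modification time as UTC datetime)
        "logon.aspx": ('<%@ Page Language="C#" %>\n<% var u = Request["user"]; %>',
                       datetime(2021, 3, 1, tzinfo=timezone.utc)),
        "supp0rt.aspx": ('<%@ Page Language="JScript" %>\n<% var c = Request.Item["x"]; %>',
                         datetime(2021, 3, 2, tzinfo=timezone.utc)),
        "old.aspx": ('<%@ Page Language="JScript" %>\n<% var c = Request.Item["x"]; %>',
                     datetime(2019, 6, 1, tzinfo=timezone.utc)),
    }
    for name, (body, when) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return hunt(root, datetime(2021, 2, 26, tzinfo=timezone.utc),
                datetime(2021, 3, 10, tzinfo=timezone.utc))
```

A real hunt would point `hunt()` at the Exchange web directories and widen the window to the exposure period; a file timestamp can be forged, so content matches matter more than the date filter.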