Chinese Hacker Extradited Over HAFNIUM‑Based Espionage Targeting COVID‑19 Research
What Happened – Chinese national Xu Zewei was extradited from Italy to the United States and charged with taking part in a state‑sponsored cyber‑espionage campaign that used the HAFNIUM Microsoft Exchange Server exploits to compromise thousands of computers worldwide and stole COVID‑19 vaccine and treatment research. Victims also included U.S. universities, a law firm with global offices, and other organizations.
Why It Matters for TPRM –
- State‑backed actors can use known vulnerabilities to harvest sensitive R&D from third‑party vendors and partners.
- Reliance on contractors or service providers whose ownership and tasking are opaque (here Shanghai Powerock Network, the firm Xu worked for) creates exposure that ordinary vendor due diligence may not surface.
- Exploitation of internet‑facing, on‑premises Exchange servers at this scale shows the ongoing risk of unpatched infrastructure in partner environments.
Who Is Affected – Higher‑education institutions, research labs, legal services, and any organization that hosted vulnerable Microsoft Exchange servers.
Recommended Actions –
- Verify that all third‑party vendors running on‑premises Exchange applied the March 2021 Exchange security updates (the ProxyLogon fixes) and maintain a patch‑management audit trail.
- Conduct a supply‑chain risk review of any contractors or service providers with ties to foreign state actors.
- Implement continuous monitoring of Exchange servers for web‑shell activity (unexpected .aspx files under the OWA and ECP virtual directories, and requests to them) and for anomalous remote‑administration sessions.
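As an added example (not code from the article, from Help Net Security, or from any organization named here), the following Python scans Exchange HttpProxy log lines for two ProxyLogon indicators: the ServerInfo~ value in the AnchorMailbox column that Microsoft's published guidance associates with CVE‑2021‑26855 SSRF requests, and requests for .aspx pages in the directories where HAFNIUM dropped web shells. The log lines are constructed and carry only a subset of the real HttpProxy columns; the parser keys on the #Fields: header rather than on column positions, so it works against real logs with the full column set. The allowlist of legitimate /owa/auth/ pages, the host name and the IP addresses are assumptions made for illustration.

```python
"""Scan Exchange HttpProxy log lines for ProxyLogon indicators.

Added example, not code from the article or from any party it describes.
Sample log lines are constructed and carry only a subset of the real
HttpProxy columns; parsing keys on the '#Fields:' header, not positions.
"""
import csv
from typing import Dict, List

# Constructed sample: a benign OWA logon, a CVE-2021-26855 SSRF probe whose
# AnchorMailbox was rewritten to a ServerInfo~ back-end reference, and a POST
# to a dropped web shell under /owa/auth/. Host and IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T08:00:00.000Z
#Fields: DateTime,UrlStem,Method,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-03T08:01:10.101Z,/owa/auth/logon.aspx,GET,,Mozilla/5.0,203.0.113.5,200
2021-03-03T08:02:31.517Z,/owa/auth/logon.aspx,POST,Sid~S-1-5-21-1,Mozilla/5.0,203.0.113.5,302
2021-03-03T08:07:44.203Z,/owa/auth/x.js,GET,ServerInfo~a]@exch01.corp.example:444/ecp/proxyLogon.ecp#~1941962753,python-requests/2.25.1,198.51.100.77,200
2021-03-03T08:09:02.880Z,/owa/auth/help.aspx,POST,,python-requests/2.25.1,198.51.100.77,200
"""

# Assumption: the only .aspx pages legitimately served from /owa/auth/.
OWA_AUTH_ALLOWLIST = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse HttpProxy CSV lines into dicts keyed by the '#Fields:' header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not fields:
            raise ValueError("data line before #Fields: header")
        values = next(csv.reader([line]))
        # Pad truncated lines so a short row never raises; extra columns are dropped.
        values += [""] * (len(fields) - len(values))
        rows.append(dict(zip(fields, values)))
    return rows


def is_ssrf_indicator(row: Dict[str, str]) -> bool:
    """CVE-2021-26855: AnchorMailbox rewritten to a ServerInfo~.../... back-end target."""
    anchor = row.get("AnchorMailbox", "")
    return anchor.startswith("ServerInfo~") and "/" in anchor


def is_webshell_request(row: Dict[str, str]) -> bool:
    """Request for an .aspx page where HAFNIUM dropped web shells."""
    stem = row.get("UrlStem", "").lower()
    if not stem.endswith(".aspx"):
        return False
    directory, _, page = stem.rpartition("/")
    directory += "/"
    if directory == "/owa/auth/":
        return page not in OWA_AUTH_ALLOWLIST
    # /aspnet_client/ serves static client scripts; any .aspx there is suspect.
    return directory.startswith("/aspnet_client/")


def _summary(row: Dict[str, str]) -> Dict[str, str]:
    return {
        "time": row.get("DateTime", ""),
        "ip": row.get("ClientIpAddress", ""),
        "method": row.get("Method", ""),
        "stem": row.get("UrlStem", ""),
        "anchor": row.get("AnchorMailbox", ""),
    }


def scan(text: str) -> List[Dict[str, str]]:
    """Return one finding per matched rule, in log order."""
    findings: List[Dict[str, str]] = []
    for row in parse_httpproxy_log(text):
        if is_ssrf_indicator(row):
            findings.append({"rule": "CVE-2021-26855-ssrf", **_summary(row)})
        if is_webshell_request(row):
            findings.append({"rule": "webshell-aspx", **_summary(row)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Point scan() at the concatenated files under the Exchange Logging\HttpProxy directory (Owa, Ecp and Autodiscover subfolders) rather than at the sample; a hit on the SSRF rule dates the intrusion attempt, and a hit on the web‑shell rule means patching alone was not enough and the server needs forensic review.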
Technical Notes – The attackers exploited CVE‑2021‑26855 (a server‑side request forgery) together with the other ProxyLogon flaws (CVE‑2021‑26857, CVE‑2021‑26858 and CVE‑2021‑27065) to install persistent web shells on Exchange servers, then used stolen credentials to exfiltrate research data. Patching closes the entry point but does not remove a web shell that was already dropped, so patch verification and web‑shell hunting are separate checks. The campaign is linked to the broader HAFNIUM espionage group, which operates at the direction of China’s Ministry of State Security. Source: Help Net Security