Chinese State‑Backed Hacker Extradited to U.S. Over Massive Microsoft Exchange Zero‑Day Campaign
What Happened – A 34‑year‑old Chinese national, identified as Xu Zewei and an alleged member of the Hafnium (“Silk Typhoon”) group, was extradited from Italy to the United States. He faces federal charges for a 2020‑2021 campaign that leveraged previously unknown vulnerabilities in Microsoft Exchange Server to infiltrate more than 60,000 U.S. organizations.
Why It Matters for Third‑Party Risk Management (TPRM) –
- State‑sponsored actors continue to weaponize zero‑days against a broad set of critical‑infrastructure and research entities.
- The case highlights the legal risk of third‑party vendors that may be covertly linked to foreign intelligence services.
- Ongoing investigations can surface hidden supply‑chain exposures that affect downstream customers.
Who Is Affected – Defense contractors, law firms, think tanks, universities and other research institutions that run internet‑facing Microsoft Exchange servers.
Recommended Actions –
- Verify that any third‑party service provider (e.g., managed email, cloud hosting) has no ties to sanctioned entities.
- Conduct a rapid Exchange Server inventory and apply all Microsoft security patches, including the 2021 zero‑day mitigations.
- Review incident‑response contracts for state‑actor attribution and ensure legal‑hold procedures are in place.
Technical Notes – The Silk Typhoon campaign exploited a chain of zero‑day vulnerabilities in Microsoft Exchange Server (CVE‑2021‑26855, CVE‑2021‑26857, CVE‑2021‑26858, CVE‑2021‑27065). Attackers gained persistent access, enabling credential theft and data exfiltration.
Source: Bitdefender Blog