Xu Zewei, a 34-year-old Chinese national attributed by US prosecutors and intelligence officials to the Silk Typhoon APT group — formerly designated Hafnium by Microsoft — has been extradited from Italy to face charges in the Eastern District of Virginia. The extradition, completed April 28, 2026 following Xu’s arrest in Milan in November 2025, represents the first successful custodial transfer of a Silk Typhoon operator to US jurisdiction and the most significant individual accountability action against a Chinese MSS-affiliated hacking group since the 2014 PLA Unit 61398 indictments.
Background and Attribution
Silk Typhoon (formerly Hafnium) is assessed by Microsoft, NSA, and Five Eyes intelligence agencies as operating under the direction of the Chinese Ministry of State Security (MSS), specifically the MSS Shanghai Bureau’s cyber operations division. The group gained international attention in March 2021 for exploiting four Microsoft Exchange Server zero-days (ProxyLogon) to compromise over 250,000 servers globally, including US government agencies, defence contractors, law firms, and infectious disease research institutions.
US prosecutors allege that Xu Zewei participated in subsequent Silk Typhoon operations targeting:
- COVID-19 vaccine research (2020–2021): Intrusions into US, UK, and German pharmaceutical companies and research institutions during active vaccine development — timed to align with Chinese state interests in accelerating domestic vaccine programmes.
- Defence contractor IP theft (2021–2024): Sustained intrusions into US defence industrial base companies via compromised Exchange and SharePoint servers, including two companies with classified programme support roles.
- Financial sector reconnaissance (2024–2025): Persistent access to financial institutions’ treasury management systems, consistent with pre-positioning for potential economic disruption.
Significance of the Extradition
Legal accountability mechanism: Previous US indictments of Chinese state hackers — including the 2014 PLA Unit 61398 indictments and the 2020 MSS Chengdu Bureau charges — resulted in sealed indictments that carried symbolic weight but no prospect of arrest. Xu’s detention in Italy, facilitated through a US-Italy Mutual Legal Assistance Treaty (MLAT) request, demonstrates that Chinese cyber operators who travel internationally now face meaningful arrest risk.
Intelligence value: Extradited defendants provide direct human intelligence on operational procedures, tasking structures, and MSS cyber programme organisation. Xu’s cooperation — or lack thereof — will be observed closely by intelligence officials assessing the calculus of future China-nexus operator international travel.
Deterrence signal: The extradition arrives as part of a broader US Department of Justice “Disrupt, Deter, Defend” posture against state-sponsored cyber operations. Combined with the April 7 DOJ court-authorised disruption of APT28’s Operation Masquerade router network, the action signals a shift from symbolic indictments toward operational disruption and custodial accountability.
What This Means for Enterprise Defenders
For security operations teams, the extradition and associated court filing disclosures provide fresh threat intelligence on Silk Typhoon’s tradecraft:
Exchange and SharePoint remain primary vectors: The indictment describes Silk Typhoon’s continued reliance on Exchange Server and SharePoint vulnerabilities as initial access vectors through 2025 — including CVE-2026-32201 (the pre-auth SharePoint RCE covered in our April Patch Tuesday report). Organisations running on-premises Exchange or SharePoint should treat these as actively targeted and audit their patch status and exposure.
Long-term persistence via web shells: Silk Typhoon’s operational pattern involves deploying web shells on Exchange and SharePoint servers as persistent access mechanisms, often surviving server reboots and patch cycles if the web shell is not explicitly removed. Defenders should review web-accessible directories for unfamiliar .aspx and .ashx files, particularly in Exchange \OWA and \ECP paths.
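A baseline-and-diff review of the script files under those web roots is one practical way to act on this. The script below is an added example written for this article, not code from the article, the indictment, or Microsoft; it assumes a default on-premises Exchange install (it reads the ExchangeInstallPath environment variable that Exchange setup creates and falls back to the standard install directory), and the manifest path, the file-extension list, the triage patterns and the 30-day window are illustrative choices. It is run from an elevated PowerShell session on the Exchange server itself.

```powershell
<#
  Added example (not from the article): baseline-and-diff review of ASP.NET script
  files under the Exchange OWA/ECP web roots. Paths, manifest location, extension
  list and triage patterns are assumptions chosen for illustration.
  Usage: .\Review-ExchangeWebRoots.ps1 -Mode Baseline   (on a known-clean server)
         .\Review-ExchangeWebRoots.ps1 -Mode Compare    (on subsequent reviews)
#>
[CmdletBinding()]
param(
    # 'Baseline' writes a manifest of known-good files; 'Compare' diffs the live tree against it.
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed manifest location; any path the SOC controls and backs up will do.
    [string]$ManifestPath = 'C:\SecOps\exchange-webroot-baseline.json',
    # Files written within this window are flagged even if their hash matches the baseline.
    [int]$RecentDays = 30
)

# Exchange setup records its install directory in ExchangeInstallPath; fall back to the default.
$installRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
               else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# OWA and ECP are served from both the front-end (HttpProxy) and back-end (ClientAccess) sites.
# aspnet_client is included because it was a common drop location in the 2021 Exchange intrusions.
$webRoots = @(
    (Join-Path $installRoot 'FrontEnd\HttpProxy\owa'),
    (Join-Path $installRoot 'FrontEnd\HttpProxy\ecp'),
    (Join-Path $installRoot 'ClientAccess\owa'),
    (Join-Path $installRoot 'ClientAccess\ecp'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# Server-side script types that IIS will execute if dropped into these directories.
$scriptExtensions = @('.aspx', '.ashx', '.asmx')

function Get-WebScriptInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    LastWriteUtc = $_.LastWriteTimeUtc
                    Length       = $_.Length
                }
            }
    }
}

# Constructs commonly found in ASP.NET web shells. A match is a triage hint, not proof:
# it is only evaluated on files that already deviate from the baseline, to keep noise down.
$triagePatterns = @(
    'Request\[\s*"?[A-Za-z0-9_]+"?\s*\]',   # executes or echoes an attacker-supplied parameter
    'eval\s*\(',
    'Process\.Start',
    'cmd\.exe',
    'FromBase64String'
)

$inventory = @(Get-WebScriptInventory -Roots $webRoots)

if ($Mode -eq 'Baseline') {
    New-Item -ItemType Directory -Path (Split-Path $ManifestPath) -Force | Out-Null
    $inventory | ConvertTo-Json -Depth 3 | Set-Content -Path $ManifestPath
    Write-Host "Baseline written: $($inventory.Count) script files -> $ManifestPath"
    return
}

if (-not (Test-Path $ManifestPath)) {
    throw "No baseline at $ManifestPath; run with -Mode Baseline on a known-clean server first."
}
$baseline = @{}
foreach ($entry in (Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json)) {
    $baseline[$entry.Path] = $entry.Sha256
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)
$findings = foreach ($file in $inventory) {
    $reasons = @()
    if (-not $baseline.ContainsKey($file.Path))       { $reasons += 'not in baseline' }
    elseif ($baseline[$file.Path] -ne $file.Sha256)    { $reasons += 'hash changed since baseline' }
    if ($file.LastWriteUtc -gt $cutoff)                { $reasons += "written in last $RecentDays days" }
    if ($reasons.Count -gt 0) {
        $content = Get-Content -Path $file.Path -Raw -ErrorAction SilentlyContinue
        $hits = @($triagePatterns | Where-Object { $content -match $_ })
        if ($hits.Count -gt 0) { $reasons += "content matches: $($hits -join ' | ')" }
        [pscustomobject]@{ Path = $file.Path; LastWriteUtc = $file.LastWriteUtc; Reasons = ($reasons -join '; ') }
    }
}

if ($findings) {
    $findings | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No deviations from baseline under: $($webRoots -join ', ')"
}
```

Two design points matter in practice. The baseline must come from a server you have reason to believe is clean (ideally a fresh build at the same cumulative update), and it has to be re-taken after every Exchange update, because updates legitimately replace files under these roots and would otherwise show up as hash changes. Timestamps are the weaker signal: a dropped file can be timestomped, which is why the comparison keys on content hashes and treats the recent-write check only as a supplementary flag.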
Defence contractor and healthcare targeting: Organisations in the US defence industrial base or pharmaceutical sector should treat Silk Typhoon as an active threat. The indictment confirms sustained multi-year campaigns with significant dwell time — detection gaps, not prevention failures, were the primary enabler.