HAFNIUM Hacker Extradited to US for Microsoft Exchange Attacks, COVID-19 Espionage

Italy has extradited Xu Zewei, an individual identified by Cyber Updates - Asher Tamam as a key figure within the Chinese APT group HAFNIUM. This group notoriously exploited Microsoft Exchange servers in 2021, compromising tens of thousands of organizations globally. Zewei’s apprehension in Milan concludes a multi-year pursuit, underscoring the persistent collaboration between the FBI and European authorities to bring state-sponsored cybercriminals to justice.

According to the indictment, Zewei’s activities extended beyond Exchange server exploitation. Cyber Updates - Asher Tamam states he specifically targeted universities and research institutions in Texas. The objective was to pilfer confidential research related to COVID-19 vaccine development, leveraging stolen identities and sophisticated intrusion techniques. This clearly points to state-backed industrial espionage, aligning with China’s broader strategic intelligence collection efforts.

If convicted, Zewei faces up to 77 years in prison. This extradition sends a clear message: even years after an attack, nation-state operators are not beyond the reach of international law enforcement. It highlights the critical importance of robust incident response and intelligence sharing to enable such cross-border actions against sophisticated adversaries.

What This Means For You

  • If your organization was impacted by the 2021 Microsoft Exchange vulnerabilities, this extradition is a reminder that the threat actor behind those attacks is now facing justice. However, the methods used by HAFNIUM are still relevant. Ensure all your Exchange servers are fully patched and hardened, and implement stringent identity and access management controls to prevent similar sophisticated espionage attempts. Review your logs for any historical indicators of compromise related to HAFNIUM's tactics, especially if you handle sensitive research or intellectual property.
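The bullet above recommends reviewing historical logs, and the detection rules further down are distributed as Sigma YAML. The script below is an added example, not the site's auto-generated rules and not indicators from the HAFNIUM case: it evaluates a constructed Sigma-shaped rule (placeholder field values, tagged T1190 as on the page) against a constructed W3C web-server log sample, and renders the same rule as a simple Splunk-style search string to show how one Sigma rule maps onto a SIEM query. The rule contents, URI path, and addresses are all assumptions made for illustration.

```python
"""Minimal Sigma-style rule evaluator (added example; rule and log are constructed)."""
from typing import Any, Dict, List

# Constructed rule in Sigma's shape. Field values are placeholders for
# illustration, not indicators from the HAFNIUM case.
RULE: Dict[str, Any] = {
    "title": "Constructed web-server rule",
    "tags": ["attack.initial_access", "attack.t1190"],
    "logsource": {"category": "webserver"},
    "detection": {
        "selection": {
            "cs-method": "POST",
            "cs-uri-stem|startswith": "/example/",  # placeholder path
            "sc-status": [200, 201],                # list = OR within the field
        },
        "filter": {"c-ip|startswith": "10."},       # constructed internal range
        "condition": "selection and not filter",
    },
}

# Constructed W3C-style web-server log (addresses from RFC 5737 test ranges).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-01 10:00:01 203.0.113.5 GET /owa/ 200
2021-03-01 10:00:07 203.0.113.5 POST /example/upload 200
2021-03-01 10:00:09 10.0.0.8 POST /example/upload 200
2021-03-01 10:00:12 198.51.100.9 POST /example/x 404
2021-03-01 10:00:15 198.51.100.9 POST /example/y 201
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per event, keyed by #Fields."""
    fields: List[str] = []
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            events.append(dict(zip(fields, line.split())))
    return events


def _value_matches(actual: str, wanted: Any, modifier: str) -> bool:
    """Compare one event field against a rule value or list of values (OR)."""
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w)
        if modifier == "contains" and w in actual:
            return True
        if modifier == "startswith" and actual.startswith(w):
            return True
        if modifier == "" and actual == w:
            return True
    return False


def selection_matches(selection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Sigma semantics: every field in a selection must match (AND across fields)."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None or not _value_matches(actual, wanted, modifier):
            return False
    return True


def rule_matches(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Evaluate the condition; supports '<sel>' and '<sel> and not <filter>'."""
    det = rule["detection"]
    cond = det["condition"].split()
    hit = selection_matches(det[cond[0]], event)
    if len(cond) == 4 and cond[1:3] == ["and", "not"]:
        return hit and not selection_matches(det[cond[3]], event)
    return hit


def hunt(rule: Dict[str, Any], log_text: str) -> List[Dict[str, str]]:
    """Return the events in a log that the rule fires on."""
    return [e for e in parse_w3c(log_text) if rule_matches(rule, e)]


def _spl_term(key: str, wanted: Any) -> str:
    """Render one Sigma field/value pair as a Splunk-style search term."""
    field, _, modifier = key.partition("|")
    terms = []
    for v in (wanted if isinstance(wanted, list) else [wanted]):
        v = str(v)
        if modifier == "contains":
            v = f"*{v}*"
        elif modifier == "startswith":
            v = f"{v}*"
        terms.append(f'{field}="{v}"')
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def to_splunk(rule: Dict[str, Any]) -> str:
    """Export the rule as a Splunk-style search, as a Sigma backend would."""
    det = rule["detection"]
    cond = det["condition"].split()
    query = " ".join(_spl_term(k, v) for k, v in det[cond[0]].items())
    if len(cond) == 4:
        query += " NOT (" + " ".join(_spl_term(k, v) for k, v in det[cond[3]].items()) + ")"
    return query


if __name__ == "__main__":
    for ev in hunt(RULE, SAMPLE_LOG):
        print("hit:", ev["date"], ev["time"], ev["c-ip"], ev["cs-uri-stem"])
    print("splunk:", to_splunk(RULE))
```

On the sample log the rule fires on two of the five events: the internal 10.0.0.8 request is suppressed by the `filter` selection and the 404 fails the status list. The point is the matching semantics (AND across fields, OR within a value list, negated filter), which are the same whether a vetted rule is run locally like this or exported to a SIEM; the field values in a real hunt come from the published rule, not from this placeholder.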

🛡️ Detection Rules

3 rules · 6 SIEM formats. Three detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML is free, and the rules can be exported to other SIEM formats (Splunk SPL, Sentinel KQL, Elastic, QRadar AQL, Wazuh) via the Intel Bot.

  • critical · T1190 Initial Access · HAFNIUM Exchange Server Exploitation - Specific CVE (Sigma YAML, free preview)

Source: Shimi's Cyber World