The extradition to the United States from Italy of Xu Zewei, accused of belonging to the hacker group known in the press as Silk Typhoon and linked by the authorities to operations directed by the Shanghai State Security Bureau (SSSB) of China's Ministry of State Security, once again draws attention to a known but increasingly complex reality: the blend of geopolitics, private companies acting as "enablers", and the direct impact on sensitive research, universities and public agencies.
According to the prosecution, the acts attributed to Xu took place between February 2020 and June 2021 and include intrusions into Belgian university systems to steal information on COVID-19 vaccines, as well as the exploitation of critical vulnerabilities in Microsoft Exchange Server that allowed web shells to be deployed for remote control. These vulnerabilities, publicly documented as part of the exploit chain used by the actor that Microsoft tracks as Hafnium, triggered a massive mitigation response in early 2021 and remain a case study in how a single vector can affect thousands of organizations. More technical details are available in the CVE register and in Microsoft's analysis of the Hafnium campaign: CVE-2021-26855 and the Microsoft report on Hafnium.

From a legal and diplomatic standpoint, the extradition from Italy, where the accused was arrested while on holiday, underlines the capacity for international cooperation in cybercrime cases with state implications, but it also raises questions about evidence, the right to a defence and the risk of politicization. Xu has denied his participation and his lawyer confirmed that he pleaded not guilty; the presumption of innocence and scrutiny of the evidence will be key to preventing the case from becoming a political indictment.
For the academic sector and research organizations the lesson is clear: biomedical research and academic infrastructure are high-value targets for actors seeking strategic advantage. Protecting these environments requires not only patches and updates, essential after incidents such as Exchange, but measures that are sustainable over time: network segmentation, strict control of remote access, verified backups, and protocols for managing credentials and third-party access. In practical terms, the technical recommendations that circulated after the 2021 wave of exploitation still apply and must be part of institutional cybersecurity governance.

Beyond technical measures, there are political and economic implications: using domestic companies for covert operations complicates attribution and lowers the threshold between intelligence activity and criminal offences, causing diplomatic tensions and potential policy or punitive reprisals. The international community and policy makers must balance the punitive response with mechanisms that reduce the scale and impact of these operations, including transparency agreements on the security of critical infrastructure and channels for judicial and police cooperation.
If you manage critical systems or sensitive research, act now: make sure mail servers and collaboration platforms are up to date with patches, enable multifactor authentication on all administrative accounts, deploy anomaly detection and hunt for indicators of compromise related to web shells, and coordinate with local authorities and security providers on any suspected intrusion. For individual users, keeping software up to date, using a password manager and MFA, and monitoring official incident communications reduce the risk of becoming a vector for a larger attack.
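One way to start the web shell hunt recommended above is a heuristic triage of ASP.NET files under the web roots, flagging scripts that couple request input with code execution. This is an added example for this article, not code from the source or from Microsoft; the regexes, thresholds and the two fixture files (a benign logon form and a minimal shell-shaped script) are constructed for illustration, and any real hunt should combine this with file modification times and Microsoft's published indicators.

```python
import re, tempfile
from pathlib import Path

# A web shell couples attacker-controlled request input with code execution in one
# script; legitimate pages rarely do both in a small inline block. Heuristics only.
INPUT_PATTERNS = [
    re.compile(r'Request\s*\[\s*"[^"]+"\s*\]'),            # Request["x"]
    re.compile(r'Request\.(Form|QueryString|Headers)\b'),  # Request.Form["x"]
]
EXEC_PATTERNS = [
    re.compile(r'\bProcess\b[\s\S]*?\bStart\s*\('),         # spawns a process
    re.compile(r'\bEval\s*\(|\bExecute(Global)?\s*\('),     # script-engine evaluation
    re.compile(r'File\.WriteAll(Bytes|Text)\s*\('),         # drops files to disk
]
EXTENSIONS = {".aspx", ".ashx", ".asmx"}

def score_file(path: Path) -> list:
    """Return the reasons a file looks like a web shell, or [] if it looks clean."""
    text = path.read_text(errors="ignore")
    reads = any(p.search(text) for p in INPUT_PATTERNS)
    execs = any(p.search(text) for p in EXEC_PATTERNS)
    if not (reads and execs):  # either signal alone is common in legitimate pages
        return []
    reasons = ["reads request parameters", "executes code or writes files"]
    if len(text) < 2048 and '<script runat="server">' in text:
        reasons.append("small inline server-side script")
    return reasons

def scan(root: Path) -> dict:
    """Walk root and map each suspicious script (path relative to root) to its reasons."""
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXTENSIONS:
            reasons = score_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

# Constructed fixtures (not real samples): a benign logon form and a shell-shaped script.
SAMPLE_FILES = {
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %>\n<form runat="server">'
        '<asp:TextBox ID="user" runat="server"/></form>\n',
    "aspnet_client/system_web/shell.aspx": '<%@ Page Language="C#" %>\n'
        '<script runat="server">\nvoid Page_Load(object s, EventArgs e) {\n'
        '  System.Diagnostics.Process.Start("cmd.exe", Request["c"]);\n}\n</script>\n',
}

def demo() -> dict:
    """Write the fixtures into a temporary directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan(root)
```

Point `scan()` at a copy of the IIS web root (for example `C:\inetpub\wwwroot`) and review every hit by hand; the heuristic is meant to shortlist files for analysis, not to deliver a verdict.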
The case of Xu Zewei will be, beyond a criminal procedure, an indicator of how international responses to covert cyberwar are evolving: if the extradition ends in a conviction, it could strengthen cooperation and pressure on networks that act as providers of offensive capability; if the defence manages to dismantle the attribution, it will serve as a reminder of the evidentiary difficulties in state-sponsored attacks. Meanwhile, the combination of technical vigilance and prudent public policy is the best defence to mitigate the damage these campaigns can cause to research, business and citizens.