An FBI operation that attempted to stop attacks by the “Hafnium” group and others on Microsoft Exchange servers earlier this year was revealed in a press release on Monday.
Microsoft discovered a new Chinese state-sponsored hacking group called Hafnium in March, which was targeting Exchange servers on company networks. When the four flaws were chained together, the hackers were able to break into a vulnerable Exchange server and steal its contents.
The bugs were patched by Microsoft, but the fixes did not close the backdoors on the servers that had already been hacked. Within days, other hacker groups started using the same bugs to infect compromised servers with ransomware.
A Houston court has ordered the FBI to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers across the country, months after hackers exploited four previously unknown vulnerabilities to target thousands of networks.
The FBI specifically targeted Hafnium’s web shells (as outlined in court filings), locating them on a server in the United States, remotely accessing them using the attacker’s own passwords, and executing a command to make them uninstall themselves, thwarting the group’s plans.
The FBI’s request for a search warrant required it to carry out this operation while notifying server administrators. On April 9th, it was granted permission to carry out the operation for up to 14 days, as well as the ability to postpone updates for up to 30 days.
“This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells,” according to the Justice Department.
The FBI says that, before it began its remote removal of Hafnium backdoors, thousands of devices had already been patched by their owners, and that it only “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”
The FBI is now sending emails to server owners, and “attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.”
The operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers.
This is claimed to be the first time the FBI has successfully cleaned up private networks following a cyberattack. The Supreme Court ruled in 2016 that federal judges may grant search and seizure warrants outside of their jurisdiction. Critics objected at the time, claiming that the FBI would ask a friendly court to sanction cyber-operations anywhere on the planet.
While we are not aware of any precedent for the FBI acting on privately owned servers after they have been attacked, a reporter points out that the FBI dealt with the Coreflood botnet in 2011 by sending a command to infected machines to shut the malware down, also under a court order. Beyond this statement, neither the Justice Department nor Microsoft has publicly commented on the operation.