In what may be a first-of-its-kind operation, the FBI recently accessed private servers across the United States, ostensibly to delete malware that had previously been installed by foreign hackers.
The FBI aimed this unusual digital clean-up at servers running Microsoft Exchange, an email product riddled with security flaws. The U.S. Justice Department said Tuesday that the purpose of the bureau’s operation was to digitally erase traces of web shells that, had they remained, “could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”
The security flaws plaguing Microsoft’s product are well known and we’ve covered them quite extensively. Since the company’s disclosures about Exchange’s vulnerabilities in early March, hackers have swarmed exposed servers all over the world to pilfer data and conduct ransomware attacks.
Out of all the groups involved, the China-based group called “HAFNIUM” seems to have concerned American authorities the most. The group, which has used web shells as backdoors into U.S. networks, is said to have aggressively targeted Exchange for email theft and data exfiltration.
A federal affidavit unsealed Tuesday strongly implies that the goal of the FBI’s operation was to remove malware specifically deployed by HAFNIUM. While the Justice Department does not explicitly name HAFNIUM (referring only to “one early hacking group” as the target of the investigation), it is the only threat actor explicitly mentioned in the FBI affidavit.
A DOJ press release notes:
“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated.”
The operation seems to have been strictly targeted at this one particular campaign, as the feds did not “search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells,” the release says.
This may be the first time that the FBI has conducted an operation like this, TechCrunch reports. For years, the bureau has sought greater powers and authority to conduct digital investigations inside the U.S., though critics and civil liberties defenders have consistently fought against such encroachments into private servers.