The government got a judge to authorize the effort to remove malicious code from the Exchange Server hack.
Early this year, a group of hackers associated with the Chinese government, known as Hafnium, exploited a vulnerability in Microsoft’s Exchange Server. The attack allowed them to gain access to over 60,000 servers, including those of major corporations and banks.
This attack is separate from the SolarWinds hack that affected thousands of customers last year through a backdoor vulnerability in the company’s software. In that case, a Russian group was able to piggyback on SolarWinds’ software, which–when installed via an update on client networks–allowed the hackers to deploy malicious code. In that case, Microsoft worked with Fire Eye to cut off the attack by sink-holing the domain used to receive further instructions.
This attack was different, in that it took advantage of a known security flaw that affected on-premises exchange servers. Known as a zero-day attack, hackers were able to exploit the vulnerability without any interaction from the user, and without them knowing that malicious code had been placed on the server. The breach was so widespread that the Biden administration called for a “whole of government response.”
It appears Microsoft was first notified of the problem in January, but did not release a patch until March. That was also the first time the issue was acknowledged publicly. During that time, hackers had access to sensitive information at thousands of companies, government agencies, and other organizations.
Since then, many were able to patch the flaw and remove malicious code, known as web shells. Some users, however, had yet to mitigate the attack. Even if they had installed the patch, the government said that a few hundred organizations had not removed the web shells from infected servers.
That left them vulnerable not only to the original hackers–but once the backdoor became public–to other groups that took advantage of the same exploit.
In a statement, the Department of Justice said:
Throughout March, Microsoft and other industry partners released detection tools, patches and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10. Despite these efforts, by the end of March, hundreds of web shells remained on certain United States-based computers running Microsoft Exchange Server software.
Now, with the blessing of a Federal Court in Houston, Texas, the Federal Bureau of Investigation is using the same set of tools the hackers used, and is accessing servers to remove malicious code. In most cases, this is happening without the knowledge or awareness of the server’s owner.
I think it’s fair to say that this is unprecedented. The federal government isn’t usually allowed to hack in and remove content from a computer network. I’m not suggesting that what they did was illegal–it clearly wasn’t, hence the order from a judge. It does reveal that the federal government has extraordinary capabilities when it comes to cybersecurity.
The agency used an Australian firm, Azimuth, to develop a way to access the device at the center of a huge battle between Apple and federal law enforcement.
In this case, the government felt that the risk of further compromise for the companies involved warranted drastic action. “This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cybercriminals,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas.
Essentially, the government is suggesting that if companies won’t take steps to protect their network and eliminate cyber threats, it’s willing to step in and flex its own cyber muscles. That means if you’d like to keep the FBI out of your business in the future, keep the backdoor closed.