
WASHINGTON: The FBI carried out a “court-authorized operation” in recent days to remove web shells from hundreds of US computers running Microsoft Exchange server software, the Department of Justice announced as it unsealed a search warrant that permitted the operation.

“The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells,” the DoJ said. Web shells are malicious scripts uploaded to servers that give attackers remote administrative control.

The web shells are part of an extensive cyber campaign conducted over recent months by foreign government and cybercriminal elements, one with significant national security implications — from cyberespionage to ransomware and potentially destructive cyberattacks.

This operation — which involved the FBI removing malware from privately owned and operated victim servers without advance notice — could be unprecedented, at least at this scale.

The unsealed application for the search warrant that authorized the operation notes the legal basis included “evidence of a crime; contraband, fruits of crime, or other items illegally possessed; and property designed for use, intended for use, or used in committing a crime.”

Breaking Defense reached out to several legal experts for comment on the matter, but did not hear back by publication.

The FBI and the Cybersecurity and Infrastructure Security Agency have been asking anyone affected by the massive cyberespionage and criminal campaign to contact them for help. The entities whose servers were cleaned during the FBI operation did not know about it ahead of time.

The Motion to Partially Unseal Search Warrant and Related Documents says now that the FBI operation has concluded, the search warrant can be unsealed and the affected entities notified.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General John C. Demers for the Justice Department’s National Security Division said.

The FBI’s operation targeted web shells that were dropped on compromised Microsoft Exchange servers during a widespread cyber campaign first discovered by US companies in January. Microsoft disclosed in early March the four zero-day vulnerabilities being exploited in Exchange server software. Microsoft and CISA subsequently released detection tools, extensive information, and patches.

This set off a mad dash between multiple threat actors seeking to exploit the four zero days and entities trying to patch the vulnerabilities before they could be exploited. Microsoft and others have implicated a previously unknown Chinese group, HAFNIUM, as the original threat actor in the campaign. But in the days leading up to and since Microsoft’s disclosure, many other attackers began exploiting the zero days — including installing the web shells to provide persistent access for follow-on attacks.

Despite available patches, tools, and information, the DoJ said, “by the end of March, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange server software. Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

It’s unclear whether the entities whose servers were cleaned in the FBI operation knew about the ongoing malicious cyber campaign at all, simply ignored it, or lacked the in-house technical expertise to properly administer the Exchange software, which runs on on-premises servers they operate themselves.

DoJ appears to think the latter: “Because the web shells the FBI removed today each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.”

The unsealed affidavit in support of the search warrant contains two important points: First, the removed web shells were installed on victim servers before March 2 — the day Microsoft disclosed the zero days — which makes it highly likely they are associated with HAFNIUM, by timing if not also by stronger forensic evidence.

Second, the FBI’s requested actions were limited strictly to copying the web shells for evidence and then deleting them from victim servers. The FBI did not ask to conduct any other action(s) on the victim servers.
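The two points above, detecting web shells that carry arbitrary paths and names, and copying each one for evidence before deleting it, as an added Python example that is not from the article or from any FBI tooling: a hash-baseline sweep flags script files by content rather than by name, and a copy-verify-then-delete routine preserves the artifact. The sample webroot, the baseline and the `x7f3q.aspx` name are constructed here.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")  # server-side script types to sweep

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_unknown_scripts(webroot: Path, baseline: set) -> list:
    """Name-agnostic sweep: flag every script file whose content hash is not
    in the known-good baseline, regardless of its path or filename."""
    return sorted(p for p in webroot.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
                  and sha256_of(p) not in baseline)

def preserve_then_remove(path: Path, evidence_dir: Path) -> dict:
    """Copy the file and its metadata into evidence_dir, verify the copy,
    and only then delete the original, so the artifact survives for review."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    digest, st = sha256_of(path), path.stat()
    record = {"original_path": str(path), "sha256": digest, "size": st.st_size,
              "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
              "collected_utc": datetime.now(timezone.utc).isoformat()}
    dest = evidence_dir / f"{digest}{path.suffix}"
    shutil.copy2(path, dest)  # copy2 keeps the original timestamps
    if sha256_of(dest) != digest:  # never destroy the original on a bad copy
        raise RuntimeError(f"evidence copy of {path} failed verification")
    record["evidence_copy"] = str(dest)
    (evidence_dir / f"{digest}.json").write_text(json.dumps(record, indent=2))
    path.unlink()
    return record

def demo() -> dict:
    """Constructed sample webroot: two known-good pages plus one unknown file
    at an arbitrary name (a placeholder, not a real web shell)."""
    root = Path(tempfile.mkdtemp())
    web = root / "webroot"
    web.mkdir(parents=True)
    (web / "logon.aspx").write_text("<%@ Page %> legitimate logon page")
    (web / "errorFE.aspx").write_text("<%@ Page %> legitimate error page")
    (web / "x7f3q.aspx").write_text("<%@ Page %> unknown content")
    baseline = {sha256_of(web / "logon.aspx"), sha256_of(web / "errorFE.aspx")}
    hits = find_unknown_scripts(web, baseline)
    records = [preserve_then_remove(h, root / "evidence") for h in hits]
    return {"flagged": [h.name for h in hits], "records": records,
            "remaining": sorted(p.name for p in web.iterdir())}
```

On a real server the baseline would be built from a clean install of the same Exchange build, and anything flagged should be reviewed before removal rather than deleted automatically.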

The unsealed affidavit also notes that the FBI tested the copy and removal process — commands executed on the servers — in its own environment and consulted outside expertise to ensure its operation would not interfere with any other part or aspect of the victim server.

The FBI applied for — and the court granted on April 9 — a sealed search warrant that had a box checked next to the statement: “Pursuant to 18 U.S.C. 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C. 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched and seized.”

Some will applaud the FBI’s proactive operation in the interest of national security and protecting hacking victims, while others are likely to raise questions about it. The operation could become a topic legal experts — as well as the public and private sector — discuss and debate for some time to come.