A press release on Monday revealed the existence of an FBI operation that tried to shut down attacks by the “Hafnium” group and others on Microsoft Exchange servers earlier this year. While patches and mitigations addressed the issue for many, there were still a number of servers that remained exposed, where the attackers had installed web shells to keep their remote access. The feds claim those shells could have been difficult for some administrators to identify and remove on their own.
The FBI targeted Hafnium’s shells in particular (as described in court filings), identifying them on servers in the US, accessing them remotely using the attacker’s own passwords and executing a command to make them delete themselves, foiling the group’s plans. The search warrant the FBI requested allowed it to execute this operation and to delay notifying server administrators. It received permission on April 9th to run the operation for up to 14 days, along with authorization to delay notifications for up to 30 days.
According to the Justice Department, “This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
Now the FBI says it’s emailing server owners and “attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.” While we’re not aware of a precedent for the FBI taking action on privately owned servers after they were attacked, Wired reporter Kim Zetter points out how it dealt with the Coreflood botnet in 2011 by sending a command to infected machines to shut it down, also with a court order. The Justice Department and Microsoft have not commented on the operation publicly beyond this statement.