“If the Microsoft Exchange servers they interacted with were fully patched and they actually deleted any and all web shells on the backdoor servers, it should be quite effective,” says Steven Adair, founder of security firm Volexity, which first identified the Hafnium attack. “Assuming these Microsoft Exchange servers were just backdoor with web shells, they were essentially sitting ducks. These actions potentially save these organizations from future harm.”
There are two important caveats here. First, removing a web shell doesn’t get rid of any malware that may already have snuck through, or return any data that has been stolen. Second, if the underlying vulnerabilities remain on a system, someone could always just plant another web shell.
In those limitations, Tait sees an encouraging degree of restraint on the part of the FBI. “What they’re doing is actually unusually narrow,” he says. The FBI could have asked to scan for ransomware or illicit materials that might be present on the server, or to proactively patch servers that were still vulnerable. “Then I think you would have more serious privacy concerns, like is the FBI piggybacking on this to look for other crimes?”
Instead, the agency got in, defused the bombs, and got back out.
New Rules
Five years ago, an operation like this would have been highly unlikely, if not impossible. In December 2016, however, the Federal Rules of Criminal Procedure was updated to make search and seizure orders more applicable to cybercrime. Rather than having to get a warrant in every individual court district where suspected illegal activity occurred, law enforcement could instead get sign-off for broader efforts from a single judge, as long as officials could demonstrate that the activity took place in five or more districts.
“The big mismatch has always been between the way that legal rules are tied to physical geography and that cyberoperations extend beyond it,” says Doss. A target’s vulnerabilities are more important to a hacker than what state they’re in, especially for large-scale hacks, like Hafnium’s Exchange server assault or SolarWinds or the creation of a botnet.
In fact, the FBI has used this authority before, although seemingly sparingly. In previous cases that have become public, it focused on disrupting active botnets rather than preemptive protections. The FBI also typically targeted the botnet controller to send the signal out, while in the Hafnium case, the agency used the web shells on private servers to send one back home.
“In general, these operations involve law enforcement seizing control of a command-and-control server with the help of their partners and issuing commands to cut off access to the infected machines that make up the botnet,” says Katie Nickels, director of intelligence at the security firm Red Canary. “In this case, the FBI is gaining access to victim-owned Exchange servers, copying web shells from them, and then deleting those web shells. The distinction is important because the web shell actions are more invasive.”
“The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions,” said Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division.
Anytime law enforcement tries something new—or at least puts a new spin on an old script—slippery slopes naturally become a concern. This time is no different. Future flexes will merit scrutiny, but this time the FBI at least appears to have taken the narrowest possible scope for the greatest possible good.
“This is the government saying the private sector can’t protect itself here,” says Doss, “so we’re going to.”
More Great WIRED Stories