FBI accessed hundreds of private computers in Microsoft Exchange remediation bid
The FBI accessed hundreds of vulnerable computers using remote backdoors installed by hackers — with the goal of collecting evidence against the hackers and removing the backdoors. In a press release issued Tuesday, the U.S. Department of Justice announced the operation and explained the rationale behind it.
The 2021 Microsoft Exchange Server breach
Earlier this year (2021), several critical zero-day vulnerabilities in on-premises Microsoft Exchange Server were disclosed (Exchange is email server software common in enterprise environments; the hosted Exchange Online service was not affected).
Exploitation of the zero-days resulted in the compromise of thousands of organizations worldwide, with malicious actors reading users' email and gaining administrative privileges on the breached servers. The attackers used this access to install "web shells": server-side script files, reachable over HTTP like any other page, that let whoever knows their location execute commands on the compromised system.
Researchers analyzing the Microsoft Exchange Server breach believe that Hafnium, a Chinese APT group, was likely responsible for the initial attacks, but say that several other hacking groups began exploiting the vulnerabilities after they became publicly known.
The incident was considered to be a major security issue, because this kind of persistent access to an enterprise network can result in spying, additional malware infections, and intellectual property theft. And as we learned from the SolarWinds hack at the end of 2020, undoing the damage from a widespread breach can be difficult, time consuming, and expensive.
Shutting down the remaining backdoors
In early March, Microsoft made the public aware of the Exchange Server vulnerabilities, and released several security updates and remediation tools.
Most organizations were able to apply the required patches and hunt down and remove the web shells that bad actors had installed on their networks. But by the end of March, the FBI could see that hundreds of servers still harbored the remote backdoors, and that those web shells were still web-accessible and fully functional. This presented an ongoing danger to the affected organizations: a web shell left in place after patching still gives the attacker a foothold, so the servers could be used to spy on their owners or to install additional malware on their networks.
For this reason, the FBI asked a federal court in Texas (the Southern District of Texas) for a warrant to access the affected servers themselves and remove the web shells. The judge approved the warrant request, which essentially gave the FBI legal permission to hack into vulnerable networks using the backdoors that the hackers had installed! When the FBI accessed an affected server, it would make a copy of each web shell for evidence, and then issue a command through that web shell that caused the server to delete only the web shell itself. The operation did not patch the underlying Exchange vulnerabilities or search for other malware, so affected organizations still had to apply Microsoft's updates and do their own incident response.
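What "hunt down and remove" looks like in practice, as an added example written for this page (not the FBI's tooling and not Microsoft's remediation scripts): a Python script that walks a web root looking for server-side script files, flags those that carry the combination of indicators a web shell needs (server-side script, request-driven input, and a code-execution call), preserves a hash-named copy of each suspect for evidence, and only then deletes the original. It generalizes the page's description slightly by scoring files on several indicators rather than looking for one known sample. The directory layout, file names, indicator patterns and threshold are assumptions for illustration; the flagged sample is a constructed, inert file that has the shape of a shell but executes nothing.

```python
"""Hunt for suspected ASPX web shells, preserve a copy for evidence, then remove them.

Added example, not the FBI's or Microsoft's tooling. Paths, file names,
indicator patterns and the threshold are assumptions for illustration.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Server-side script extensions worth inspecting on an IIS/Exchange host (assumption).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml"}

# Heuristic indicators. A web shell needs (a) server-side code,
# (b) attacker-controlled input, and (c) something that executes it.
INDICATORS = {
    "server_script": re.compile(rb'runat\s*=\s*"?server', re.I),
    "request_input": re.compile(rb'Request\s*(\[|\.\s*(Form|QueryString|Item|Headers|Params))', re.I),
    "code_exec": re.compile(
        rb'(Process\.Start|ProcessStartInfo|\beval\s*\(|JScriptEvaluate|cmd\.exe|Assembly\.Load)', re.I),
}
MIN_INDICATORS = 2  # assumption: one indicator alone is common in legitimate pages


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect(path: Path) -> list[str]:
    """Return the names of the indicators present in one file."""
    data = path.read_bytes()
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def hunt(root: Path) -> list[dict]:
    """Walk a web root and report script files that look like web shells."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_EXTS:
                continue
            hits = inspect(p)
            if len(hits) >= MIN_INDICATORS:
                findings.append({"path": p, "sha256": sha256_file(p), "indicators": hits})
    return findings


def preserve_and_remove(findings: list[dict], evidence_dir: Path) -> list[Path]:
    """Copy each suspect to the evidence directory (named by hash), verify, then delete it."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    kept = []
    for f in findings:
        dest = evidence_dir / f"{f['sha256']}_{f['path'].name}"
        shutil.copy2(f["path"], dest)  # copy2 keeps timestamps, which matter forensically
        # Only remove the original once the evidence copy verifies byte-for-byte.
        if sha256_file(dest) == f["sha256"]:
            f["path"].unlink()
            kept.append(dest)
    return kept


def demo() -> dict:
    """Build a constructed web root with inert sample files and run the hunt against it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    owa = root / "owa" / "auth"
    owa.mkdir(parents=True)
    # Benign page: no indicators at all.
    (owa / "logon.aspx").write_text('<%@ Page Language="C#" %><html><body>Logon</body></html>')
    # Benign control: runat="server" alone is one indicator, below the threshold.
    (owa / "banner.aspx").write_text('<form runat="server"><asp:Label runat="server" Text="OWA" /></form>')
    # Constructed, inert stand-in for a dropped shell: it has the shape of one
    # (server script + request-driven input + an exec token) but executes nothing.
    (owa / "sample_shell.aspx").write_text(
        '<%@ Page Language="C#" %><script runat="server">'
        'void Page_Load(){ string c = Request["cmd"]; /* Process.Start omitted */ }'
        '</script>'
    )
    findings = hunt(root)
    evidence = preserve_and_remove(findings, root.parent / (root.name + "_evidence"))
    return {
        "flagged": sorted(f["path"].name for f in findings),
        "remaining": sorted(p.name for p in owa.iterdir()),
        "evidence_files": len(evidence),
    }


if __name__ == "__main__":
    print(demo())
```

Run against the real IIS web roots and Exchange's front-end directories rather than a temp tree, and treat the indicator list as a starting point: shells are routinely obfuscated, so pair string heuristics like these with Microsoft's published indicators and hashes, and review anything flagged before deleting it.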
FBI accessed servers without notification
This isn't the first time a government agency has taken direct action to disrupt the activities of cybercriminals. Last year, for example, U.S. Cyber Command disrupted the Trickbot botnet in an operation designed to prevent interference with the 2020 election.
But while the Microsoft Exchange Server breach was a serious threat, and while it’s definitely a good thing that APT groups no longer have backdoor access to U.S. companies, there are aspects of the FBI’s operation that deserve a closer look.
For one thing, it appears that the FBI accessed the affected organizations without informing them ahead of time. In their press release, the Department of Justice said:
The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.
It’s understandable that the FBI wanted to take swift action to remove the threat. It’s also likely that they needed to preserve forensic evidence for their investigation. Nevertheless, the fact that the government used an APT’s hacking tools to access private companies “for their own good”, and did it without first notifying these companies, may strike the more privacy minded among us as a little troubling!
About that search warrant …
Another thing to look at is the way that the FBI obtained permission to access all those breached companies.
As you'll recall, the FBI applied for its warrant in a federal court in Texas. However, the warrant request made use of a 2016 change to Rule 41 of the Federal Rules of Criminal Procedure that allows federal judges to authorize remote access to computers outside of their own districts. The FBI didn't only seek approval to access servers located in Texas, but also in the U.S. states of Massachusetts, Illinois, Ohio, Idaho, Louisiana, Iowa, and Georgia.
Back in 2016, critics of the change were already concerned that it would open the door to mass surveillance and government overreach. At the time, one lawmaker, Senator Ron Wyden (D) of Oregon, called it a “dramatic expansion of the government’s hacking and surveillance authority”. The warrant request in the Microsoft Exchange Server case seems to have been made in good faith, but the fact that the FBI can ask a judge in one jurisdiction for permission to hack a private company in another does give one pause!
Digital rights watchdogs like the Electronic Frontier Foundation say that governments and law enforcement agencies around the world have stepped up their use of technological surveillance. In the United States, even federal judges have criticized police departments for overusing the controversial surveillance dragnets known as geofence warrants. And anyone who follows iPhone news is aware of the ongoing privacy battles between Apple and the FBI.
To be clear, we’re not suggesting that the FBI did anything wrong in this particular case. But the FBI’s recent operation is a healthy reminder that the government really does have broad powers of surveillance, and underscores why it’s so important for all of us to stay informed about digital privacy issues.