The agency’s approach to protecting vulnerable victims of the recent Hafnium attack manages to be at once controversial and refreshingly restrained.
On March 2, Microsoft warned the world that a Chinese state-sponsored hacking group called Hafnium had infected what would turn out to be tens of thousands of Microsoft Exchange servers in a weeks-long hacking blitz. While Microsoft soon released a patch, not every victim updated their systems, and hundreds of servers remained exposed. A little over a month later, the Department of Justice has now revealed, the FBI took extraordinary steps to protect those still at risk.
Court documents unsealed this week reveal that the FBI obtained a warrant to copy and delete so-called web shells—essentially a foothold into a system that hackers can use to send remote commands or malware—from hundreds of Hafnium victims. While the operation seems straightforward on a technical level, it establishes a precedent that manages to be at once both controversial and refreshingly restrained.
“This is a novel approach,” says April Doss, a former NSA lawyer who currently directs the Institute for Technology Law and Policy at Georgetown Law. “I think we’ll see it used again, but I would hope we see it used again with really careful analysis.”
Rather than carefully select valuable targets, Hafnium scoured the internet for vulnerable Microsoft Exchange servers and infected as many as it could, amassing at least 30,000 victims in the United States alone and hundreds of thousands worldwide. It was a mess.
But it also wasn’t quite as bad as those numbers make it sound. Hafnium used its access in that initial sweep to plant web shells, which would allow it to come back later to cause real damage. It essentially left itself 30,000 keys under 30,000 doormats, and would figure out which of those targets it actually cared about later. A disproportionate number of Hafnium victims appear to have been small- to medium-sized businesses, which are more inclined to run a dedicated on-premises Exchange server for their email needs. Most large corporations run their email in the cloud. So Hafnium likely wouldn’t care much about many of the entities it hit. (Opportunistic ransomware hackers, though, leapt at the opening Hafnium created.)
By all accounts, the rush to patch Exchange servers has been largely successful, thanks in part to a one-click tool Microsoft released about a month ago. But again, the victims are mostly small- and medium-sized businesses. Many of them don’t have the resources to fix a gaping cybersecurity threat; some may not even realize they have an exposed Exchange server in the first place. Meanwhile, patching protects from future infection, but it doesn’t get rid of the web shell that already snuck through. And so those web shells have lurked, patiently awaiting instructions from the hackers who put them there, ready to cause harm.
“You can imagine if there were a circumstance in which some criminal syndicate planted physical bombs in properties spread across half a dozen states,” says Doss. “If the property owners couldn’t be reached, or were off-site and couldn’t get there to take any action, or didn’t have the technical ability to find or defuse the explosive materials, what would DOJ do? They would get a warrant for the FBI to go in.”
Which is what happened last Friday, when a judge granted the FBI a warrant to uninstall those web shells, which turned out not to be an especially difficult task. “The technical part of it is like .5 percent of the work,” says Matt Tait, a former British intelligence analyst who is now the chief operating officer at Corellium, a virtualization and security research company. A web shell has a URL and, in this case, a password associated with it. The FBI had access to both, presumably through threat intelligence and other partners. All the agency had to do was access the web shell, enter the password, and send a command to the server that essentially said “delete me.” Problem solved.New Rules
“If the Microsoft Exchange servers they interacted with were fully patched and they actually deleted any and all web shells on the backdoor servers, it should be quite effective,” says Steven Adair, founder of security firm Volexity, which first identified the Hafnium attack. “Assuming these Microsoft Exchange servers were just backdoor with web shells, they were essentially sitting ducks. These actions potentially save these organizations from future harm.”
There are two important caveats here. First, removing a web shell doesn’t get rid of any malware that may already have snuck through, or return any data that has been stolen. Second, if the underlying vulnerabilities remain on a system, someone could always just plant another web shell.
In those limitations, Tait sees an encouraging degree of restraint on the part of the FBI. “What they’re doing is actually unusually narrow,” he says. The FBI could have asked to scan for ransomware or illicit materials that might be present on the server, or to proactively patch servers that were still vulnerable. “Then I think you would have more serious privacy concerns, like is the FBI piggybacking on this to look for other crimes?”
Instead, the agency got in, defused the bombs, and got back out.
Five years ago, an operation like this would have been highly unlikely, if not impossible. In December 2016, however, the Federal Rules of Criminal Procedure was updated to make search and seizure orders more applicable to cybercrime. Rather than having to get a warrant in every individual court district where suspected illegal activity occurred, law enforcement could instead get sign-off for broader efforts from a single judge, as long as officials could demonstrate that the activity took place in five or more districts.
“The big mismatch has always been between the way that legal rules are tied to physical geography and that cyberoperations extend beyond it,” says Doss. A target’s vulnerabilities are more important to a hacker than what state they’re in, especially for large-scale hacks, like Hafnium’s Exchange server assault or SolarWinds or the creation of a botnet.
In fact, the FBI has used this authority before, although seemingly sparingly. In previous cases that have become public, it focused on disrupting active botnets rather than preemptive protections. The FBI also typically targeted the botnet controller to send the signal out, while in the Hafnium case, the agency used the web shells on private servers to send one back home.
“In general, these operations involve law enforcement seizing control of a command-and-control server with the help of their partners and issuing commands to cut off access to the infected machines that make up the botnet,” says Katie Nickels, director of intelligence at the security firm Red Canary. “In this case, the FBI is gaining access to victim-owned Exchange servers, copying web shells from them, and then deleting those web shells. The distinction is important because the web shell actions are more invasive.”
“The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions,” said Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division.
Anytime law enforcement tries something new—or at least puts a new spin on an old script—slippery slopes naturally become a concern. This time is no different. Future flexes will merit scrutiny, but this time the FBI at least appears to have taken the narrowest possible scope for the greatest possible good.
All Rights Reserved for Brian Barrett