Earlier this year, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place malware that provided backdoor access to thousands of compromised servers. Microsoft assessed with high confidence that the vulnerabilities were initially being exploited by a state-sponsored group that Microsoft refers to as HAFNIUM. This week the U.S. Department of Justice (DOJ) announced that it undertook a novel court-authorized law enforcement operation to remove the malware from hundreds of victim systems in the United States.
The law enforcement operation comes as the U.S. government is under increasing pressure to act to protect the public and privacy sector from cyberattacks and respond to state-sponsored cyber intrusions like HAFNIUM and the SolarWinds compromise. This response is likely to complement other actions such as public attribution, sanctions, criminal charges, and diplomatic demarches. (Just today, the Biden Administration announced new sanctions against Russia in response to the SolarWinds intrusion and election interference.)
Although this proactive response is welcome and consistent with law enforcement’s articulated priorities to proactively take measures to defend American businesses and individuals from foreign cyber intrusions, additional action will need to be taken by private sector organizations to ensure that they have secured their networks—whether the organizations benefited from the operation or not. We provide recommended guidance below, after a brief primer on the HAFNIUM and related hacking activity.
Security researchers determined that HAFNIUM had been exploiting the zero-day vulnerabilities in Microsoft Exchange Server as early as the beginning of January 2021. Security researchers identified the exploitation “in the wild” and informed Microsoft. According to Microsoft, HAFNIUM primarily targeted a narrow set of entities in the United States including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
But as Microsoft prepared to issue its patch in late February 2021, hackers ramped up their activity. Based on several accounts, to avoid losing access after systems were patched, HAFNIUM actors went on a hacking spree to breach and establish persistent access into as many systems as they could find using web shells. Web shells are malicious code that enables remote access to and control of a web server even after it is patched. Web shells are a common tool used by hackers to maintain long-term access to a victim’s environment after initially exploiting a vulnerability. Web shells give hackers the ability to issue commands, and to upload, download, and execute files on a web server— enabling further lateral movement and exploitation, as well as data theft. Here, the attackers left behind web shells so that they could access the systems even after the systems had been patched.
Ultimately, according to security researchers, HAFNIUM indiscriminately installed web shells on tens of thousands of vulnerable systems—and that number does not include exploits by other hacking groups who raced to exploit the zero-day vulnerabilities after Microsoft’s patch release, but before affected entities had time to install the patches. DOJ’s court filings estimate that, in total, more than 60,000 Microsoft customers were compromised worldwide in this way.
Although the number of infected systems dropped as patches were applied by the private sector, hundreds of Microsoft Exchange Servers remained vulnerable because these web shells were difficult to find and eliminate. In particular, many of the unpatched remaining victims are believed to be medium and small businesses who were outmatched by the adversary.
DOJ, as a result, sought to take proactive action, through legal process, to access and delete web shells deployed by hackers, without impacting other files or services of victim systems. The operation was conducted pursuant to a search and seizure warrant under Federal Rule of Criminal Procedure 41, which authorized the Federal Bureau of Investigation (FBI) to access the malicious web shells on compromised Microsoft Exchange Servers in the United States, and to copy and subsequently delete just the web shells from those servers.
DOJ has pursued prior operations using its authority under Rule 41, including the takedown of the Russian Gameover Zeus botnet and the North Korean Joanap botnet, but such operations have typically been limited to seizures of command and control infrastructure. This operation reflects a more aggressive approach insofar as it involves access to the systems of compromised victims.
The operation only impacted the malicious web shells installed by unauthorized actors and did not patch any vulnerabilities on those Microsoft Exchange Servers and did not remove any other additional malware. According to the partially unsealed warrant affidavit, the FBI operation began on or about April 9, 2021, and was completed by April 13, 2021. It is important to emphasize that DOJ/FBI did not access or copy the contents of any private exchange servers, but merely “issu[ed] a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).” Indeed the warrant states that it “does not authorize the seizure of any tangible property[,]” and “does not authorize the seizure or copying of any content from  electronic storage media . . . or the alteration of the functionality of  electronic storage media[.]”
This operation’s novel use of legal process poses a variety of implications to businesses and reinforces the value of maturing organizational approaches to incident response, vulnerability management, and law enforcement cooperation. This is especially true for the hundreds of victims who may receive notice, which the FBI is attempting to provide, that their systems were among those from which the FBI removed the hacking group’s malware. According to court documents, FBI will attempt to notify entities who were impacted by this operation by sending an email from an official FBI email account to the email address identified for companies in the public domain registration records, or if such domain registration records are not publicly available, FBI will provide notice to the entities’ domain hosting provider, asking them to provide notice to the victim.
Although the FBI was successful in removing that malware, it did not patch the zero-day vulnerabilities or search for or remove any other malware or hacking tools that threat actors may have placed on victims’ networks. It is critical that these victims and all users of the vulnerable Microsoft Exchange Server software review Microsoft’s remediation guidance and the March 10, 2021 FBI and Cybersecurity and Infrastructure Security Agency joint advisory for further guidance on detection and patching.
Additionally, impacted organizations should investigate—at the direction of counsel if possible—the underlying HAFNIUM activity to determine if any additional malware was deployed, or if any data or other systems have been impacted. Organizations may need to satisfy notification obligations and other regulatory requirements, and further remediation or security hardening may be appropriate as well.
As the U.S. government increases its resources aimed at protecting U.S. businesses and individuals from significant foreign cyber threats, we expect it will execute more operations like the one it announced yesterday to proactively disrupt adversaries.