The US Federal Bureau of Investigation (FBI) secretly hacked into vulnerable Microsoft Exchange Servers and removed web shells that were implanted during the recent Hafnium campaign by Chinese malicious actors.

Previously sealed court documents released on Wednesday show the FBI’s warrant applications as it sought “to use remote access techniques to search certain Microsoft Exchange Servers located in the United States”.

Once in the affected systems, the FBI wanted to copy – for “evidentiary” purposes – and remove any web shells still installed on hundreds of machines.

Assistant director of the FBI’s Cyber Division, Tonya Ugoretz, said the action to secretly remove malicious code from unsuspecting servers was a show of strength against online threats.

“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” she said.

“The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”

Microsoft revealed the Exchange Server vulnerabilities in early March, blaming a Chinese hacking group it called Hafnium for developing exploits that enabled the installation of web shells, which could allow remote code access to servers.

Despite public awareness campaigns and warnings from Microsoft about the high risk this vulnerability posed, many servers remained unpatched – including a “large number” of Australian servers spotted by the Australian Cyber Security Centre.

The FBI scanned through the public web shells Hafnium used in its campaign and found a significant number remained on US servers a month after Microsoft’s disclosure.

“Most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own,” the FBI said in its warrant application.

Because of this perceived difficulty, the agency took it upon itself to remove the web shells without the server owners’ knowledge.

The FBI said it was necessary to operate in secret to ensure the web shell operators didn’t “destroy or tamper with evidence or change patterns of behaviour”.

“Disclosure also could prompt the subjects to make changes to the web shells before FBI personnel can act pursuant to the requested warrant, which would enable persistent access, further exploitation of the victims, and defeat the efforts of FBI personnel to identify victims and delete web shells,” the FBI said.

The organisation said it is in the process of notifying, via an official FBI email, the businesses that it hacked.