The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: The FBI launched an operation to wipe out hacker access to hundreds of U.S. servers

Placeholder while article actions load

with Aaron Schaffer

The Justice Department announced yesterday it launched an operation to eliminate back doors into hundreds of U.S.-based servers exposed by a Microsoft Exchange vulnerability identified by the company earlier this year. 

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General John C. Demers of the Justice Department’s National Security Division said in a release. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

The takedown highlights how U.S. intelligence is increasingly turning to the legal system to parry tools used by hackers. The DOJ action is also a major step in a weeks-long effort by U.S. officials and Microsoft to stem the damage from a major security flaw allowing hackers to infiltrate the servers of at least 30,000 U.S. organizations. 

The push for the private sector to patch the vulnerability slashed the number of exposed servers, but hackers had already installed malicious code on thousands of the servers to create a separate way into their operations. After Microsoft announced the patch in February, hackers rushed to piggyback off that malicious code. Hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange software by the end of March, according to the Justice news release. 

The FBI's takedown removes hundreds of access points for hackers. The shells removed by law enforcement “each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” according to DOJ.

The court filing mentions that Microsoft identified the actors behind the initial intrusion as HAFNIUM, a state-sponsored group operating out of China. The U.S. government has not officially attributed the attack to a specific group.

“Initially the targets were high-value intelligence targets in the United States,” the court filing notes. The scope of the targets later expanded.

Justice attributed the back doors to an “early hacking group” but did not elaborate. Microsoft declined to comment on the operation.

Cyber experts were divided on the DOJ operation’s significance and impact.

“I think this will slow attackers down a bit, but there are so many exploits out there and so many groups scanning for flaws that I think vulnerable systems will be quickly re-exploited, Allan Liska, an intelligence analyst at Recorded Future, a cyber threat research firm, told The Post's Ellen Nakashima.

But several applauded the federal government for moving aggressively. 

“If this operation removed all the web shells from backdoored but patched servers, they may have saved these organizations from potentially devastating attacks in the future,” Steven Adair, president of Volexity, a cyber firm that discovered some of the early exploits used by the Chinese to hack the Exchange servers, told Ellen. “It’s rather amazing to see information like this acted upon for the benefit of the victims.”

Silverado Policy Accelerator Chairman Dmitri Alperovitch:

“I am glad to see the Justice Department taking proactive steps to prevent these threat actors from causing major damage to these victims,” Liska said.

The DOJ action is just the latest example of U.S. law enforcement's use of legal tools to take down hackers.

Earlier this year, international law enforcement teamed up to take down a network of infected computers used by one of the world's biggest cybercriminal organizations, Emotet. In September, DOJ seized the malware and infrastructure used by five alleged Chinese hackers.

Other efforts have been less successful. Separate efforts by U.S. Cyber Command and Microsoft ahead of the November election to interrupt a network spreading Trickbot malware made only a temporary dent in the group's operations.

Heading straight for a warrant raises some privacy concerns in this latest takedown, some experts note.

According to the court filing, the procedure to delete the malicious code did not impact other files or services on the computers and the agency confirmed with an outside expert that action would not adversely affect the victim computers.

“This warrant is an extremely powerful and potentially dangerous tool, that allowed government access to innocent people's computers to remove files, without prior notice,” Kurt Opsahl, deputy director of the Electronic Frontier Foundation wrote in an email.

“It's good that the DOJ unsealed this promptly, and it's true that eliminating the Exchange server security exploit is beneficial (though notably did not patch the hole), but it remains deeply disturbing to see a court authorize government agents to access your computer based on the government's idea of what is best for you.”

The Fourth Amendment does not require prior notice of a warrant so long as “reasonable efforts to serve the owner a copy of the warrant once executed are made, Orin Kerr, a professor at University of California, Berkeley School of Law explained in an email.

The FBI said it will reach out to victims whose emails are available directly or contact their Internet service providers if direct contact information is unknown. That form of victim notification can be difficult to pull off, however, points out Katie Nickels, director of intel at Red Canary.

Intelligence officials also yesterday urged organizations to repair an unrelated Microsoft Exchange vulnerability identified by the NSA. 

Microsoft has not seen the vulnerabilities used against customers, according to a company blog post.

"Cybersecurity is national security. Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors," Rob Joyce, NSA's director of cybersecurity, said in a statement. "Don't give them the opportunity to exploit this vulnerability on your system."

Chat room

More reactions to the new Exchange vulnerability. Security researcher Ruben Boonen:

Sophos senior threat researcher Sean Gallagher:

Journalist and author Violet Blue:

The keys

Intelligence officials will brief the Senate Intelligence committee today on the top foreign threats facing the United States.

A report from the Office of the Director of National Intelligence made public yesterday outlines that major adversaries Russia, China and Iran still pose serious cybersecurity threats.

Cyber threats from nation states and their surrogates will remain acute. Foreign states use cyber operations to steal information, influence populations, and damage industry, including physical and digital critical infrastructure, the report states.

The report calls Russia a top cyber threat, pointing to the recent SolarWinds hack as well as interference during the past three national elections as indicators of Russia's continued activity.

President Biden in a call with Russian president Vladimir Putin yesterday made clear that the United States will act firmly in defense of its national interests in response to Russia’s actions, such as cyber intrusions and election interference, according to a read out. U.S. officials have promised actions in response to Russia's aggressions in the coming works.

China meanwhile poses "a prolific and effective cyber-espionage threat" with capabilities that could “ at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States,” the report states.

Iran and North Korea also pose growing threats, intelligence officials note.

A vaccine-related hacking campaign was more expansive than researchers thought.

At least 44 organizations across the vaccine storage and distribution industry were targeted by hackers, researchers at IBM report. The potential victims, which spanned 14 countries, included companies in the transportation, health-care and IT sectors, along with government officials.

The researchers said that increased international competition over coronavirus vaccines suggests that the campaign was carried out by a nation-state, though “clear attribution remains presently unavailable.”

In December, the researchers first reported on the global hacking campaign, which they said was conducted through phishing emails.

Hundreds of utilities downloaded a malicious version of SolarWinds software.

A quarter of the 1,500 electric utilities sharing data with the North American Electric Reliability Corporation said that they downloaded the malicious version pushed by Russian hackers, CyberScoop’s Sean Lyngaas reports. The regulator said that it did not detect any major activity by the hackers after the software had been downloaded.

Hill happenings

Lawmakers reintroduced a bill to make a rotational cyber workforce program for the U.S. government.

 Reintroduced by Sen. Gary Peters (D-Mich.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, and two other senators, the bill would allow cybersecurity professionals to work at multiple agencies across the U.S. government in an attempt to compete with Silicon Valley for cybersecurity talent.

The bill unanimously passed in the Senate in 2019.


  • Acting Assistant Secretary of Energy Patricia Hoffman discusses maritime energy cybersecurity at an Atlantic Council event today at 10 a.m. 
  • U.S. intelligence chiefs testify before the Senate Intelligence Committee today at 10 a.m.
  • Microsoft president Brad Smith and Dominic LeBlanc, Canada’s minister of intergovernmental affairs, discuss combating election interference at an Alliance for Securing Democracy event today at 12:15 p.m.
  • National Security Agency cybersecurity director Rob Joyce and other officials testify at a Senate Armed Services Committee panel hearing today at 2:30 p.m.
  • U.S. intelligence chiefs testify before the House Intelligence Committee on Thursday at 9 a.m.
  • Former Director of National Intelligence John Ratcliffe speaks at a Heritage Foundation event on April 19 at 11 a.m. 
  • CISA executive assistant director for cybersecurity Eric Goldstein speaks at the Industrial Control Systems Joint Working Group’s spring virtual meeting on April 20 at 8:30 a.m.
  • Rep. Michael McCaul (R-Texas); acting National Counterintelligence and Security Center director Mike Orlando; and Carl McCants, the technical director of NCSC’s supply chain and cyber directorate, speak at an Intelligence and National Security Alliance event on microelectronics supply chains on April 20 at noon.

Secure log off