Situation Report: FBI Closes Some Doors for Chinese State-Sponsored Hackers

This week the Department of Justice disclosed an FBI operation to “disrupt exploitation of Microsoft Exchange Server vulnerabilities” throughout a series of servers located in judicial districts within the states of Texas, Massachusetts, Illinois, Ohio, Idaho, Louisiana, Iowa, and Georgia.

Implanted within these servers were “web shells” which, according to Microsoft “allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.”

Microsoft admitted that these web shells have been in place within their system from as early as January 2021 and announced on March 2^nd that they were exploited by a group named “HAFNIUM” which they associated with “state-sponsored actors operating out of China.”

The FBI’s partially unsealed search warrant explained that this exploitation technique allowed the hackers to “communicate with and distribute files to victim computers to infect them with additional malware,” to “steal the contents of email accounts and address books,” and “to facilitate long-term access to victim environments and further exploitation.”

The warrant described the United States’ technical ability to uninstall the web shells through using FBI personnel to “access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the web shells to the servers to delete the web shells themselves.”  While the signed warrant authorized the FBI to do just that, redacted was a description of just how agents would ascertain or create these “passwords.”

Assistant Attorney General John C. Demers for the Justice Department’s National Security Division stated, “[t]oday’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

A thorough review of the warrant underscores Demers’ admission that more work remains. It explained that while this vulnerability opened the door initially to high-value intelligence targets in the United States, “the scope of the targets later expanded” where the actors may have “found a way to automate the process of exploitation.” The breach also opened the door to other hackers not affiliated with the Chinese group. “According to open-source reporting, there may be at least 60,000 Microsoft customers worldwide whose Microsoft Exchange Servers were compromised through the use of the zero-day exploits described by Microsoft,” it stated.

The Justice Department’s announcement also served as a reminder for network owners and operators to review Microsoft and U.S. Government advisories and remediation guidance. “Although today’s operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells,” it said.