In what's believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers' own tools (via TechCrunch).
The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a whole-of-government response from the White House, reportedly left a number of backdoors that could let any number of hackers right back into those systems. Now the FBI has taken advantage of this: it issued commands through those same web shells (the backdoors) that made them delete themselves, an operation the agency is calling a success.
The FBI conducted the removal "by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)," explains the US Justice Department.
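The FBI's removal worked from the outside, through the shell itself. A server owner checking their own Exchange box wants the local equivalent: confirm whether a shell-shaped page is still present, and if so remove exactly that file, by its path, after verifying it is the file you think it is. The script below is an added example, not the FBI's tooling or anything published by Microsoft or the Justice Department. The detection heuristic (an `.aspx` page that takes a request parameter and feeds it to an evaluator), the `aspnet_client/x.aspx` location, and the sample page contents are assumptions constructed for the demo; it builds a throwaway web root in a temp directory so it runs offline.

```python
"""Added example: find candidate ASP.NET web shells under a web root and
remove one by its exact path, refusing to delete anything whose content does
not match the expected hash. Heuristics and sample files are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristic: a page that reads a request parameter AND hands input to an
# evaluator is the shape of a one-line command web shell. Both must match.
SHELL_PATTERNS = [
    re.compile(r"Request\.(Item|Form|QueryString)\[", re.IGNORECASE),
    re.compile(r"\b(eval|Execute|JScript\.Eval|Process\.Start)\b", re.IGNORECASE),
]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_suspicious_aspx(web_root):
    """Return .aspx files (as paths relative to web_root, POSIX style) that
    match every pattern. Symlinks are skipped so a planted link cannot redirect
    a later deletion outside the web root."""
    root = Path(web_root)
    hits = []
    for p in root.rglob("*.aspx"):
        if p.is_symlink() or not p.is_file():
            continue
        text = p.read_text(errors="ignore")
        if all(pat.search(text) for pat in SHELL_PATTERNS):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def remove_shell(path, expected_sha256):
    """Delete exactly one file, and only if it is a regular file whose content
    hash matches what was identified. Returns True if deleted; False if the
    path is absent, is a symlink, or its content has changed since triage."""
    p = Path(path)
    if p.is_symlink() or not p.is_file():
        return False
    if sha256_of(p) != expected_sha256:
        return False
    p.unlink()
    return True


def demo():
    """Build a constructed web root with one benign page and one shell-shaped
    page, scan it, remove the shell by path, and report what happened."""
    root = Path(tempfile.mkdtemp())
    benign = root / "default.aspx"
    benign.write_text('<%@ Page Language="C#" %><html><body>Hello</body></html>')
    shell = root / "aspnet_client" / "x.aspx"  # assumed location, constructed sample
    shell.parent.mkdir(parents=True)
    shell.write_text('<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>')

    found = find_suspicious_aspx(root)
    digest = sha256_of(shell)          # record the hash at triage time
    removed = remove_shell(shell, digest)
    removed_again = remove_shell(shell, digest)  # second call must be a no-op
    return {
        "found": found,
        "removed": removed,
        "removed_again": removed_again,
        "benign_intact": benign.exists(),
        "remaining": find_suspicious_aspx(root),
    }


if __name__ == "__main__":
    print(demo())
```

The hash check is the part worth keeping: a removal keyed only on a path will happily delete whatever now sits there, so record the hash when you identify the file and delete only if it still matches.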
The wild part here is that owners of these Microsoft Exchange Servers likely aren't yet aware of the FBI's involvement; the Justice Department says it is merely "attempting to provide notice" to owners that it attempted to assist. It's doing all this with the approval of a Texas court, according to the agency.
It'll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I'm personally undecided, it's easy to argue that the FBI is doing the world a service by removing a threat like this: while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.
The FBI says that thousands of systems were patched before it began its remote Hafnium backdoor removal operation, and that it only removed "one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks."
"Today's court-authorized removal of the malicious web shells demonstrates the Department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," reads a statement from Assistant Attorney General John C. Demers of the Justice Department's National Security Division.