FBI removes ‘malicious web shells’ tied to China-linked Microsoft hack


The Justice Department announced a “court-authorized operation” by the FBI to copy and remove “malicious web shells” from hundreds of U.S. computers in response to the massive cyberattacks against Microsoft’s Exchange Server, which the Big Tech company has assessed are being carried out by a sophisticated Chinese state-backed hacker group and others.

Microsoft detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” the company said in an early March announcement, adding that its Threat Intelligence Center attributed the cybercampaign with “high confidence” to a hacker group dubbed “Hafnium.” Microsoft said the hacker group was “state-sponsored” and operating out of China. The Microsoft Exchange Server handles the company’s email, calendar, scheduling, contact, and collaboration services.

The Justice Department said Tuesday that in January and February, hacking groups accessed Microsoft email accounts and placed web shells, pieces of code that allow outside actors to take remote control of a compromised server, in order to continue and expand their access, and that other hacking groups soon joined in after the vulnerability was publicized last month. Investigators said that although many owners of infected systems fixed the problem, hundreds of web shells “persisted unmitigated,” so the DOJ’s new operation “removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access” to networks in the United States.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General for the National Security Division John Demers said Tuesday. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”


Unsealed search-and-seizure warrant documents reveal submissions filed by an unidentified FBI special agent in the U.S. District Court for the Southern District of Texas. The bureau agent noted that “Microsoft assessed that HAFNIUM actors are state-sponsored and operating out of China based on observed victimology, tactics, and procedures.” The next line was redacted. “I request that the Court authorize the government to access the relevant victim computers running Microsoft Exchange Server software located in the United States for a period of fourteen days, beginning on or about April 9, 2021,” the agent further said.

The request was approved by a judge.

“This operation is an example of the FBI’s commitment to combatting cyber threats through our enduring federal and private sector partnerships,” acting Assistant Director Tonya Ugoretz of the FBI’s Cyber Division said. “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners.”

Microsoft said last month that Chinese hackers used Microsoft vulnerabilities to access email accounts and to install additional malware “to facilitate long-term access to victim environments.” Microsoft said Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs” and that it “operates primarily from leased virtual private servers in the United States.”

Chinese Foreign Ministry spokesman Wang Wenbin rejected Microsoft’s claim that China was involved in the cyberattacks.

The Justice Department said Tuesday that “throughout March 2021, Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities.” The FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory warning about the vulnerabilities last month, too, but the DOJ said, “By the end of March, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software.” The FBI's action sought to confront that continued problem, but investigators stressed that “although today’s operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks.”

“This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat, and … everyone running these servers (government, private sector, academia) needs to act now to patch them,” White House press secretary Jen Psaki said in March.

“We are undertaking a whole of government response to assess and address the impact,” and “high levels of the National Security Council are working to address the incident,” a White House official told the Washington Examiner last month.

The FBI said then that the bureau was “working closely with our interagency and private sector partners to understand the scope of the threat.”


Microsoft also provided an update on Tuesday warning about continued vulnerabilities in its Exchange Server, saying that “given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.” The tech company said, “These new vulnerabilities were reported by a security partner,” the National Security Agency, “through standard coordinated vulnerability disclosure and found internally by Microsoft.”

NSA Cyber's account tweeted that the agency “urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks.”

Anne Neuberger, the deputy national security adviser for cyber and emerging technology who was named as the point person coordinating the U.S. government’s response to the separate SolarWinds breach, said in mid-February that the response to the SolarWinds hack will “holistically” consider all of the “likely Russian” malign cyberactions when putting together a response to those intrusions.
