FBI begins removing backdoors from hacked Microsoft Exchange servers – TechCrunch

A court in Houston has authorized an FBI operation to “copy and remove” the backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, describing it as “successful.”

In March, Microsoft disclosed a new China-based, state-sponsored hacking group, Hafnium, that was targeting Exchange servers used by corporate networks. The four vulnerabilities, chained together, let the hackers break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities, but the patches did not close the backdoors already planted on servers that had been compromised. Within days, other hacking groups began hitting vulnerable servers with the same bugs to deploy ransomware.

The number of infected servers fell as the patches were applied. But hundreds of Exchange servers remained compromised because the backdoors, web shells dropped on the servers, are difficult to find and eliminate, the Justice Department said in a statement.

“This operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
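The statement above hinges on two practical points: the web shells were hard for owners to find, and each one could be removed precisely because it was identified by its unique file path. The following is an added example, not code from the article, the FBI or Microsoft, showing how an administrator might triage an Exchange web root for shell-like ASP.NET pages and report each finding by its full path. The web root layout, the indicator patterns and the sample files are constructed for illustration; a real investigation would rely on vendor-published indicators and known-good file hashes rather than this heuristic alone.

```python
"""Heuristic scan for web shells dropped under an IIS/Exchange web root.

Added example, not part of the TechCrunch article or any FBI/Microsoft tool.
The indicator patterns and directory layout are hypothetical and illustrative.
"""
import os
import re
import tempfile
from typing import Dict, List

# Server-side ASP.NET constructs that, in an unexpected .aspx file, suggest a
# web shell: reading attacker-supplied request parameters, evaluating code,
# spawning processes, or loading assemblies from memory.
SHELL_PATTERNS = [
    re.compile(r'Request\s*\[\s*"[^"]+"\s*\]', re.I),   # reads request parameter
    re.compile(r'Request\.Form\s*\[', re.I),
    re.compile(r'Request\.Item\s*\[', re.I),
    re.compile(r'JScript\.Eval|\beval\s*\(', re.I),     # code evaluation
    re.compile(r'System\.Diagnostics\.Process', re.I),  # command execution
    re.compile(r'Assembly\.Load', re.I),                # in-memory loader
]


def score_file(text: str) -> List[str]:
    """Return the indicator patterns matched by one file's contents."""
    return [p.pattern for p in SHELL_PATTERNS if p.search(text)]


def scan_web_root(root: str,
                  extensions=(".aspx", ".asmx", ".ashx")) -> Dict[str, List[str]]:
    """Walk root and return {full_path: [indicators]} for suspicious script files.

    Each finding is keyed by its unique file path, which is also the only
    identifier you would use when deleting exactly that file and nothing else.
    """
    findings: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = score_file(text)
            if hits:
                findings[path] = hits
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree: one benign page, one shell-like page."""
    root = tempfile.mkdtemp(prefix="owa_sample_")
    auth = os.path.join(root, "owa", "auth")
    os.makedirs(auth)
    # Benign page: no server-side code that touches the request.
    with open(os.path.join(auth, "logon.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    # Constructed shell-like page: runs a command taken from a request parameter.
    with open(os.path.join(auth, "help.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n'
                 '<script runat="server">void Page_Load(){'
                 'System.Diagnostics.Process.Start("cmd.exe", Request["c"]);}'
                 '</script>\n')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, hits in scan_web_root(sample_root).items():
        print(path)
        for hit in hits:
            print("   matched:", hit)
```

Run it against the real web root of a patched server (typically under the Exchange installation's FrontEnd and ClientAccess directories) rather than the constructed sample; anything flagged should be compared against a known-good installation before it is removed, since legitimate Exchange pages also contain server-side code.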

The FBI said it was attempting to notify, by email, the owners of the servers from which the backdoors had been removed.

Assistant Attorney General John C. Demers said the operation “demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”

The Justice Department also said the operation only removed the backdoors; it did not patch the vulnerabilities the hackers exploited in the first place, nor did it remove any other malware left behind.

This is believed to be the first known case of the FBI effectively cleaning up private networks after a cyberattack. In 2016, the Supreme Court approved a rule change allowing U.S. judges to issue search and seizure warrants outside their own district. Critics at the time opposed the move, fearing the FBI could ask a friendly court to authorize hacking operations around the world.

Other countries, including France, have previously used similar powers to take over a botnet and shut it down remotely.

Neither the FBI nor the Department of Justice commented at press time.
