Not updating your critical software? The FBI might just do it for you.
The FBI has begun quietly accessing hundreds of American computers hacked through Microsoft’s Exchange email program, removing malicious code that the hackers left behind.
The operation, which the Department of Justice announced Tuesday it had authorized with a warrant, highlights the severity of the Exchange vulnerability, which allowed scores of hackers to break into organizations since the beginning of the year.
But it also raises concerns about the FBI's jurisdiction when remedying cyberattacks against Americans.
In some major stings against botnets — giant armies of hacked computers that a hacker will direct to act as a group, often as part of criminal operations — the FBI will hack victims’ computers to remove the code that makes the computers unwilling perpetrators. But the agency’s reaction to the Exchange hack is an example of a far rarer phenomenon: actively removing malicious code from Americans’ computers simply to help them.
Microsoft announced at the beginning of March that hackers working for the Chinese government had been exploiting flaws in the code of Exchange, its program that allows organizations to run their own email servers, to break into computers running that program. As Microsoft and other cybersecurity researchers began working on a fix, the vulnerability seemed to go viral among hackers, and a wide range of them began exploiting the vulnerability all over the world.
A spokesperson for the Chinese Embassy in Washington, Wang Wenbin, said at the time that "China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyber attacks is a complex technical issue."
Harvey Rishikof, the director of policy and cybersecurity research at the University of Maryland, said that the FBI action was a necessary step, given that cybersecurity has proven so difficult for many Americans.
"In order to level the playing field, we have to be much more active, defensively. And this is a first step," he said.
Many of the hackers who broke into victims’ computers through Exchange left simple scripts, called web shells, which give them the ability to remotely control those systems. While Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency launched awareness campaigns to alert potential victims and tell them how to remedy their systems, researchers have found that thousands of victims weren’t taking those steps.
In a signed affidavit for the operation, an FBI agent whose name is redacted wrote that "most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own."
"By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them," the agent wrote.
The FBI will notify victims that the agency has removed the code, but isn’t required to do so before May 9, according to the terms of the warrant.
Many of the web shells that the Exchange hackers left behind are simply copied and pasted code used against multiple victims. They require a password to enter, but since those passwords were often reused, it’s easy for an FBI agent to log in, make a copy of the web shell for evidence, and then delete it.
Alan Butler, the president of the Electronic Privacy Information Center, a think tank that advocates for digital privacy, said that while the FBI appeared to be acting justly in this case, the Justice Department should be mindful with how it grants the agency that authority.
"There are significant risks with these techniques — such as unintended destruction of data or misuse of the tools by government agents — that demand close oversight," he said in an email. "It is important that courts strictly limit such orders and that there be public oversight of these activities after the fact."