On April 13, 2021, a federal district court granted a motion to partially unseal an FBI application and search warrant following the successful conclusion of an FBI operation to eradicate malicious web shells placed on U.S.-based computers by Chinese state-sponsored actors. The FBI's use of credentialed remote-access techniques to access, copy, and remove malware without the knowledge of the computers' owners appears to be a novel approach for the FBI in countering state-sponsored cyberattacks.
In the FBI's application for a search warrant under Rule 41 of the Federal Rules of Criminal Procedure, the FBI cited a Microsoft report dated March 2, 2021 that identified malicious activity attributed to Hafnium, a group Microsoft associated with state-sponsored actors operating out of China. According to the application, Hafnium exploited zero-day vulnerabilities in on-premises Microsoft Exchange servers and then installed unauthorized web shells on the compromised servers. The web shells gave the actors a persistent presence on each infected system and a foothold from which to deploy additional malware. Other observed malicious activity included stealing the contents of email accounts and address books.
The Justice Department's press release about the operation identified the various efforts undertaken to mitigate the impact of the attack, including Microsoft's March 2nd report, an initial joint advisory by the FBI and CISA released in March, additional reports issued by CISA, and Microsoft's continued publication of tools and information to assist remediation efforts. Despite these efforts, hundreds of web shells remained on impacted systems; patching the Exchange vulnerabilities closes the original entry point but does not remove a web shell that was already installed. The web shells ultimately removed by the FBI's operation were thought to be particularly difficult to identify and remove from a technical perspective because each had a unique file name or file path, so generic indicators and removal tools would not match them, making it unlikely that the system owners would be able to find and remove them on their own. The FBI's operation targeted only the systems hosting these remaining web shells.
The FBI's search warrant application described its plan to access the web shells and, through them, issue commands to the underlying server software that would first copy each web shell (for retention by the FBI as evidence) and then delete it. The search warrant explicitly did not authorize the seizure of tangible property or of any electronic content or functionality other than that associated with the malicious web shells.
Because the application and search warrant were sealed, notice to the victim users or the public at large was not required until after the operation concluded. The FBI requested that the warrant be valid for two weeks beginning April 9, but the timing of the partial unsealing of the application and warrant suggests the FBI completed the operation within a few days. The FBI stated that it intended to notify victims of the searches by email to those it could identify and through postings on its own and the DOJ's websites.
As companies address the potential impact of these zero-day vulnerabilities, it is worth remembering the narrow scope of the FBI's operation: it removed only the web shells. It did not patch the underlying Exchange vulnerabilities, and it would not necessarily have affected any other malware, backdoors, or stolen credentials that the actors deployed or obtained through those web shells. Impacted companies therefore still need to apply the Exchange patches, hunt for follow-on malicious activity, and assess the nature and extent of any exposure of their data and systems.