We’re From the Government, We’re Here to Help: The FBI and the Microsoft Exchange Hack

The Department of Justice issued a press release Tuesday that raised eyebrows: The FBI had obtained a warrant from a federal judge authorizing them to search and seize – to delete copies of – malicious software that had been surreptitiously installed in privately owned servers used to manage emails using Microsoft Exchange. The noteworthy part: The FBI was removing the malware first, and attempting to notify the servers’ owners after the fact. This approach is almost unprecedented.

The backstory captured in the documents was revealing. The FBI affidavit supporting the warrant application had been filed under seal on April 9, and a redacted version was posted with the press release. The affidavit laid out the case for the warrant: Malicious actors, known in the infosec community as HAFNIUM and believed to be associated with the Chinese government, had launched a widespread attack on Microsoft Exchange servers. The attack exploited a zero-day, or previously unknown, vulnerability and used it to install a webshell, which enabled the hackers to remotely access the servers. Once the webshells were installed, those backdoors could be used by the hackers to carry out a range of other malicious actions, including downloading additional malware, exfiltrating information, and prepositioning other attacks using those servers or credential information stolen from them as the launch point for follow-on attacks.

In early March, Microsoft announced the vulnerability and made patches available. However, the FBI’s analysis indicated that a number of infected servers had not been cleaned – and, importantly, the naming convention for the webshells was both predictable in its pattern and unique to each individual server, meaning that the FBI could assess which webshells were still intact. But these webshells were difficult for many server-owners – who likely include small businesses as well as local governments, nonprofits, and organizations of all kinds – to detect and remove. According to some estimates, as many as 60,000 Exchange servers may have been affected, and the FBI’s assessment was that “most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own.”

With that in mind, the FBI tested a method for removing the webshells without the server owners’ knowledge or consent. It then had that methodology validated by an external expert to ensure that there were no indications of damage to the system or any of its legitimate (non-malicious) software. With those steps completed, the FBI sought and obtained approval to proactively remove the malware from each of the servers where it could be detected – in other words, to search for the evidence of the crime, and seize the evidence (the malicious webshell software) where it could be found.

All of these facts matter to an overall understanding of what was at stake here, and why this operation was a suitable one for a criminal search and seizure warrant. In legal and policy analysis, finding the right analogy is always important. Here, the analogy (which I shared with a reporter for Wired in this piece) can be likened to a bomb threat: If the FBI knows that an organized criminal syndicate has planted bombs on private property across multiple states, and those bombs are armed and could go off at any time, the FBI is going to take swift action to find and neutralize those devices – especially if it’s difficult for property owners to detect them. In exigent circumstances like these, law enforcement would be justified in entering directly onto the private property in order to neutralize the bombs and seize the evidence.

The nature of this remote access malware is, from a cyber threat perspective, like an armed bomb: It can be activated at any time, and it can cause irreparable destruction to property. Based on the government affidavit and press release, it’s clear that DOJ believed they knew enough about the cyber actor behind this exploit to assess that there was a real and pressing risk that the webshells would be used to cause further damage. Plausible scenarios include launching ransomware, exfiltrating personally identifiable and other sensitive information, harvesting credentials, carrying out business email compromise attacks, and more. Given these risks, and the property owner’s inability to remediate them quickly, DOJ essentially took the position that the FBI needed to step in and defuse the bombs before they went off.

Of course, from a Fourth Amendment perspective, in truly exigent circumstances such as imminent danger, the government doesn’t need a search warrant to act. Here, the government obtained a warrant – but the subtext of its application was that an active cyber intrusion into a significant number of servers, hosting a commonly used email software program and all of the associated user data, presented an urgent threat to the integrity of those systems and the data residing on them, as well as to the broader ecosystem of data and accounts that were connected to those servers or accessible from the credentials contained on them. To put it another way: When a nation-state actor has achieved remote access to thousands of email servers around the country, the federal government needs to step in to help neutralize and remove the ticking software time-bombs that could imperil entire sectors of the economy.

It’s a bold and innovative use of the authorities granted to the government under the Federal Rules of Criminal Procedures, making creative use of the provisions in FRCrimP 41(6)(b)(6). Rule 41(6)(b)(6), revised in 2016, allows courts to issue warrants authorizing law enforcement “to use remote access to search electronic storage media and to seize or copy electronically stored information” as part of an investigation into cybercrimes. The reality is that a wide range of businesses and organizations use Microsoft Exchange, and not all of them will have the resources or sophistication to identify and eradicate an exploit of the kind described in the affidavit. And for every server left compromised, there’s a risk that the installed webshell could be used to propagate further and more lasting harm, both against that victim and – using their server — data or credentials as the launch point or foundation – against others.

We don’t know what decision-making process went on behind the scenes before the government applied for this warrant. But I’ve suggested below a non-exhaustive list of factors that the government should take into account when deciding whether to seek similar authorization in the future:

  • Does the exploit at hand currently impact, or have the potential to impact, hardware or software that is in common, widespread use by individuals and entities who are likely to have varying levels of resource and sophistication to detect, combat, and remediate cyber threats?
  • How widespread has the exploit become?
  • Is the exploit one that makes it an effective launching point for follow-on operations against these or other victims?
  • Is the exploit one that has been launched by a nation-state or non-state actor who may be seeking to use it for strategic advantage with national security or geopolitical implications?
  • Is the exploit one for which advisory notices, patches, or similar remediations have been announced but the exploit clearly still persists?
  • Is the exploit one which the government can identify with precision in each particular instance for which it proposes undertaking a search and seizure action?
  • Can the search and seizure be accomplished without causing harm to other hardware, software, or data on the affected system?
  • What level of testing or external review can the government take, or has it undertaken, to validate its assumptions about likelihood of unintended harm?
  • Do the overall circumstances suggest a degree of urgency which argues in favor of government action under FRCrimP 41(6)(b)(6), rather than notifying and obtaining approval from system owners individually in advance?

Each of these factors will likely have a range of possible outcomes; none of these factors are likely to be dispositive in and of themselves; and more factors will likely emerge over time as the government considers future operations that are similar to this one. And to be clear: At the moment, there is nothing in the federal rules, case law, or other precedent that requires the government to undertake this kind of internal, multi-factor review prior to filing an application for a search and seizure warrant under Rule 41(6)(b)(6). But given the power of this tool, and the inevitable and appropriate concern about potential misuse, the government would be wise to formulate such a multi-factor test, and to make its guidelines, or at least a summary of them, public.

After all, privacy and security advocates are right to point to the potential risks for the government to misuse this kind of access authorization. However, the reality on the ground is that the private sector has been clamoring for years for the government to take a more active role in protecting private networks from malicious cyber activity – and these calls for a more proactive government approach have been echoed in congressional hearings, as well as blue-ribbon commissions like the Cyberspace Solarium Commission. This operation was an example of one way that the government might do that.

With that in mind, for those who might argue that the FBI’s action creates an unacceptable risk of overreach, it would be prudent to get a reaction from the business community, and particularly from those whose servers were involved in the FBI action. Were the business owners who were notified after the fact grateful for the FBI’s action, or did they view it as overly intrusive? Are there professional or trade associations within or across industries who are willing to take a position on this, and do they support these actions or not? Opinion polls and position papers won’t affect the underlying legality of the warrant or operation, but they may serve as significant indicators of the extent to which similar operations are perceived as legitimate and appropriate cyber defense tools in the future.

So, were the government’s actions helpful? Based on the information available right now: the answer is yes. The recent SolarWinds hack serves as a stark and compelling reminder of the way in which cybersecurity incidents can have staggering breadth and scope. DOJ’s transparency on this HAFNIUM search and seizure operation is important, and future operations will be benefitted by even more transparency. Critical components of that transparency will include openness about whether the FBI or DOJ have a set of guidelines or parameters that they rely on in assessing other similar operations in the future and, if so, what those criteria are. But in an era of ever-heightening cyber risk, and against a backdrop of repeated requests and recommendations from countless corners for expanded government action to assist the private sector, this operation is an innovative and important step.

Image: A signage of Microsoft is seen on March 13, 2020 in New York City. Photo by Jeenah Moon/Getty Images

 

About the Author(s)

April Falcon Doss

Executive Director of the Georgetown Institute for Technology Law and Policy. From 2017-2018, she served as Senior Minority Counsel for the Russia Investigation in the United States Senate Select Committee on Intelligence. Follow her on Twitter (@AprilFDoss).