The FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools.
The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left behind a number of web shell backdoors that could let any other attacker back into those systems. Now the FBI has turned this against the intruders: it is using those same web shells to issue commands that delete the web shells themselves. The US Justice Department explained:
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The wild part here is that the owners of these Microsoft Exchange Servers likely aren’t yet aware of the FBI’s involvement; the Justice Department says it is merely “attempting to provide notice” to owners that the FBI has worked on their systems. The agency says it is doing all this with the full approval of a Texas court.
The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it removed only the remaining web shells of one early hacking group, which could otherwise have been used to maintain and escalate persistent, unauthorized access to U.S. networks.