FBI launches operation to remove malware from computers in US

A court in Texas has authorized the FBI to fix malware in hundreds of hacked servers in the U.S. running certain versions of Microsoft Exchange Server software.

The Department of Justice (DOJ) announced the operation Tuesday, saying the FBI would “copy and remove” so-called web shells, or “pieces of code or scripts that enable remote administration,” as part of the effort.

The DOJ’s move came after it was revealed in March that a hacking group supported by the Chinese government had exploited security flaws in the Microsoft email application. Other hacking groups sought to infiltrate the program after the vulnerability and fix were made public.

U.S Magistrate Judge Peter Bray, a federal judge in the Southern District of Texas, authorized a warrant for the FBI to target the web shells, according to court documents dated April 9 and released by the Justice Department on Tuesday.

The DOJ said the FBI was stepping in after some — but not all — infected system owners were able to remove the web shells.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General John Demers for the Justice Department’s National Security Division said in a statement. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

The DOJ said the FBI would attempt to “provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.” The FBI planned to email individual entities or internet service providers to provide notice of the actions, officials said.

The move is the latest effort by the government to close a loophole that the Chinese hacking group Hafnium had exploited, which was revealed in March.

Microsoft said Hafnium waged “limited and targeted attacks” by working through leased virtual private servers. The software was accessed through stolen passwords or other vulnerabilities, and malware was installed in an attempt to gain data.

That hack came months after the breach of SolarWinds Corp. That intrusion, suspected to be authorized by the Kremlin, gave hackers access to data from several government agencies using computers that incorporated the company’s software. 

The DOJ clarified that while the FBI had taken down the web shells, “it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

Separately, federal agencies on Tuesday urged outside organizations using the Microsoft email application to immediately patch their systems in order to prevent hackers from exploiting the newly discovered vulnerabilities.