In an effort to mitigate the threat of the Hafnium hack, the FBI has been cleared to use the hackers’ own tools to remotely delete infections on people’s computers.
Last month, security researchers began sounding the alarm about a hack being carried out by a Chinese espionage group known as “Hafnium.” The hack involved the exploitation of multiple zero-day vulnerabilities, and it affected tens of thousands of Microsoft Exchange Servers around the world.
While Microsoft eventually released detection tools and patches, the threat has lingered because many servers remain compromised. Now, the Justice Department has disclosed that a Texas court authorized the FBI to use the remaining backdoors left by the attackers to remotely delete Hafnium web shells.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.
The Department said the operation was successful, but noted that removing the web shells does not patch the underlying vulnerabilities, so further action by server owners is still required.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the U.S. Justice Department stated.
Under the operation, experts “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
The Justice Department said it “strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.”