Start your day with intelligence. Get The OODA Daily Pulse.

For those of us practitioners in the cybersecurity space who have tracked policy concepts, one that has been around forever is the idea that good guys from government may one day need to take action in privately owned computers. Since the late 1990’s, concepts have been considered like the idea of a self propagating piece of good code (a worm) that would gain access to infected computers and patch them or take other action to fight bad guys in privately owned computers. A few times in the past the government has taken limited action. Once a decade ago, with a court order, they hijacked a malicious botnet called Coreflood, for example, and issued a command to computers to disable the bot. Pioneering stuff, but something bigger and more historic just happened.

Background: Although concepts like these have been discussed for decades, the privacy and property rights of US persons embodied in the Bill of Rights put a quick end to most of these concepts. Those who argue against these capabilities frequently bring up the episode in US history known as the Whiskey Rebellion, which saw, for the first and last time in history, a US President leading an Army into the field to crush an insurrection. This event resulted in widespread displeasure in the new US Government and its leadership (This marked a low point in President Washington’s approval) and left a bad taste in the mouth of citizens that still angers many of those who study the history.

Put succinctly, American’s don’t want the US Army riding through our privately owned fields and we don’t want the government riding through our privately owned computers either.

More Recent History: The DoJ and FBI began taking more proactive action over a decade ago. Changes to authorities allowed for the takedown of the Coreflood botnet (under court order) and in Dec 2016 changes to authorities enabled judges to issue warrants for computer search and seizure that stretch beyond existing jurisdictions when certain criterial were met and warrants for search were used since then. There were also reports in 2017 of FBI changing some routing information in computers to take down a botnet.

But something just changed. The activity of April 2021 (detailed below) is unique.  This was not taking over a botnet and issuing a kill command or changing routing. And this was not seizing computers and searching for evidence. This was fixing computers!

I’m absolutely of mixed emotion here. I still do not want the US government operating unchecked in private computers.  But on the other hand, I don’t want the Communist Party of China operating unchecked in our computers either.

Which brings us to the news.  The Justice Department just announced a court-authorized effort to disrupt the exploitation of many computers that are running the Microsoft Exchange system that had a CCP supported vulnerability.

Here is the story, from the DoJ press release:

The Justice Department today announced a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service.

Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access e-mail accounts and place web shells (which are pieces of code or scripts that enable remote administration) for continued access. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized. Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated. Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path). This is unrelated to Microsoft’s 13 April announcement.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

“Combatting cyber threats requires partnerships with private sector and government colleagues,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas. “This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.”

“This operation is an example of the FBI’s commitment to combatting cyber threats through our enduring federal and private sector partnerships,” said Acting Assistant Director Tonya Ugoretz of the FBI’s Cyber Division. “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners. The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”

My analysis:

  • This was done under a court order.
  • It is legal
  • It was done to keep the CCP out of our systems
  • Any owner of privately owned computers that did not want this done could have fixed their computers themselves. Since they did not, they do not have any reason to complain.
  • I support this. But would recommend we all track it closely and ensure as more action like this is done in the future that it always be done in ways that protects US privacy and property rights.
Tagged: China
Bob Gourley

About the Author

Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. CTO of OODA LLC, a unique team of international experts which provide board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.