
DoJ building the guardrails for Microsoft Exchange-type malware takedowns

Assistant Attorney General for National Security John C. Demers speaks during a virtual news conference at the Department of Justice on October 28, 2020 in Washington, DC. (Photo by Sarah Silbiger/Getty Images)

At a meeting with reporters hosted by George Washington University, Assistant Attorney General for National Security John Demers said that the Department of Justice is now drawing up guidelines for when it will carry out court-authorized malware takedowns, and that such action would not be "a tool of first resort."

Demers' comments refer to the department's recent decision to forcibly remove web shells from "hundreds" of compromised, on-premises Microsoft Exchange servers. While widely endorsed as an appropriate move, the action prompted questions in the security community about when, and how often, the DoJ would step in.

"Now that we've had this experience, that's the kind of discussion that we're having now internally," he said, stressing that it would not be "a tool of first resort that we're going to be using many times a week, as different intrusions come up."

The DoJ announced on April 13 that it had obtained a court order authorizing the FBI to issue a command, through one variety of web shell that the Hafnium group had installed on privately owned, on-premises Exchange servers, that caused the web shell to delete itself. While the FBI and DoJ made an effort to notify owners afterward that the malware had been removed, the removal was carried out without the server owners' prior consent. The operation removed only that web shell: it did not patch the underlying Exchange vulnerabilities, nor did it look for or remove any other malware the intruders may have left behind, so affected owners still had to apply Microsoft's updates and investigate their servers themselves.

Demers called the decision critical: both foreign espionage and criminal groups were exploiting web shells that remained in place despite months of warnings from the government and Microsoft. He described the amount of work that went into making such a move as safe as possible.

"This does require working with the private sector in the right solution; it does require testing, to be sure that you're not going to otherwise disrupt someone's computer system," he said. Referring to the three-month lag between the Exchange vulnerabilities being announced and the DoJ action, Demers said: "It takes a while to decide to do these, and it takes a while on the technical side to make sure that you're doing it right; that you're doing it very carefully and judiciously."

The DoJ action was one of the first of its kind and scale, relying on the remote-search authority added to Rule 41 of the Federal Rules of Criminal Procedure in 2016, which allows a single warrant to authorize remote access to computers located in five or more judicial districts in a computer-intrusion investigation. While it received praise from security experts, there were several questions about how the authority would be used going forward, and under what standards and criteria, both at home and abroad.

A similar action taken by Europol to remove Emotet botnet malware from infected systems worldwide followed a completely different playbook. The Europol move was pre-announced, while the DoJ's was not. Europol's move involved bespoke coding, while the DoJ's did not. And Europol did not notify any of the owners of the systems affected.

Demers said the department would evaluate the Exchange operation to try to generalize future standards, beyond a requirement to get a warrant.

"I see us going forward sort of developing more formally a framework for when we would use these operations and what thresholds would have to be met," he said. "What's happening now is an after action to what we did."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
