The decision by the Department of Justice announced Tuesday to dismantle ‘hundreds’ of web shells installed using Exchange Server vulnerabilities, mitigating the threat to private servers in bulk, is being hailed as a landmark use of a new authority. But the move also invited concern among some in the cybersecurity community about the lack of any clear standard for when and how government may hack private systems.
A widely adopted patch had already been available for the servers, which are believed to have been breached by the Chinese espionage group Microsoft dubbed “Hafnium” and by separate criminal groups. But the patch only closed the vulnerability used to install the web shells; it did not remove web shells that had already been installed. The DoJ, with a court order, removed those shells.
“We say cyber is the only domain where we ask the private sector to defend itself. Not anymore,” said Kiersten Todt, managing director of the small business advocacy group the Cyber Readiness Institute.
While the Department of Justice has been involved in botnet takedowns in the past, they came through sinkholing servers. The web shell operation announced Tuesday night involved sending a command to servers for the shells to delete themselves. It is the first time the DoJ is believed to have used this capability at any scale.
Five years ago, providing the DoJ the authority to request warrants to do this was extremely controversial. Until the end of 2016, it was against the Rules of Criminal Procedure to issue warrants to impinge upon computers in bulk or without being able to identify where the computer actually was. As the rules evolved, civil liberties activists and several lawmakers worried that giving law enforcement the pervasive ability to hack unknown systems in bulk would invite potential mass surveillance or even liability. What would happen, several people worried, if an invasive gesture damaged a system?
The web shell operation did not turn out to be particularly invasive, and there is no damage reported so far from the shells being removed. There has not been a tremendous amount of pushback against the move.
“Although the search warrant lays out the statutes authorizing the activity, I wonder what the implications would be for any potential damages that occurred with removing the web shells,” said Rick Holland, chief information security officer at Digital Shadows, via email.
“The FBI did conduct an ‘internal FBI testing process’ and also consulted with an ‘outside expert,’” he said, quoting the Department of Justice’s announcement of the operation, “but anyone that has worked in IT knows that when you remove software, there can be unintended consequences (e.g., bricking a server).”
Holland wasn’t alone.
“I do wonder about some of the precedent and legal landscape that will inevitably wander through as a result of activities like this becoming more proactive and prevalent on behalf of the FBI,” said Tim Wade, technical director of the CTO team at Vectra. “Mistakes will be made and they will make headlines as well,” said Doug Howard, CEO of the managed detection and response firm Pondurance.
It is worth noting that everyone contacted for this story thought the web shell operation was a step in the right direction. Many still had questions about hypotheticals, even while praising the government for addressing a serious risk. The Hafnium campaign was broad, and not just by espionage standards, implanting web shells on thousands of computers.
“The Chinese recklessly compromised everyone on the planet that was running Exchange Server,” said Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike who now heads the Silverado Institute cybersecurity policy think tank.
The web shells were not protected by unique passwords, said Alperovitch; they could be co-opted by any group, not just Hafnium. Patching the vulnerabilities did not mitigate the web shells, meaning that many people who patched servers that had already been infected would have left those systems exposed to the internet indefinitely if nothing was done.
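The point that a patch closes the entry vector but leaves an already-planted shell in place is worth checking for concretely rather than assuming. The script below is an added example written for this page, not code from the article, from Microsoft, or from the DoJ operation; it assumes a generic web root with constructed file names and shows a defender comparing a server-side script directory against a known-good manifest after patching, so that leftover files stand out separately from files the vendor patch legitimately changed.

```python
"""Added example (not from the article): verify that patching was followed
by cleanup by diffing a web-facing script directory against a known-good
manifest. A patch changes legitimate files; it does not remove files an
attacker dropped before the patch, so those must be found and removed
as a separate, verified step."""
import hashlib
import os
import tempfile
from pathlib import Path

# Server-side script extensions worth flagging when they appear unexpectedly.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def audit(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a baseline manifest.

    Returns 'unexpected' (not in baseline), 'modified' (hash differs),
    'missing' (in baseline but gone) and 'suspicious' (unexpected files
    that are server-side scripts, the shape a web shell usually takes)."""
    current = build_manifest(root)
    unexpected = sorted(n for n in current if n not in manifest)
    modified = sorted(n for n in current if n in manifest and current[n] != manifest[n])
    missing = sorted(n for n in manifest if n not in current)
    suspicious = [n for n in unexpected if Path(n).suffix.lower() in SCRIPT_SUFFIXES]
    return {
        "unexpected": unexpected,
        "modified": modified,
        "missing": missing,
        "suspicious": suspicious,
    }


def demo() -> dict:
    """Constructed scenario (hypothetical paths, not real Exchange files):
    baseline a clean web root, then apply a vendor patch that rewrites a
    legitimate page while a script dropped before the patch is still present."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "login.aspx").write_text("<%-- constructed legitimate page --%>")
        (root / "app" / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        manifest = build_manifest(root)  # known-good state before patching

        # Vendor patch: legitimate change, should show as 'modified', not 'unexpected'.
        (root / "app" / "login.aspx").write_text("<%-- constructed patched page --%>")
        # Leftover from a pre-patch compromise: a script the baseline never had.
        (root / "app" / "help.aspx").write_text("<%-- constructed placeholder file --%>")

        return audit(root, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In practice the manifest should come from a known-clean build or the vendor's published file hashes, and anything in `modified` should be reconciled against the patch's own file list before being trusted; the `suspicious` list is what a post-patch cleanup must explain or remove.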
On balance, said Alperovitch, the DoJ made a decision that mitigated far more risk than what a well-tested kill command would create.
“It was a lot less invasive than what the Chinese were doing. The people that are complaining about this should be complaining about the Chinese going in and exploiting your system,” he said.
Alperovitch, a well-known hawk for governments taking proactive, offensive cyber measures, endorsed more frequent use of this tactic. He added, however, that it could never be a full solution to the problem. Even in the recent case, the federal operation only targeted a single web shell used by a single actor, where multiple actors and shells were in play.
More moderate voices, like Cyber Readiness Institute’s Todt, agreed.
“If I’m a company that had the shell in my system and I either didn’t know about it, or knew about it but didn’t know how to get rid of it, I’d be pretty happy that the government came in and fixed it for me,” she said.
The central question, said Todt, a former executive director of the Obama administration’s Presidential Commission for Enhancing National Cybersecurity and a former staffer for the House Homeland Security Committee, is why now and when next. What triggers this kind of action? If the decision was made on the fly, can those criteria be abstracted for the next incident?
If there is a process in place, she said, businesses of any size may do well to accept a federal wingman for occasional defense.
“But that’s going to require a mindset shift, and industry to see government as a trusted partner. And it is through actions and not words that we get there,” Todt said. “So the hope is that this becomes a catalyst for that trusted engagement of industry. ‘You’ve asked us to step in and help you in different experiences. So we’ve done that.’”