A press release on Monday revealed an FBI operation that removed web shells planted by the “Hafnium” group and others on Microsoft Exchange servers earlier this year. Although patches alleviated the problem for many, several servers remained compromised because the attackers had installed web shells to keep their remote access. Investigators say the web shells would have been difficult for many server administrators to detect and remove on their own.
The FBI targeted the Hafnium web shells in particular (as described in the criminal filings), identifying them on servers in the US, accessing them remotely with the passwords it had determined, and issuing a command that caused the web shells to delete themselves, disrupting the group’s access. A court order requested by the FBI authorized it to do so and allowed it to delay notifying server administrators. It received permission on April 9th to carry out the operation for up to 14 days, as well as permission to delay the notice for 30 days.
According to the Justice Department, “The operation successfully copied and removed the web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hackers may have left behind.”
The FBI now says it is sending emails to the owners of the servers and is “attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the web shells.” Although this may not be the first FBI action of its kind on servers after an attack, Wired’s Kim Zetter describes how the agency handled the Coreflood botnet in 2011 by sending a command to the infected machines to shut the malware down, likewise under a court order. The Department of Justice and Microsoft have not commented on the matter publicly.