The FBI currently has court-granted authority to access privately owned computers, copy malicious code from them and delete it, all without the owners' knowledge or permission.
The operation is part of a government campaign to stop attacks on enterprise networks built around Microsoft Exchange, and it is a first-of-its-kind intervention that raises legal questions about how far the government may go.
The search warrant, approved by the US District Court for the Southern District of Texas on April 9, 2021, authorized the US Department of Justice to carry out the operation.
What the FBI is removing are web shells, malicious code that attackers use to take remote control of a victim's server. The same access has been used to read large numbers of private email messages and to launch ransomware attacks.
The Justice Department's claim of authority and the FBI's execution of the operation set significant precedents. They also raise questions about the courts' role in directing cybersecurity measures on computers whose owners have not consented.
The broad spectrum of cyber threats the United States faces requires public-private collaboration. That collaboration brings its own difficulties, including deciding how far the government should go in the name of national security. Congress and the courts must keep watch over this delicate balancing act.
Hacking groups have been gaining access to email accounts through zero-day exploits in Microsoft Exchange since at least January 2021.
The attackers used that access to install web shells: small scripts planted on a web server that let an attacker run commands on the compromised machine, and from there on the surrounding network, from anywhere on the internet.
On March 2, 2021, Microsoft revealed that a hacking group it tracks as Hafnium had been using several zero-day exploits to install web shells with distinctive file names and paths.
Even with the patches and cleanup tools that Microsoft and cybersecurity companies have released to help victims, the malicious code has proven difficult for many administrators to find and remove.
The FBI's operation targets hundreds of these mail servers on private networks.
The search warrant allows the FBI to access each web shell, authenticate to it with the password the investigators had already discovered, make an evidentiary copy of the shell, and then delete it.
The FBI was not, however, permitted to remove any other malware the attackers might have installed during the breach, or to otherwise access the contents of the servers.
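The warrant's order of operations, preserve evidence first and delete second, is also the right order for an administrator cleaning their own server. The following is an added example and is not the FBI's tooling or any code from the court filings: it scans an Exchange-style web root for suspect server-side scripts, hashes and copies each hit with its timestamps into an evidence directory, writes a JSON manifest, and only then deletes the original. The detection heuristics, file names, and the sample web shell it plants in a temporary directory are all constructed for illustration; it works from the filesystem rather than by authenticating through the shell's own password as the FBI did, and, like the FBI's operation, it removes nothing but the shell, so any other persistence the attackers installed still has to be hunted separately.

```python
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Content heuristics for minimal ASPX web shells: server-side eval of
# request-supplied data, or spawning a process. These are illustrative
# patterns assumed for this example, not an exhaustive or vendor signature set.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*Request", re.IGNORECASE),
    re.compile(rb"Request\.Item\s*\[", re.IGNORECASE),
    re.compile(rb"Process\.Start\s*\(", re.IGNORECASE),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def looks_like_webshell(data: bytes) -> bool:
    """Return True if the file body matches any of the web shell heuristics."""
    return any(p.search(data) for p in SHELL_PATTERNS)


def triage(web_root, evidence_dir, remove=False):
    """Scan web_root for suspect server-side scripts.

    For every hit: hash it, copy it (preserving timestamps) into evidence_dir
    under a hash-derived name, record metadata in a JSON manifest, and only
    then, if remove=True, delete the original. Returns the finding records.
    """
    web_root = Path(web_root)
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(web_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        data = path.read_bytes()
        if not looks_like_webshell(data):
            continue
        digest = hashlib.sha256(data).hexdigest()
        st = path.stat()
        copy_path = evidence_dir / f"{digest[:16]}_{path.name}"
        shutil.copy2(path, copy_path)  # copy2 keeps mtime on the evidence copy
        record = {
            "path": str(path.relative_to(web_root)),
            "sha256": digest,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "evidence_copy": str(copy_path),
            "removed": False,
        }
        if remove:
            path.unlink()  # delete only after the copy and hash are on disk
            record["removed"] = True
        findings.append(record)
    (evidence_dir / "manifest.json").write_text(json.dumps(findings, indent=2))
    return findings


def verify_evidence(findings):
    """Confirm each evidence copy still hashes to the value recorded at capture."""
    return all(
        hashlib.sha256(Path(f["evidence_copy"]).read_bytes()).hexdigest() == f["sha256"]
        for f in findings
    )


def demo(remove=True):
    """Build a constructed web root with one benign page and one shell, then triage it."""
    base = Path(tempfile.mkdtemp(prefix="owa-triage-"))
    owa = base / "wwwroot" / "owa" / "auth"
    owa.mkdir(parents=True)
    # Constructed benign page: no request-driven eval, so it must not be flagged.
    (owa / "logon.aspx").write_bytes(
        b'<%@ Page Language="C#" %><html><body>Sign in</body></html>'
    )
    # Constructed sample of a minimal ASPX one-liner shell dropped beside it.
    (owa / "help.aspx").write_bytes(
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>'
    )
    findings = triage(base / "wwwroot", base / "evidence", remove=remove)
    return base, findings


if __name__ == "__main__":
    _, results = demo()
    print(json.dumps(results, indent=2))
```

Run it with `remove=False` first to review the manifest, then with `remove=True`; the `verify_evidence` check is what you would rerun later to show the copies were not altered after capture. Patch the server before cleanup, or the shell simply comes back.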
What makes this case exceptional is both the nature of the FBI's action, deleting the web shells itself, and the unprecedented intrusion into privately held servers without the owners' permission.
Because of the large number of unpatched systems on US networks and the urgency of the threat, the FBI conducted the operation without first notifying the owners.
The action demonstrates the Justice Department’s commitment to using “all of our legal tools,” Assistant Attorney General John Demers said in a statement.
The exact number of affected organizations is unknown because the figure is redacted in the court papers, but it may be as many as 68,000 Exchange servers, potentially affecting millions of email users.
New malware attacks on Microsoft Exchange servers continue to emerge, and the FBI is taking court-ordered steps to delete the malicious code.
With the stand-up of US Cyber Command, which reached full operational capability in 2010, the Obama administration began a shift toward a more assertive US cybersecurity posture.
At the time, the emphasis was on deterrence by denial, meaning making systems harder to hack.
This involves layered defense, also known as defense in depth, which makes breaking into a network more complicated, costly and time-consuming.
A newer approach, referred to as "defend forward," is to go after the hackers themselves.
Since 2018, the US government has adopted a more forward-leaning posture, as shown by actions taken against Russian groups during the 2018 and 2020 election cycles, when US Cyber Command personnel detected and disrupted Russian online disinformation operations.
The Biden administration continued this pattern by imposing new sanctions on Russia in response to the SolarWinds espionage campaign.
That campaign, which the US government attributes to hackers linked to Russian intelligence, compromised commercial software to gain access to US government agencies.
This latest FBI action also stretches the boundaries of active defense, this time to clean up the effects of domestic breaches without the targeted organizations' knowledge, or permission.
The Computer Fraud and Abuse Act makes it unlawful to access a computer without authorization. The law, however, exempts lawfully authorized law enforcement activity.
A 2016 amendment to Rule 41 of the Federal Rules of Criminal Procedure gives the FBI a route to do so: a single warrant can now authorize remote access to computers, including to delete malicious code from them, without the owners' consent.
The revision was made in part to make it easier for the US government to combat botnets and to support other cybercrime investigations in which the location of the targeted computers has been concealed by technological means.
It allows one court to authorize access to devices that sit outside that court's district, where a conventional search warrant would not reach.
This action shows both the history and the force of courts acting as de facto cybersecurity authorities, enabling the Department of Justice to clean up large-scale deployments of malicious code like the Exchange web shells.
The FBI's new activity leaves important legal questions unanswered. The first is liability.
What happens if the FBI's method of deleting the malicious code damages privately owned computers?
Another is how to strike a balance between private property rights and national security needs in situations like this.
What is clear is that under this authority the FBI can enter privately owned computers without their owners' consent, so long as a court issues a Rule 41 warrant.