When contemplating the behind-the-scenes mania that has surely transpired in the fallout from recent headline-grabbing data hacks, it might be assumed that the targeted organizations are left to self-solve or rely on costly outsourced security stopgaps. In the case of Hafnium’s campaign to exfiltrate sensitive data from as many as 68,000 Microsoft Exchange Server accounts, vested interest has made the U.S. government into the sole solutions braintrust. For good or bad, network owners aren’t made privy to the quality or extent of this assistance, and are often unwittingly cooperating with an FBI investigation. This instance of unsolicited help from a federal agency has reignited the debate about government privileges and public-private alliances.
Hafium’s web shell embedding procedure has dumbfounded security provisioners and Microsoft’s own team. Despite introducing a plethora of patches and tool centers to put victims on the path to recovery, malicious code removal and guaranteed prevention of future incidents are out of grasp with current resources. An April decision from the U.S. District Court for the Southern District of Texas granted the Department of Justice a search warrant to dive into the mail servers. The warrant covers network entry to access web shells, replicate compromised passwords, and copy shells for evidence before termination. To date, this clandestine effort from the FBI has been effective in at least deleting the malignant coding as it continues to appear.
Prevention will be an entirely different matter, as the court’s authorization does not extend much further. The FBI can only access servers insofar as web shell identification is concerned, with no knowledge of the contents. Victims are still exposed to similar attacks because agents are not allowed to remove the actual malware. Although a warrant is in place, the FBI overrode consent in the interest of urgency and volume. The power of government mandate has certainly hastened malicious code removal, but with organizations left in the dark, this could be a uneasy precedent for intermixed public-private sector relations.
Troy Gill, Manager at security firm Zix, said, "I believe this involvement by the FBI is seen as much appreciated from the private sector when it comes to protecting against nation-state attacks. Right now it is as if the private sector is fighting these nation-state attacks with one hand tied behind our backs, especially when our adversaries are pulling no punches. We will continue to see more government involved when it comes to mitigating vulnerabilities." Standards of privacy will suffer, but it has become increasingly clear that the government is willing to go full throttle against cyber threats. Calls for transparency may go unanswered.
This new wave of government intervention is a natural continuation from more than a decade of ostensibly proactive cybercrime strategies. The FBI is able to override The Computer Fraud and Abuse Act and operates its malicious code retrieval without requiring additional access privileges due to an alteration to the Federal Rules of Criminal Procedure in 2016. The creation of the U.S. Cyber Command in 2010 signaled that deterrence by denial would be the de facto line of protection; the multi-layered approach to “defense in depth” is meant to create as many obstacles as possible for potential hackers. Ultimately, that line of thinking has given network infiltrators an opportunity to exercise their notorious adaptability and strike fear into the hearts of cybersecurity gurus. A cross-sector meeting of the minds to establish a uniform cybersecurity game plan for the U.S. is long overdue.