
With at least thirty thousand Microsoft Exchange servers known to have been successfully infiltrated and compromised by a new advanced persistent threat group, dubbed “Hafnium”, the Federal Bureau of Intelligence took direct steps to address the threat: it pursued and was granted a court order allowing it to go in and remove malware from servers known to have been compromised. Previously the FBI took a more passive approach to cyber threats, posting a public bulletin that explained a threat and offered to assist any victims of it.
However, the SolarWinds attack appears to have sparked a change in how the FBI will respond to threats it perceives to be particularly dangerous. A judge granted the FBI’s request to go after each compromised Exchange server and remove the PowerShell script installed by Hafnium. This court order did not allow the FBI to set up backdoors, monitor the server, or otherwise interact with its contents. By removing the PowerShell script, the FBI was able to prevent the Exchange server from being further compromised through it; however, this may only be a temporary solution, as the vulnerabilities that allowed the Exchange server to be compromised in the first place may still be present.
This is not the first time the FBI has requested a court order to execute a cyber action of its own; however, this one differs in scope. Traditionally, the FBI uses court orders to go after botnets or critical cyber infrastructure that supports illegal activity, rather than to excise malware from law-abiding servers.