“This is a novel approach,” says April Doss, a former NSA lawyer who currently directs the Institute for Technology Law and Policy at Georgetown Law. “I think we’ll see it used again, but I would hope we see it used again with really careful analysis.”Ticking BombsRather than carefully select valuable targets, Hafnium scoured the internet for vulnerable Microsoft Exchange servers and infected as many as it could, amassing at least 30,000 victims in the United States alone and hundreds of thousands worldwide. It was a mess.
But it also wasn’t quite as bad as those numbers make it sound. Hafnium used its access in that initial sweep to plant web shells, which would allow it to come back later to cause real damage. It essentially left itself 30,000 keys under 30,000 doormats, and would figure out which of those targets it actually cared about later. A disproportionate number of Hafnium victims appear to have been small- to medium-sized businesses, which are more inclined to run a dedicated on-premises Exchange server for their email needs. Most large corporations run their email in the cloud. So Hafnium likely wouldn't care much about many of the entities it hit. (Opportunistic ransomware hackers , though, leapt at the opening Hafnium created.)
By all accounts, the rush to patch Exchange servers has been largely successful, thanks in part to a one-click tool Microsoft released about a month ago. But again, the victims are mostly small- and medium-sized businesses. Many of them don’t have the resources to fix a gaping cybersecurity threat; some may not even realize they have an exposed Exchange server in the first place. Meanwhile, patching protects from future infection, but it doesn’t get rid of the web shell that already snuck through. And so those web shells have lurked, patiently awaiting instructions from the hackers who put them there, ready to cause harm.“You can imagine if there were a circumstance in which some criminal syndicate planted physical bombs in properties spread across half a dozen states,” says Doss. “If the property owners couldn’t be reached, or were off-site and couldn’t get there to take any action, or didn’t have the technical ability to find or defuse the explosive materials, what would DOJ do? They would get a warrant for the FBI to go in.”
The FBI Backs Down Against Apple—Again
Which is what happened last Friday, when a judge granted the FBI a warrant to uninstall those web shells, which turned out not to be an especially difficult task. “The technical part of it is like .5 percent of the work,” says Matt Tait, a former British intelligence analyst who is now the chief operating officer at Corellium, a virtualization and security research company. A web shell has a URL and, in this case, a password associated with it. The FBI had access to both, presumably through threat intelligence and other partners. All the agency had to do was access the web shell, enter the password, and send a command to the server that essentially said “delete me.” Problem solved.