FBI Breaks Into Systems To Remove Backdoors From Microsoft Exchange Hacking

The FBI has secretly infiltrated computers infected by the Hafnium Group with its own hacking tools in order to protect hundreds of infected computers, according to a statement released by the US Department of Justice on April 13. The agency describes the operation as a success.

The federal agency says it is now trying to email owners of servers whose “backdoors” it has removed.

The Hafnium group had placed backdoors

In January and February 2021, some criminal groups exploited “zero day” (that is, never before reported) vulnerabilities in Microsoft Exchange software to access e-mail accounts and place backdoors on the servers. It was not until March 2 that Microsoft confirmed the hacking operation had been carried out by a group of hackers affiliated with the Chinese state called Hafnium.

The four vulnerabilities the hackers discovered allowed them to break into an Exchange server and steal its contents. In the days that followed, other hacker groups also used these vulnerabilities to install ransomware. Businesses using Microsoft 365 (with cloud-hosted email) were not affected.


During the month of March, Microsoft released detection tools and fixes for these four vulnerabilities so that victims could identify and control the threat. However, despite the solutions put in place, hundreds of backdoors remained in various companies.

The FBI-led operation focused on removing the remaining backdoors, but did not address the vulnerabilities exploited by Hafnium. It also did not find or remove any other malware or hacking tools. The action was proactive and certainly intended to protect the victims despite their inaction, but carrying it out in secret, with only an “attempted contact” after the fact, can raise doubts.

“The FBI performed the removal by sending a command to the server through backdoors, designed to have the server remove only backdoors (identified by the unique path of the file),” the US Department of Justice explains in its April 13 press release.


The FBI was supported by the entire US government in this operation. It acted under a warrant from the Houston, Texas Court of First Instance authorizing it to “copy and delete” backdoors from infected servers. “Tackling cyber threats requires partnerships with colleagues in the private sector and government,” said Jennifer B. Lowery, Acting US Attorney for South Texas.

In 2016, the Supreme Court authorized US judges to issue search and seizure warrants outside their state. Critics then emerged, arguing that the FBI could ask a court inclined to help it to authorize cyber operations anywhere in the world. In the Microsoft case, it appears that the FBI has for the first time cleaned up private servers following a cyber attack before publicly communicating about its operation.
