Federal Law Enforcement
No Server Left Behind: The Justice Department’s Novel Law Enforcement Operation to Protect Victims
The U.S. Department of Justice announced on April 13 that it undertook a law enforcement operation in the preceding days to remove malware from hundreds of victim systems in the United States. A state-sponsored group referred to as HAFNIUM (as attributed by Microsoft and reporters, but not yet the U.S. government) compromised the systems in question using recently discovered zero-day vulnerabilities in Microsoft Exchange Server—an on-premises software used by tens of thousands of entities to provide corporate email services. Using a search and seizure warrant, the FBI accessed the malware left by hackers on servers located in the United States and issued a command to copy and subsequently delete the malware from those servers. The Justice Department operation contributed to disrupting what security experts (including on Lawfare) have referred to as a reckless and indiscriminate hacking campaign against tens of thousands of victims.
The Strategic Context for the Operation
The operation signals that the Justice Department is willing to take novel and increasingly robust action as part of the department’s long-standing strategy to protect American businesses and individuals from foreign cyber operations—particularly those executed by well-funded, state-sponsored actors. Whereas the FBI could have simply notified each of the hundreds of victims that their systems were compromised (a process that would have taken time and still left victims at risk of continued compromise), the Justice Department instead took proactive action to disable malware that was being used to infiltrate networks across the United States. Although the department has undertaken botnet disruptions in the past, this operation goes beyond those in its scope and strategic approach.
As FBI Director Christopher Wray noted recently at a World Economic Forum event, “tackling the cyber threat one case at a time isn’t going to cut it.” Wray’s comments reflect the Justice Department’s view that the role of federal law enforcement in defending the nation from cyber threats extends beyond just pursuing criminal investigations long after the damage has been done. Instead, law enforcement can play a role in remediating the impact of widespread hacking campaigns, and in vindicating a recognition that information-sharing efforts and victim notifications will inevitably leave some entities exposed. In this case, although a patch was released by Microsoft at the beginning of March and the number of infected systems dropped in subsequent weeks thanks to sustained government and private-sector education campaigns, the perpetrators left behind web shells that were difficult for some organizations to find and eliminate. These web shells are a type of malware used to maintain long-term access to a victim environment, even after the web server vulnerabilities are patched.
The law enforcement operation comes at a time of urgent discussion within the U.S. government, private sector, and academia regarding how the U.S. government can respond meaningfully to state-sponsored cyber intrusions like HAFNIUM and the SolarWinds compromise. On April 15, the administration issued new sanctions against Russia and expelled Russian diplomats, among other things, in response to the SolarWinds intrusion and election interference. More actions are likely on the way. Although the public has yet to see—and may never learn—the full scope of the U.S. government’s response to either intrusion, this law enforcement operation is likely to be one of the most tangible ways in which the U.S. government exercises its unique authorities to disrupt hacking activity and directly protect victims. Other actions such as public attribution, sanctions, criminal charges and diplomatic demarches are important, too, but those actions are focused more on deterrence than on remediation and recovery.
The Legal Context for the Operation
This operation was conducted pursuant to a search and seizure warrant under Rule 41 of the Federal Rules of Criminal Procedure, a set of rules adopted by the judicial branch to govern criminal proceedings in federal courts. Among other things, Rule 41 permits a federal law enforcement officer to petition a judge to issue a warrant “to use remote access to search electronic storage media and to seize or copy electronically stored information” in cases where the government is investigating damage to protected computers.
In this case, the warrant authorized the FBI to access several hundred identified web shells on compromised Microsoft Exchange Servers believed to be located in the United States, and to copy and subsequently delete the web shells from those servers. Notably, law enforcement did not access or copy the contents of any of the target systems but merely “issu[ed] a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).” The warrant states that it “does not authorize the seizure of any tangible property” and “does not authorize the seizure or copying of any content from  electronic storage media ... or the alteration of the functionality of  electronic storage media.” In short, the operation was targeted to avoid any access or impact to the affected servers beyond the malware file itself.
Although warrants are sometimes thought of in the digital context as being used only to obtain copies of electronic evidence, the government’s search and seizure authority has never been limited in that manner. Here, law enforcement exercised the authority under Rule 41 to “seize” the malware by deleting it from victim servers. Law enforcement’s authority to seize evidence or instrumentalities of a crime comes into play in the noncyber realm when seizing narcotics from a drug bust or seizing the contents of a safety deposit box at a bank.
Over the years, the Justice Department has relied on a number of novel criminal and civil authorities to disrupt criminal botnets including Coreflood (2011), Gameover Zeus (2014), Kelihos (2017), VPNFilter (2018), Joanap (2019) and Emotet (2021). Some of those cases relied on the same seizure authority in Rule 41, which was amended in 2016 to make it easier to conduct these kinds of coordinated takedowns. Among other things, the 2016 amendments to Rule 41—which were proposed by the department and approved by the judicial branch—allow one judge to review an application for a warrant in certain computer-crime cases where the warrant affects computers in multiple (or unknown) districts. Previously, the Justice Department would have needed to get a separate warrant in each district where a computer is located.
The Novelty of the Operation and the Important Questions It Raises
Although clearly rooted in legal authority, the operation goes beyond what the Justice Department had done before. In prior disruptions, law enforcement generally accessed and manipulated command-and-control infrastructure or malware distribution servers that were being used by criminals to control victim computers, or used other technical means to disrupt communications between command-and-control infrastructure and victim computers. This appears to be the first time Justice has used criminal law authorities to access the systems of downstream victims on a wide scale to remove or disable malware.
The closest analog to this operation is the 2011 Coreflood disruption, which involved the Justice Department seizing command-and-control servers and replacing them with law enforcement systems that would respond to infected botnet computers with a command to temporarily stop the malware from running on the infected computer. But in that case, the law enforcement servers only responded to a data request from infected computers rather than accessing those computers, and victims were also given information on how to “opt out” from the law enforcement action “if for some reason they want to keep Coreflood running on their computers.” The recent Emotet disruption is also analogous, but in that case, the steps that involved the command-and-control infrastructure communicating with downstream victim computers were taken by foreign law enforcement rather than the U.S. government.
The operation implicates important questions about the circumstances under which law enforcement should execute search and seizure warrants against victim premises and property. Observers would be rightly concerned if a law enforcement operation involved the FBI indiscriminately going onto victims’ computers and seeing what is there. And there’d be similar concern if such operations caused collateral consequences on the systems or resulted in law enforcement obtaining nonpublic information from them. Law enforcement typically would not barge into the home of a victim of a crime with a search warrant, when they could simply knock on the door. Indeed, Justice Department regulations provide that “[a] search warrant should not be used to obtain documentary materials believed to be in the private possession of a disinterested third party” when “a subpoena, summons, request, or other less intrusive alternative means” exists to obtain the materials, and those alternative means would not compromise the investigation. But those regulations also recognize that the immediacy of the government’s need—including “whether the immediate seizure of the materials is necessary to prevent injury to persons or property”—is an appropriate consideration for whether to use a warrant.
It is important to have a robust discussion about where to draw the line with respect to the circumstances and manner in which law enforcement may access victim systems, but this operation falls on the right side of the line. The Justice Department acted in response to a reckless, “pillage everything” hacking campaign by state-sponsored actors that implicated national interests (rather than purely individual ones). Many of the remaining victims were believed to be medium and small businesses that were outmatched by the adversary, and the FBI likely did not have a reliable means to contact each victim in an expeditious manner. The operation involved targeted action that accessed and deleted only the malicious web shells deployed by the hackers and did not search, seize, or otherwise impact any other files or services on the victim systems. (Unfortunately, for this reason the operation also didn’t patch systems to remove the original vulnerability exploited by the hackers, so impacted entities remain at risk of reexploitation.) And, although the Justice Department did not obtain victims’ consent, it acted pursuant to court authorization, ensuring that a neutral arbiter reviewed the operation and its impact on victims. Last, the department sought to quickly unseal information about the operation and to take steps to notify affected parties.
In short, the effort deserves praise. And if the U.S. government is serious about taking more aggressive steps to proactively protect U.S. businesses and individuals from significant foreign cyber threats, it should continue to execute operations like this one to protect victims across the United States.