With court order, FBI removes hundreds of Exchange Server web shells from US organizations

It's one of the most aggressive actions taken yet by U.S. government or corporate officials to combat the Exchange Server vulnerabilities.

The FBI has used a court order to remove malicious code from hundreds of U.S. computers running the Microsoft Exchange Server email program, Justice Department officials announced Tuesday.

The court-ordered removal of the web shells, or scripts used by hackers for persistent access, is one of the most aggressive actions taken yet by U.S. government officials or corporate executives to combat the Exchange Server vulnerabilities since Microsoft announced on March 2 that suspected Chinese spies were exploiting them. The alleged Chinese hackers used the flaws to steal emails from targeted organizations, according to private-sector analysts, but an array of scammers have since exploited the bugs for their own purposes.

In the days after Microsoft revealed the vulnerabilities, incident responders estimated that tens of thousands of U.S. organizations running Exchange Server could be exposed to potential hacking. Many of those organizations have removed the web shells, but Justice Department officials said they asked for the court order because other organizations “appeared unable” to clean up their systems.

The U.S. District Court for the Southern District of Texas gave the FBI permission to issue a command through the web shells to a server that deleted the web shells, the Justice Department said in a press release. It was unclear from which U.S. organizations the web shells were removed. The FBI said it was attempting to notify all organizations affected.

“Initially the targets [of the Exchange Server hacking] were high-value intelligence targets in the United States,” the FBI said in an affidavit supporting its application for a search warrant. “The scope of targets later expanded.”

The work to remediate the compromises nevertheless continues. A senior Department of Homeland Security official has said that thousands of computer servers with updated Exchange Server software had already been breached.

In a separate development, the National Security Agency said Tuesday that it had alerted Microsoft to a new set of vulnerabilities in Exchange Server that hackers could exploit to remotely access email inboxes. Microsoft said it was not aware of any customers that had been hacked using the new vulnerabilities.

You can read the court documents online.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.