A Precedent to Remember: FBI Operation Removed Web Shells from Exchange Servers (Part 1)
This post is Part 1 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.
On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. Based on the language in the DOJ’s announcement, it appears this operation has been completed and was successful.
You can view a copy of the DOJ’s announcement here, and a full copy of the unsealed (yet still somewhat redacted) court documents is available here.
At a high level, this operation allowed the FBI to:
- Connect to “hundreds” of exploited computers within the United States and access known web shells,
- Make a copy of the shells, and
- Delete them from the impacted systems.
I think this event sets some interesting precedent for the U.S. government’s response to cyber…