'British authorities could clean Exchange servers like the FBI did'

British authorities have the legal means to break into vulnerable Exchange servers to remove possible malware. This would allow them to mimic a similar operation to that of the FBI. However, some legal hurdles remain, so unlikely that such an action would actually be performed.

Last week the news came out that the FBI had used its resources to remove backdoors that were installed by hackers on Exchange servers. The intelligence service did this by hacking into the servers itself and removing any installed web shells. The intelligence service focused specifically on one type of web shell and did not install any other patches to resolve the vulnerabilities itself.

Mixed enthusiasm

This action was received with varying degrees of enthusiasm. In general, people were positive and saw the operation as a smart use of the legal means the FBI has at its disposal. However, there are also laws that impose severe penalties for breaking into other people’s equipment and causing damage to a communication system. So if the Exchange servers were to be hindered by the operation, this would raise difficult legal issues.

However, several people are playing with the idea of having the British security services perform a similar operation on vulnerable Exchange servers in the United Kingdom. Ciaran Martin, former chief of the British National Cyber Security Center, reacts enthusiastically to the idea of the FBI on Twitter.

Would love to know more, but at first glance this looks like a creative US Gov’t cyber intervention that is:

– technically astute;
– lawful, though some will understandably be uneasy;
– going to reduce vulnerability to specific cyber harm.

Please tell me what I’ve got wrong! https://t.co/ulsbAztVIg
— Ciaran Martin (@ciaranmartinoxf) April 14, 2021

Legally possible

Tech lawyer Neil Brown tells The Register that British security services can implement the FBI’s idea within their own borders based on a warrant. To do this, a minister must indicate that removing the malware is necessary for the well-being of the British economy. The servers must also be handled with care to ensure that the operation does not result in damage or downtime. After all, this would violate the aforementioned laws on breaking into equipment.

NCSC doesn’t use the opportunity

Therefore, it is technically possible for the NCSC itself to intervene in vulnerable servers, but the agency says it has decided not to do so. “The NCSC has gone above and beyond to support vulnerable and compromised Exchange owners with the removal of webshells, including working with partners and proactive outreach.” Furthermore, the authority advises to always keep up with the latest security updates.