Do governments have a duty to protect you from cybercriminals — even when that protection comes at the cost of your privacy? This isn’t a hypothetical question: it’s the dilemma facing Microsoft Exchange users after recent intrusions by authorities responding to the Hafnium incident. So what happened, and was it justified?
Apr 22, 2021 · 3 min read
Microsoft Exchange Server, a popular email and calendar application, has become the victim of four critical zero-day vulnerabilities. The hackers managed to exploit these vulnerabilities before security patches were released.
These loopholes allowed the Chinese-backed hacker group Hafnium to access the email accounts of various US organizations. The hackers used the vulnerabilities to access the Microsoft Exchange and then controlled the servers remotely using web shells (interfaces that facilitate remote device access). Hackers managed to steal and access email data, implement backdoors, and inject malware.
The attack impacted vital institutions including law enforcement, hospitals, energy companies, prisons, and various government and military organizations, mainly in the US. It then grew exponentially, with breaches affecting other countries such as the UK and Germany.
The US Justice Department has admitted that, following the incident, the FBI used hacking tools to access affected devices. They did so in order to protect them remotely from Hafnium's intrusion, and the operation successfully removed the hacking group’s remaining web shells.
The controversy arises from the fact that the owners of the devices involved were unaware of the FBI's actions. Protecting networks from cyberthreats by accessing individual devices without their owners’ consent sets a worrying precedent.
According to the Justice Department, the covert operation was essential. Microsoft may have successfully patched the vulnerabilities, they argue, but the company didn't close the backdoors in the breached servers, and its initial response to the attack was slow. The FBI
While the FBI's actions may have prevented the threat of rogue agents, they have set a dangerous precedent that could allow for less justifiable violations in the future. It's not hard to imagine governments preemptively hacking apps and devices to combat potential cyberattacks, even in the absence of a specific threat
It would also be worrying to see government agencies hacking private sector entities as a preventative national security measure. Using incidents like the recent Solarwinds breach as justification, the FBI could covertly access the internal systems of any company that works with the US government. It's far too easy to slip towards a world of state-sanctioned privacy infringement.
Governments have a duty of care to their citizens, but the argument that this justifies compromising personal privacy for the greater good is worrying. Many governments already have a huge surveillance apparatus at their fingertips, so normalizing interventions like the Microsoft Exchange hack could erode individual freedoms still further. Moreover, the FBI may ask collaborative courts to implement similar measures in other countries.
With state surveillance on the rise and governments seemingly willing to bend the rules to achieve their own ends, it’s essential that private citizens know how to protect their data. One of the best privacy tools available is a VPN.
With a VPN, you can encrypt your data and ensure that no one spies on your online activity. Even your internet service provider will be unable to monitor and log your data. These services empower individuals, allowing them to protect their privacy from corporate and state intrusion.
Privacy is a right. Take back control of your data with a VPN.