The FBI hacked hundreds of computers in the United States running compromised versions of Microsoft Exchange software and removed malicious web shells in response to a Chinese state-sponsored hack disclosed at the end of February.
Late Tuesday night, the U.S. Justice Department announced the court-authorized operation to shore up vulnerable computers across the country. It’s part of an ongoing public-private effort to mitigate a major security flaw that allowed hackers to access email accounts of at least 30,000 U.S. organizations and 250,000 globally. Microsoft blamed Hafnium, a Chinese state-sponsored hacking group, for the attack.
Although Microsoft issued patches, and the U.S. government urged “ALL organizations across ALL sectors” to update their Microsoft Exchange Server email software and address the vulnerabilities, hundreds of companies didn’t heed the warnings or were too late. Even after Microsoft fixed the bugs, more than 10 advanced persistent threat groups besides Hafnium exploited the flaws for espionage, coin mining, and to deploy ransomware.
In its April 13 announcement, the Justice Department said the FBI removed the remaining web shells of one early hacking group, which that group could have used to maintain persistent access to U.S. networks.
“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” said Acting Assistant Director Tonya Ugoretz of the FBI’s Cyber Division in a statement. “The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”
While most cybersecurity practitioners applauded the Justice Department’s move to mitigate the Microsoft Exchange vulnerabilities, some said the FBI accessing private companies’ computers without their knowledge raises privacy concerns.
“It’s noteworthy that this action was performed on behalf of the Justice Department and the FBI,” Kyle Hanslovan, CEO and co-founder of Huntress, said in an email to SDxCentral.
“I think it’s very important to keep U.S. intelligence agencies like NSA focused on their foreign targets and away from infringing on civil liberties,” he continued. “The use of courts to authorize the FBI’s disruption effort is a solid initial framework to ensure these actions stay focused on increasing security and are restricted from indirect intelligence targeting. Now that this effort has come to light, it’s time to optimize the way government and private industry partnerships work, establish rules of engagement for when the inevitable failed remediation occurs, and emphasize the need for public transparency after a response action has occurred.”
NSA Uncovers More Microsoft Exchange Bugs

The U.S. National Security Agency, also on Tuesday, alerted Microsoft to more critical vulnerabilities that hackers could use to remotely compromise Exchange email systems.
“Cybersecurity is national security. Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors,” NSA Director of Cybersecurity Rob Joyce said in a statement. “Don’t give them the opportunity to exploit this vulnerability on your system.”
Microsoft promptly released security updates for the new vulnerabilities in the 2013, 2016, and 2019 versions of Exchange Server, and said it’s not aware of any active exploits. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats,” the Microsoft Security Response Team wrote in a blog post.