(CN) — The Department of Justice on Tuesday announced that it had removed invasive malware from more than 4,200 U.S. computers that were targeted by hackers funded by the People’s Republic of China.
The FBI, in conjunction with government and corporate cybersecurity officials in France, deleted “PlugX” malware from thousands of computers across the globe that were targeted by the China-based hacker groups “Mustang Panda” and “Twill Typhoon,” according to the Justice Department.
“The Department of Justice prioritizes proactively disrupting cyber threats to protect U.S. victims from harm, even as we work to arrest and prosecute the perpetrators,” said Matthew G. Olsen, assistant attorney general of the Justice Department’s National Security Division, in a press release. “I commend partners in the French government and private sector for spearheading this international operation to defend global cybersecurity.”
The PlugX malware spreads through Windows-based computers’ USB ports, infecting attached USB devices that can in turn carry the malware to other machines, investigators said. Once an infected computer is connected to the internet, the hackers can manipulate it remotely, stealing sensitive data and uploading, downloading and deleting files.
China-based state-sponsored hackers have been using PlugX since at least 2014, according to investigators in an unsealed affidavit filed in the U.S. District Court for the Eastern District of Pennsylvania. In particular, investigators note, the Chinese government paid Mustang Panda to develop the specific version of PlugX at the center of the FBI’s operation.
According to investigators, a multi-year FBI investigation found that Mustang Panda had used this variant of PlugX to infiltrate several governmental and private computer systems across the United States, Europe and Asia, as well as those of worldwide Chinese dissident groups.
While Mustang Panda successfully breached the computer systems, the hackers’ efforts would not last forever. In September 2023, French cybersecurity company Sekoia discovered the server through which Mustang Panda manipulated the infected computers. And by July 2024, French law enforcement had taken control of the infrastructure, French authorities said.
With access to the malware’s control infrastructure, French law enforcement and the FBI used the malware’s own command capability against it, instructing PlugX to delete the files it had created on infected computers, stop running and delete itself, all without affecting any of the computers’ legitimate files or functions.
In total, the court-ordered U.S. portions of the operation deleted PlugX from approximately 4,258 American-based computers and networks, according to the Justice Department.
“Leveraging our partnership with French law enforcement, the FBI acted to protect U.S. computers from further compromise by [Chinese] state-sponsored hackers,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division, in a press release. “Today’s announcement reaffirms the FBI’s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.”
Chinese Embassy spokesperson Liu Pengyu denied the Justice Department’s assertions of Chinese involvement in a written response to Courthouse News.
“Cyberspace is highly virtual, difficult to trace and has diverse actors,” Liu said. “Tracing the source of cyberattacks is a complex technical issue. We hope that relevant parties will adopt a professional and responsible attitude and base their characterization of cyber incidents on sufficient evidence rather than groundless speculation and accusations.”
“We firmly oppose the US’s unfounded smear attacks on China,” Liu added. “The U.S. should stop using cybersecurity issues to smear China and stop spreading false information about Chinese hacker threats.”
The operation to remove PlugX from U.S. computers marks the latest in a series of recent efforts by the Justice Department to combat cyberattacks perpetrated by actors the department says operate on behalf of nations at odds with the United States.
In January 2024, the department announced it had disrupted a botnet of hundreds of U.S.-based routers controlled by hacker group Volt Typhoon. The department claimed the group had used these routers to conceal attacks by the Chinese government against critical infrastructure in the U.S.
Later in September 2024, the department said it had disrupted an international 200,000-device botnet it claimed was also being operated on China’s behalf by Beijing-based company Integrity Technology Group.
And in February 2024, the department announced it had neutralized a similar botnet of U.S. routers by hacker group Fancy Bear, which the department claimed was operating on behalf of the Russian government.