The FBI confirms it deleted files from 4,258 US-based computers

16 Jan 25

Update, January 16, 2025: This story, originally published on January 15, now includes analysis from a threat operations expert about the FBI’s PlugX remote malware deletion activity.

The threat of cyberattack is never far away, be it from Amazon ransomware actors with an impossible-to-recover threat, or Windows zero-day exploits and even hacking the iPhone’s USB-C port. Fortunately, the Federal Bureau of Investigation is also never far away when it comes to warnings about such attacks and hacker threats. But eyebrows are sure to be raised after the FBI and Department of Justice have confirmed that thousands of US computers and networks were accessed to remove malware files remotely. Here’s what you need to know.

FBI court-authorized operation remotely wipes PlugX malware from 4,258 US computers

The US Department of Justice and the FBI have confirmed that a court-authorized operation allowed the remote removal of malware files from 4,258 US-based computers. The operation targeted the PlugX variant of the malware as used by what are said to be China-backed threat actors and, the January 14 statement said, was designed to take down a version of PlugX used by the group known as Mustang Panda or Twill Typhoon, a version capable of controlling infected computers to steal information.

According to court documents, the DOJ said, the government of the People’s Republic of China “paid the Mustang Panda group to develop this specific version of PlugX,” which has been in use since 2014 and has infiltrated thousands of computer systems in campaigns targeting American victims.

“The FBI acted to protect American computers from further compromise by PRC-sponsored hackers,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division, adding that the announcement “reaffirms the FBI’s commitment to protecting the American people by using its full range of legal authorities and technical expertise to counter the cyber threats of nation states.”

Thousands of US computers and networks, estimated at 4,258 by the DOJ, were identified by the FBI in the technical operation to detect and wipe out the malware threat remotely. The first of nine warrants was obtained in August 2024 in the Eastern District of Pennsylvania authorizing the deletion of PlugX from US-based computers, the last of which expired on January 3. “The FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise affect the legitimate functions of the infected computers or the collection of content information from the infected computers,” the statement said.

Security and threat operations experts speak openly about the FBI PlugX malware deletion

“The FBI’s coordinated effort with French agencies to disrupt PlugX demonstrates the power of international cooperation in combating cyber threats,” said Chris Henderson, senior director of threat operations at Huntress. “By gaining control of the malware’s command and control server and leveraging its native self-delete functionality, they have successfully removed a significant threat from thousands of infected machines.” Henderson also noted that the careful planning in the run-up to the actual file deletions, in particular “the inclusion of a statement assessing the potential impacts of remediation,” emphasized the importance of ensuring that such actions do not cause unintended harm to target systems.
