The FBI confirms it deleted files from 4,258 US-based computers

17 Jan 25

Update, January 17, 2025: This story, originally published on January 15, now includes further technical analysis and timelines of the PlugX malware by threat operations experts and information about the implications of the FBI using remote methods to delete the files in question.

The threat of cyberattack is never far away, be it from Amazon ransomware actors with an impossible-to-recover threat, or Windows zero-day exploits and even hacking the iPhone’s USB-C port. Fortunately, the Federal Bureau of Investigation is also never far away when it comes to warnings about such attacks and hacker threats. But eyebrows are sure to be raised after the FBI and Department of Justice have confirmed that thousands of US computers and networks were accessed to remove malware files remotely. Here’s what you need to know.


FBI court-authorized operation remotely wipes PlugX malware from 4,258 US computers

The US Department of Justice and the FBI have confirmed that a court-authorized operation allowed the remote removal of malware files from 4,258 US-based computers. The operation targeted the PlugX variant of the malware used by what are said to be China-backed threat actors and was, the January 14 statement said, designed to take down a version of PlugX used by the group known as Mustang Panda or Twill Typhoon, a version capable of controlling infected computers to steal information.

According to court documents, the DOJ said, the government of the People’s Republic of China “paid the Mustang Panda group to develop this specific version of PlugX,” which has been in use since 2014 and has infiltrated thousands of computer systems in campaigns targeting American victims.

“The FBI acted to protect American computers from further compromise by PRC-sponsored hackers,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division, adding that the announcement “reaffirms the FBI’s commitment to protecting the American people by using its full range of legal authorities and technical expertise to counter the cyber threats of nation states.”

Thousands of US computers and networks, estimated at 4,258 by the DOJ, were identified by the FBI in the technical operation to detect and wipe out the malware threat remotely. The first of nine warrants was obtained in August 2024 in the Eastern District of Pennsylvania authorizing the deletion of PlugX from US-based computers, the last of which expired on January 3. “The FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise affect the legitimate functions of the infected computers or the collection of content information from the infected computers,” the statement said.


“This widespread hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania. “The Justice Department’s court-authorized operation to wipe out the PlugX malware demonstrates its commitment to a ‘whole of society’ approach to protecting US cybersecurity.”

Analyzing PlugX – Malware Deleted by the FBI

Max Rogers, senior director of the security operations center at Huntress, explained that PlugX, also known to some threat intelligence analysts as Destroy-RAT or SOGU, is an old malware family with a history dating back to 2009. It is a “testament to PlugX’s adaptability and sophistication” that “it remains a primary tool of choice for threat actors and could potentially see use spanning two decades,” Rogers said. One of the critical factors behind this longevity and robustness is the malware’s plugin-based design. The modular approach “allows it to be customized over time and adapted to the specific needs of each operation,” Rogers warned, “making it very effective against target organizations.” Also giving the threat actors behind PlugX campaigns a “distinct advantage” is its ability to communicate over multiple protocols. While most malware relies on the Hypertext Transfer Protocol, PlugX can use the Transmission Control Protocol, the User Datagram Protocol, the Domain Name System, and even the Internet Control Message Protocol to communicate with its command and control server. “This versatility,” said Rogers, “makes network-level detection and mitigation much more challenging, demonstrating the continued evolution of cyber threats.”
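Because PlugX can spread its beacons across TCP, UDP, DNS and ICMP, a defender gets more from correlating one host's outbound flows across transports than from a signature written for a single protocol. The Python below is an added example, not code from the article or from Huntress; the flow records are constructed and the record layout is an assumption.

```python
# Added defender-side example: correlate each host's outbound flows across
# protocols to surface regular beaconing that a per-protocol rule would miss.
# The flow records are constructed sample data, not real PlugX traffic, and
# the (timestamp, src, dst, proto, port) layout is an assumption.
from collections import defaultdict
from statistics import median

# Constructed flow log: (timestamp_s, src_host, dst_ip, proto, dst_port)
FLOWS = [
    (0,    "ws-17", "203.0.113.5",  "tcp",  443),
    (600,  "ws-17", "203.0.113.5",  "udp",  53),
    (1200, "ws-17", "203.0.113.5",  "icmp", None),
    (1800, "ws-17", "203.0.113.5",  "tcp",  443),
    (2400, "ws-17", "203.0.113.5",  "udp",  8080),
    (3000, "ws-17", "203.0.113.5",  "icmp", None),
    (5,    "ws-02", "198.51.100.9", "tcp",  443),  # ordinary bursty browsing
    (7,    "ws-02", "198.51.100.9", "tcp",  443),
    (9000, "ws-02", "198.51.100.9", "tcp",  443),
]

def find_multiprotocol_beacons(flows, min_protos=3, min_flows=5, jitter=0.2):
    """Return (src, dst, protos, interval) for host/destination pairs that talk
    over at least min_protos transports with roughly regular timing."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, _port in flows:
        by_pair[(src, dst)].append((ts, proto))
    hits = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        protos = sorted({p for _, p in recs})
        if len(protos) < min_protos or len(recs) < min_flows:
            continue
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        med = median(gaps)
        # Regular beaconing: every gap lies within +/- jitter of the median gap
        if med > 0 and all(abs(g - med) <= jitter * med for g in gaps):
            hits.append((src, dst, protos, med))
    return hits

if __name__ == "__main__":
    for src, dst, protos, interval in find_multiprotocol_beacons(FLOWS):
        print(f"{src} -> {dst}: {','.join(protos)} every ~{interval:.0f}s")
```

On the constructed data only ws-17 is reported, since its traffic to one destination alternates TCP, UDP and ICMP at a steady ten-minute cadence while ws-02 uses a single protocol with irregular gaps.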


Security and Threat Operations Expert Speaks Out About the FBI PlugX Operation

“The FBI’s coordinated effort with French agencies to disrupt PlugX demonstrates the power of international cooperation in combating cyber threats,” said Chris Henderson, senior director of threat operations at Huntress. “By gaining control of the malware’s command and control server and leveraging its native self-delete functionality, they have successfully removed a significant threat from thousands of infected machines.” Henderson also noted that the careful planning in the run-up to the actual file deletions, in particular “the inclusion of a statement assessing the potential impacts of remediation,” emphasized the importance of ensuring that such actions do not cause unintended harm to target systems.
