FBI deleted Chinese malware from 4,200 US computers
The malware, dubbed PlugX, was spread by the Twill Typhoon hacking unit, which is sponsored by China’s central government. The FBI has tracked PlugX variants since 2012; they have been used to remotely access victim computers, execute commands and exfiltrate files stored on those devices, according to court documents provided by the Justice Department.
French law enforcement operatives and the French cyber firm Sekoia.io helped identify and craft the commands used to delete the malware from victim devices. The DOJ and FBI first received court authorization in August to carry out the deletion, and the operation removed the malware from 4,258 U.S. computers and networks.
Victims were notified through their internet service providers. This version of PlugX spreads through USB devices plugged into Windows-based computers and persists on victims’ machines by causing the system to launch a hidden PlugX process each time the computer boots.
Once infected, a computer is surreptitiously set to communicate with a command-and-control server whose address is hard-coded into the malware. The command server listed in the court papers, which received data routed back from victim devices, appears to be located in a Tokyo data center, according to a scan of its IP address.
An unnamed French law enforcement agency gained access to that control server, the documents noted. French authorities opened an investigation into the spread of PlugX in July, noting that thousands of machines in France had been infected with the malware.
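Because this PlugX variant embeds its command-and-control address directly in the binary, one of the first triage steps on a suspected sample is to pull every dotted-quad literal out of it and separate the candidates worth checking from noise such as version strings, private ranges and documentation addresses. The following is an added example of that step, written for this page; it is not code from the article, from Sekoia.io or from any PlugX sample. The sample bytes are constructed for illustration: the only routable address in them is Google’s public resolver 8.8.8.8, chosen as a well-known public address rather than any real server, and the rest are RFC 1918 or TEST-NET documentation addresses.

```python
"""Extract and bucket hard-coded IPv4 literals from a binary blob (C2 triage).

Added example for this article; it is not PlugX code or any vendor's tool.
SAMPLE_BLOB is constructed for illustration and contains no real C2 address.
"""
from __future__ import annotations

import ipaddress
import re

# Windows binaries often hold strings as UTF-16LE, so an ASCII-only regex
# would miss a C2 address stored as a wide string. Scan for both encodings.
_ASCII_IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
_WIDE_IPV4 = re.compile(rb"(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}")

# Address families that cannot be an internet-facing C2 server. Listed
# explicitly rather than via ipaddress.is_private so the buckets are stable
# across Python versions and the labels say why a hit was discarded.
_NON_ROUTABLE = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "loopback/link-local/unspecified": ("127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8"),
    "documentation (TEST-NET)": ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"),
    "multicast/reserved": ("224.0.0.0/4", "240.0.0.0/4"),
}
_NON_ROUTABLE_NETS = {
    label: [ipaddress.ip_network(n) for n in nets] for label, nets in _NON_ROUTABLE.items()
}


def extract_ipv4_candidates(blob: bytes) -> list[str]:
    """Return deduplicated, syntactically valid IPv4 literals found in blob.

    ASCII hits come first in file order, then UTF-16LE hits. Strings that look
    like dotted quads but are not valid addresses (e.g. an octet of 999) are
    dropped; version strings such as 6.1.7601.1 never match the regexes.
    """
    raw = [m.group().decode("ascii") for m in _ASCII_IPV4.finditer(blob)]
    raw += [m.group().decode("utf-16-le") for m in _WIDE_IPV4.finditer(blob)]
    valid: list[str] = []
    for text in raw:
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue
        if text not in valid:
            valid.append(text)
    return valid


def classify(addr: str) -> str:
    """Label an address as non-routable (with the reason) or 'routable'."""
    ip = ipaddress.IPv4Address(addr)
    for label, nets in _NON_ROUTABLE_NETS.items():
        if any(ip in net for net in nets):
            return label
    return "routable"


def triage(blob: bytes) -> dict[str, str]:
    """Map every embedded IPv4 literal to its bucket; 'routable' ones are the
    candidates to check against threat-intelligence and passive-DNS data."""
    return {addr: classify(addr) for addr in extract_ipv4_candidates(blob)}


# Constructed stand-in for a binary: a fake header, a few ASCII strings and one
# UTF-16LE string, mimicking where a hard-coded C2 address would typically sit.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"connectivity=8.8.8.8\x00"      # well-known public resolver (routable)
    + b"build=6.1.7601.1\x00"          # version string, must not be reported
    + b"bogus=999.1.1.1\x00"           # looks like an address, octet out of range
    + b"internal=10.0.0.1\x00"         # RFC 1918, cannot be an internet C2
    + "c2=203.0.113.5".encode("utf-16-le") + b"\x00\x00"  # wide-string TEST-NET address
)

if __name__ == "__main__":
    for addr, bucket in triage(SAMPLE_BLOB).items():
        print(f"{addr:>15}  {bucket}")
```

Only the entries labelled "routable" deserve a reputation lookup or a passive-DNS query; a real sample will also carry hostnames and possibly obfuscated or encrypted configuration, which this string-level pass will not see, so treat an empty "routable" set as "not found in the clear", not as "no C2".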
Since 2014, Twill Typhoon has targeted U.S. victims, European and Asian governments and Chinese dissident groups, DOJ said. The unit is one of several that the cybersecurity community files under the “Typhoon” naming scheme, which denotes Beijing-backed campaigns focused on espionage and infiltration of critical infrastructure.
Salt Typhoon, for instance, has drawn attention for its intrusions into telecommunications networks, while Silk Typhoon has recently been identified as the entity that penetrated multiple Treasury Department offices handling sensitive financial and sanctions data.
Under the incoming Trump administration, U.S. cyber forces may be authorized to conduct more offensive cyber operations against China and other foreign adversaries, as some in the incoming leadership have voiced support for the tactic.
Rep. Mike Waltz, R-Fla., President-elect Donald Trump’s chosen national security advisor, said last month that the U.S. should “start going on offense and start imposing, I think, higher costs and consequences to private actors and nation state actors” that hack into U.S. networks.
“We’re gonna be in your networks, causing mischief, and two could play this game,” GOP chair of the House Armed Services Committee’s cyber and IT subcommittee, Rep. Don Bacon, R-Neb., told Politico on Monday.
The FBI has already conducted a number of takedowns against Chinese actors and others, though many have argued those operations amount to defensive measures, since they have not broadly deterred any foreign rival’s behavior in cyberspace.
“The Department of Justice prioritizes proactively disrupting cyber threats to protect U.S. victims from harm, even as we work to arrest and prosecute the perpetrators,” said Assistant Attorney General Matthew Olsen, who sits in the DOJ’s National Security Division. “This operation, like other recent technical operations against Chinese and Russian hacking groups … has depended on strong partnerships to successfully counter malicious cyber activity.”