FBI Removes Chinese Malware from US Computers | DOJ Confirms

January 14, 2025
Disruption of Chinese State-Sponsored Hacking Operation

American law enforcement agencies have verified the successful disruption of a hacking group supported by the Chinese state. This group engaged in a prolonged espionage campaign, compromising millions of computers globally to illicitly obtain data.

Malware Removal Operation

The Department of Justice and the FBI announced on Tuesday the successful removal of malware deployed by the China-linked hacking group, identified as “Twill Typhoon” or “Mustang Panda.” This operation, authorized by a court order in August 2024, targeted thousands of infected systems within the United States.

International Collaboration

French authorities spearheaded the operation, receiving crucial assistance from Sekoia, a Paris-based cybersecurity firm. Last year, French prosecutors revealed that the malware, designated “PlugX,” had infected several million computers worldwide, with 3,000 instances located within France.

Sekoia’s Role in Malware Elimination

Sekoia developed the technical capability to issue commands to compromised devices, enabling the deletion of the PlugX malware. U.S. authorities confirmed that this capability was utilized to remove the malware from over 4,200 infected computers across the United States.

Long-Standing Malware Activity

FBI records filed with the federal court in Pennsylvania indicate that the malware, which is often introduced through a computer's USB port, has been observed since 2012. Evidence suggests that Chinese state-affiliated hackers have used it since 2014.

Malware Functionality and Purpose

Upon installation, the malware functions to gather and prepare a victim’s computer files for unauthorized transfer. French authorities have stated that the PlugX malware is specifically designed for espionage activities.

U.S. Accusations and Chinese Denial

The U.S. Justice Department alleges that the Chinese government financially supported the Twill Typhoon group in developing the PlugX malware. China consistently denies the hacking accusations made by the United States.

Targets of the Hacking Campaign

While specific victims remain unnamed, the FBI reports that Twill Typhoon infiltrated the systems of “numerous” governmental and private sector organizations, including those within the United States. Notable targets include European shipping companies, several European governments, Chinese dissident groups, and governments throughout the Indo-Pacific region.

Part of a Larger Pattern

Twill Typhoon is now included among a growing number of Chinese state-sponsored hacking groups identified by the “Typhoon” designation. This group joins Volt Typhoon, focused on preparing for disruptive cyberattacks, and Salt Typhoon, responsible for extensive hacking of U.S. telecommunications companies.

Historical Compromises

Microsoft, the originator of the hacking group naming convention, notes that Twill Typhoon (formerly known as “Tantalum”) has a documented history of successfully compromising government systems in Africa and Europe, as well as humanitarian organizations globally.

Recent Countermeasures

This action represents the latest in a series of court-authorized operations undertaken by U.S. authorities to address the escalating threat posed by foreign adversaries targeting American systems. Throughout 2024, the FBI has conducted multiple operations involving malware removal and the seizure of control over malicious botnets, aiming to disrupt Chinese-backed campaigns targeting U.S. critical infrastructure.

National Security Concerns

U.S. national security officials have previously characterized China’s offensive cyber capabilities as a significant and “epoch-defining threat.”