The FBI has successfully removed malware from over 4,000 computers in the United States using remote methods.
Update: This story, which was initially published on Jan. 15, has been updated with additional technical analysis and timelines of the PlugX malware from threat operations experts. It also includes information about the implications of the FBI’s use of remote methods to delete the files in question.
The possibility of a cyberattack is always looming, whether from the Amazon ransomware operators, from hackers exploiting Windows zero-day vulnerabilities, or from attacks on the iPhone's USB-C port. Fortunately, the Federal Bureau of Investigation (FBI) actively issues alerts and warnings about these attacks and hacker threats. Recent disclosures from the FBI and the Department of Justice might raise a few eyebrows, however, as they confirm that thousands of computers and networks across the United States were remotely accessed in order to delete malware files. Let's delve into the details.
Court-Authorized FBI Operation Remotely Deletes PlugX Malware From 4,258 U.S. Computers
The U.S. Department of Justice and the FBI have officially confirmed that they conducted a court-authorized operation to remotely delete malware files from 4,258 computers located in the United States. The operation targeted the PlugX malware, which is used by threat actors with alleged ties to China. According to the Jan. 14 announcement, the objective was to neutralize a specific version of PlugX employed by the group tracked as Mustang Panda or Twill Typhoon. This version of PlugX let the group take control of infected computers in order to steal sensitive information.
The Department of Justice (DoJ) stated in court documents that the Chinese government paid the Mustang Panda group to develop a customized version of PlugX. This version has been in use since 2014 and has infected a large number of computer systems, including victims in the United States.
According to Assistant Director Bryan Vorndran of the FBI’s Cyber Division, the FBI took action to safeguard U.S. computers against further compromise by state-sponsored hackers from the People’s Republic of China (PRC). He emphasized that this announcement demonstrates the FBI’s commitment to protecting the American people by utilizing its extensive legal authorities and technical expertise to combat cyber threats originating from nation-states.
According to the Department of Justice, the FBI identified 4,258 infected computers and networks in the United States. To detect and remove the malware remotely, the FBI obtained nine warrants in the Eastern District of Pennsylvania, beginning in August 2024; these warrants authorized the deletion of PlugX from U.S.-based computers, and the last of them expired on January 3. Before the operation, the FBI tested the deletion commands to confirm that they removed the malware without affecting the legitimate functions of the infected computers and without collecting any content information from them.
U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania emphasized the audacity and assertiveness of state-sponsored hackers from the People’s Republic of China (PRC), as evidenced by the extensive hacking campaign and persistent infection of numerous Windows-based computers, including personal computers within the United States. The Department of Justice’s authorized operation to eradicate the PlugX malware underscores its dedication to safeguarding U.S. cybersecurity through a comprehensive, collective effort.
Analyzing PlugX—The Malware Deleted By The FBI
According to Max Rogers, senior director of the security operations center at Huntress, PlugX, also known as Destroy-RAT or SOGU, is a well-established malware family that has been around since 2009. Rogers emphasizes that the longevity and sophistication of PlugX make it a preferred tool for threat actors, with the potential for usage spanning two decades. One of the key reasons for its endurance and resilience is its plugin-based design, allowing for customization and adaptation over time to suit specific operations. This adaptability makes PlugX highly effective against targeted organizations.
In addition, the ability of PlugX to communicate over multiple protocols gives the threat actors a significant advantage. While most malware relies on the Hypertext Transfer Protocol, PlugX can utilize the Transmission Control Protocol, User Datagram Protocol, Domain Name System, and even the Internet Control Message Protocol to establish communication with its command-and-control server. Rogers highlights that this versatility makes it extremely challenging to detect and mitigate at the network level, showcasing the ongoing evolution of cyber threats.
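The network-level difficulty Rogers describes is that a single-protocol rule (HTTP only, or DNS only) misses a beacon that moves to ICMP or raw TCP. One way to sidestep that is to hunt for the beacon's timing rather than its transport: a periodic outbound connection from one host to one destination is suspicious whatever protocol carries it. The script below is an added example written for this article, not code from Huntress, the FBI or any PlugX sample; it groups flow records by (source, destination, protocol, port) and flags groups whose inter-arrival times are regular. The flow records, field layout and thresholds are all assumptions constructed for illustration, loosely modelled on a Zeek-style conn log rather than on any real PlugX capture.

```python
"""Transport-agnostic beacon detection over flow records.

Added example for this article; not code from Huntress, the FBI or PlugX.
Flow records, field names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, proto, dst_port).
# ICMP has no port, so dst_port is 0 for those records. Addresses are
# RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_FLOWS = [
    # Host A: ICMP beacon roughly every 60 s (small jitter).
    (0, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (60, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (121, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (180, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (240, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (301, "10.0.0.5", "203.0.113.10", "icmp", 0),
    (360, "10.0.0.5", "203.0.113.10", "icmp", 0),
    # Host B: DNS (UDP/53) beacon exactly every 30 s.
    (5, "10.0.0.7", "198.51.100.2", "udp", 53),
    (35, "10.0.0.7", "198.51.100.2", "udp", 53),
    (65, "10.0.0.7", "198.51.100.2", "udp", 53),
    (95, "10.0.0.7", "198.51.100.2", "udp", 53),
    (125, "10.0.0.7", "198.51.100.2", "udp", 53),
    (155, "10.0.0.7", "198.51.100.2", "udp", 53),
    # Host C: ordinary bursty HTTPS browsing, irregular gaps (should not flag).
    (3, "10.0.0.9", "192.0.2.20", "tcp", 443),
    (10, "10.0.0.9", "192.0.2.20", "tcp", 443),
    (90, "10.0.0.9", "192.0.2.20", "tcp", 443),
    (95, "10.0.0.9", "192.0.2.20", "tcp", 443),
    (400, "10.0.0.9", "192.0.2.20", "tcp", 443),
    (401, "10.0.0.9", "192.0.2.20", "tcp", 443),
    # Host D: regular, but too few events to score (should not flag).
    (0, "10.0.0.11", "192.0.2.30", "tcp", 80),
    (60, "10.0.0.11", "192.0.2.30", "tcp", 80),
    (120, "10.0.0.11", "192.0.2.30", "tcp", 80),
    (180, "10.0.0.11", "192.0.2.30", "tcp", 80),
]


def group_flows(flows):
    """Bucket timestamps by (src, dst, proto, dport), ignoring the transport
    when deciding what counts as 'the same channel' is deliberate: every
    protocol gets the same timing test."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        groups[(src, dst, proto, dport)].append(ts)
    return groups


def beacon_score(timestamps, min_events=5):
    """Return (mean_interval, jitter_ratio) for a channel, or None if there
    are too few events to judge. jitter_ratio is the population standard
    deviation of the inter-arrival gaps divided by their mean; a value near
    0 means a metronomic beacon, a large value means human-like traffic."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    interval = mean(gaps)
    if interval <= 0:
        return None
    return interval, pstdev(gaps) / interval


def find_beacons(flows, max_jitter=0.2, min_events=5):
    """Return [(channel_key, mean_interval, jitter_ratio), ...] for channels
    whose timing is regular enough to look like a beacon, sorted by key."""
    hits = []
    for key, ts in group_flows(flows).items():
        score = beacon_score(ts, min_events)
        if score is not None and score[1] <= max_jitter:
            hits.append((key, round(score[0], 1), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for key, interval, jitter in find_beacons(SAMPLE_FLOWS):
        src, dst, proto, dport = key
        print(f"{src} -> {dst} {proto}/{dport}: every ~{interval}s, jitter {jitter}")
```

Run against the constructed flows, the ICMP and DNS channels are reported and the bursty HTTPS session and the four-event channel are not. The `max_jitter` and `min_events` values are tuning knobs, not PlugX facts: a real implant may randomise its sleep, so the jitter threshold has to be set against what normal traffic on the monitored network looks like, and the same test should be run over whatever flow source you already have (NetFlow, Zeek `conn.log`, firewall logs) rather than over one protocol's application logs.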
Security And Threat Operations Expert Speaks Out About The FBI PlugX Deletions
Chris Henderson, senior director of threat operations at Huntress, emphasized the significance of the collaborative effort between the FBI and French agencies in disrupting PlugX. According to Henderson, this successful operation serves as a testament to the power of international cooperation in combating cyber threats. By taking control of the malware’s command-and-control server and utilizing its native self-delete functionality, the authorities effectively eliminated a significant threat from numerous infected machines.
Henderson further noted the meticulous planning that preceded the actual file deletions. Specifically, he highlighted the inclusion of an affidavit that assessed the potential impacts of remediation. This careful approach underscores the importance of ensuring that such actions do not inadvertently harm the targeted systems.