The U.S. Attorney’s Office in Philadelphia released the below information:
PHILADELPHIA – United States Attorney Jacqueline C. Romero, the Justice Department, and the FBI announced today a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide.
As described in court documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s Republic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers.
According to court documents, the PRC government paid the Mustang Panda group to, among other computer intrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups. Despite previous cybersecurity reports, owners of computers still infected with PlugX are typically unaware of the infection. The court-authorized operation announced today remediated U.S.-based computers infected with Mustang Panda’s version of PlugX.
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Romero. “Working alongside both international and private sector partners, the Department of Justice’s court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”
“The FBI worked to identify thousands of infected U.S. computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans,” said FBI Philadelphia Special Agent in Charge Wayne Jacobs.
The international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability to send commands to delete the PlugX version from infected devices. Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers.
In August 2024, the DOJ and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on January 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks.
The FBI, through the victims’ internet service providers, is providing notice to U.S. owners of Windows-based computers affected by this court-authorized operation.
The FBI’s Philadelphia Field Office and Cyber Division, the U.S. Attorney’s Office for the Eastern District of Pennsylvania, and the National Security Cyber Section of DOJ’s National Security Division led the domestic disruption operation. This operation would not have been successful without the valuable collaboration of the Cyber Division of the Paris Prosecution Office, French Gendarmerie Cyber Unit C3N, and Sekoia.io, a private French cybersecurity technology company.
The FBI continues to investigate Mustang Panda’s computer intrusion activity. If you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also contact your local FBI field office directly; FBI Philadelphia can be reached at 215-418-4000. The FBI strongly encourages the use of antivirus software, as well as the application of software security updates to help prevent reinfection.