FBI Confirms It Deleted Files From 4,258 U.S.-Based Computers


Update, Jan. 17, 2025: This story, originally published Jan. 15, now includes further technical analysis and timelines of the PlugX malware from threat operations experts and information regarding the implications of the FBI using remote methods to delete the files in question.

The threat of cyberattack is never far away, be that by Amazon ransomware actors with an impossible-to-recover-from threat, or Windows zero-day exploits and even the hacking of the iPhone USB-C port. Luckily, the Federal Bureau of Investigation is also never far away when it comes to warnings about such attacks and hacker threats. But eyebrows will surely be raised just a little as the FBI and Department of Justice have confirmed that thousands of U.S. computers and networks were accessed to remove malware files remotely. Here’s what you need to know.


Court-Authorized FBI Operation Remotely Deletes PlugX Malware From 4,258 U.S. Computers

The U.S. Department of Justice and the FBI have confirmed that a court-authorized operation allowed the remote removal of malware files from 4,258 U.S.-based computers. The operation, targeting the PlugX malware variant as used by what are said to be China-backed threat actors, was, the Jan. 14 statement said, designed to take down a version of PlugX used by the group known as Mustang Panda or Twill Typhoon, capable of controlling infected computers to steal information.

According to court documents, the DoJ said, the People’s Republic of China government “paid the Mustang Panda group to develop this specific version of PlugX,” which has been in use since 2014 and infiltrated thousands of computer systems in campaigns targeting U.S. victims.

“The FBI acted to protect U.S. computers from further compromise by PRC state-sponsored hackers,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said, adding that the announcement “reaffirms the FBI’s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.”

Thousands of U.S. computers and networks, estimated at 4,258 by the DoJ, were identified by the FBI in the technical operation to detect and delete the malware threat remotely. The first of nine warrants was obtained in August 2024 in the Eastern District of Pennsylvania, authorizing the deletion of PlugX from U.S.-based computers; the last expired on Jan. 3. “The FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers,” the statement said.


“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania. “The Department of Justice’s court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”

Analyzing PlugX—The Malware Deleted By The FBI

Max Rogers, senior director of the security operations center at Huntress, explained that PlugX, which is also known by some threat intelligence analysts as Destroy-RAT or SOGU, is a long-standing malware family that has a history dating back to 2009. It’s a “testament to the adaptability and sophistication” of PlugX that “it remains a top tool of choice for threat actors and could potentially see usage spanning two decades,” Rogers said. One of the critical factors accounting for this longevity and resilience is the plugin-based design of the malware. The modular approach “enables it to be customized over time and tailored to the specific needs of each operation,” Rogers warned, “making it highly effective against targeted organizations.” Also providing a “notable advantage” for the threat actors behind the PlugX campaigns is its ability to communicate over multiple protocols. While most malware relies on Hypertext Transfer Protocol, PlugX can utilize Transmission Control Protocol, User Datagram Protocol, Domain Name System and even the Internet Control Message Protocol to communicate with its command-and-control server. “This versatility,” Rogers said, “makes it far more challenging to detect and mitigate at the network level, demonstrating the ongoing evolution of cyber threats.”
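The detection difficulty Rogers describes comes from filtering on protocol: a monitor that only inspects HTTP never sees a DNS, UDP or ICMP channel. The following is an added illustration, not code from the article, from Huntress or from any PlugX analysis, of the defensive counterpart: a protocol-agnostic beaconing check that groups flow records by host pair and transport rather than by port, and flags channels with regular inter-arrival timing. The flow-record shape and all sample flows are constructed for this example; the thresholds (`min_events`, `max_cv`) are assumptions to tune against real traffic.

```python
"""Protocol-agnostic beaconing detector over constructed flow records.

Added illustration (not from the article or any vendor). The record shape
(timestamp, src, dst, proto, dst_port, bytes) is a simplified NetFlow-like
tuple assumed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: two internal hosts reach the same external address
# over DNS and ICMP at roughly 60-second intervals, plus irregular benign HTTPS.
SAMPLE_FLOWS = [
    # (epoch_seconds, src, dst, proto, dst_port, bytes)
    (1000, "10.0.0.5", "203.0.113.7", "udp", 53, 120),
    (1061, "10.0.0.5", "203.0.113.7", "udp", 53, 118),
    (1119, "10.0.0.5", "203.0.113.7", "udp", 53, 121),
    (1180, "10.0.0.5", "203.0.113.7", "udp", 53, 119),
    (1241, "10.0.0.5", "203.0.113.7", "udp", 53, 120),
    (2000, "10.0.0.8", "203.0.113.7", "icmp", 0, 84),
    (2060, "10.0.0.8", "203.0.113.7", "icmp", 0, 84),
    (2121, "10.0.0.8", "203.0.113.7", "icmp", 0, 84),
    (2179, "10.0.0.8", "203.0.113.7", "icmp", 0, 84),
    (2240, "10.0.0.8", "203.0.113.7", "icmp", 0, 84),
    # Benign: irregular web browsing to a different address.
    (1005, "10.0.0.9", "198.51.100.2", "tcp", 443, 5400),
    (1300, "10.0.0.9", "198.51.100.2", "tcp", 443, 8100),
    (1310, "10.0.0.9", "198.51.100.2", "tcp", 443, 2200),
    (2900, "10.0.0.9", "198.51.100.2", "tcp", 443, 9800),
    (3400, "10.0.0.9", "198.51.100.2", "tcp", 443, 1200),
]


def group_flows(flows):
    """Bucket flows by (src, dst, proto), ignoring the port: the channel
    worth watching is the host pair, whatever transport carries it."""
    groups = defaultdict(list)
    for ts, src, dst, proto, _dport, nbytes in flows:
        groups[(src, dst, proto)].append((ts, nbytes))
    return groups


def interval_stats(timestamps):
    """Mean inter-arrival gap and its coefficient of variation (jitter)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def detect_beacons(flows, min_events=4, max_cv=0.15):
    """Return channels with enough events and low timing jitter, sorted
    deterministically by source and protocol. Thresholds are assumptions."""
    findings = []
    for (src, dst, proto), events in group_flows(flows).items():
        if len(events) < min_events:
            continue
        stats = interval_stats([ts for ts, _ in events])
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "proto": proto,
                "count": len(events),
                "mean_gap_s": round(mean_gap, 1),
                "jitter_cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: (f["src"], f["proto"]))


def multi_protocol_destinations(findings):
    """Second signal: one external address reached by beaconing hosts over
    more than one protocol, the pattern a single-protocol monitor misses."""
    by_dst = defaultdict(set)
    for f in findings:
        by_dst[f["dst"]].add(f["proto"])
    return {dst: sorted(p) for dst, p in by_dst.items() if len(p) > 1}


if __name__ == "__main__":
    hits = detect_beacons(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(multi_protocol_destinations(hits))
```

On the constructed sample, both the DNS and the ICMP channels to 203.0.113.7 are flagged while the irregular HTTPS traffic is not; the second function then ties the two protocols back to the same destination. In practice the same grouping would run over exported NetFlow or Zeek `conn` records, and the jitter threshold would need tuning, since real beacons often add random sleep.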


Security And Threat Operations Expert Speaks Out About The FBI PlugX Deletions

“The FBI’s coordinated effort with French agencies to disrupt PlugX demonstrates the power of international collaboration in combating cyber threats,” Chris Henderson, senior director of threat operations at Huntress, said, “by gaining control of the malware’s command-and-control server and leveraging its native self-delete functionality, they’ve successfully removed a significant threat from thousands of infected machines.” Henderson also pointed out that the careful planning used in the run-up to the actual file deletions, in particular “the inclusion of an affidavit assessing the potential impacts of remediation,” highlighted the importance of ensuring that such actions do not cause unintended harm to the targeted systems.
