FBI Confirms Files Deleted from 4,258 U.S.-Based Computers
A former FBI agent uses a laptop in his office.
Updated January 17, 2025: This article, originally published on January 15, now includes a more in-depth technical analysis and timeline of the PlugX malware by threat operations experts, as well as information on the implications of the FBI's use of remote methods for deleting the files in question. The threat of a cyberattack is never far away, whether it's an unrecoverable Amazon ransomware threat, Windows zero-day exploits, or even the iPhone's USB-C port hack. Fortunately, the FBI is never far away when it comes to alerts about such hacking attacks and threats. But eyebrows are sure to be raised a bit when the FBI and the Department of Justice confirm that thousands of American computers and networks have been accessed in order to remotely delete malicious files. Here's what you need to know.
FBI Court-Authorized Operation Remotely Removes PlugX Malware from 4,258 US Computers
The US Department of Justice and the FBI have confirmed that a court-authorized operation resulted in the remote deletion of malicious files from 4,258 US-based computers. The operation, which targeted a variant of the PlugX malware used by Chinese-backed threat actors, was, according to the January 14 statement, designed to destroy a version of PlugX used by the group known as Mustang Panda or Twill Typhoon, which was capable of taking control of infected computers to steal information.
According to court documents, the Justice Department said the government of the People's Republic of China "paid the Mustang Panda Group to develop this specific version of PlugX," which has been in use since 2014 and has infiltrated thousands of computer systems in campaigns targeting U.S. victims.
"The FBI has acted to protect American computers from further compromise by PRC-sponsored hackers," said Bryan Vorndran, assistant director of the FBI's Cyber Division, adding that the announcement "reaffirms the FBI's commitment to protecting the American people by using the full range of legal authorities and technical expertise to counter nation-state cyber threats."
Thousands of American computers and networks, estimated at 4,258 by the Justice Department, were identified by the FBI during the technical operation aimed at remotely detecting and removing the malware threat. The first of nine orders was obtained in August 2024 in the Eastern District of Pennsylvania authorizing the removal of PlugX from U.S.-based computers; the last of these expired on January 3. "The FBI tested the commands, confirmed their effectiveness, and determined that they did not affect the legitimate functions of the infected computers or collect information about their contents," the statement said.
"This large-scale hacking and long-term infection of thousands of Windows computers, including many personal computers in the United States, demonstrates the audacity and aggressiveness of state-sponsored PRC hackers," said U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania. "The Department of Justice's court-authorized operation to remove the PlugX malware demonstrates its commitment to a 'whole-of-society' approach to protecting America's cybersecurity."
Analysis of PlugX, malware removed by the FBI
Max Rogers, senior director of the security operations center at Huntress, explained that PlugX, also known to some threat intelligence analysts as Destroy-RAT or SOGU, is a long-standing malware family whose history dates back to 2009. It is a "testament to the adaptability and sophistication" of PlugX that it "remains a tool of choice for threat actors and could be used for two decades," Rogers said. One of the key factors in this longevity and persistence is the malware's plugin-based design. The modular approach "allows it to be customized over time and tailored to the specific needs of each operation," Rogers warns, "making it highly effective against targeted organizations." Another "notable advantage" for the threat actors behind PlugX campaigns is its ability to communicate across multiple protocols. While most malware relies on the Hypertext Transfer Protocol, PlugX can use the Transmission Control Protocol, the User Datagram Protocol, the Domain Name System, and even the Internet Control Message Protocol to communicate with its command and control. "This agility," Rogers said, "makes detection and mitigation at the network level much more difficult, demonstrating the ongoing evolution of cyber threats."
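The multi-protocol command and control described above is what makes single-protocol network rules miss PlugX-style traffic. The following is an added example, not code from the article or from Huntress: a small heuristic that groups constructed flow records by internal host and external endpoint and flags pairs that use several transport classes (TCP, UDP, DNS, ICMP) to the same destination. The record layout, sample addresses and thresholds are assumptions for illustration.

```python
# Added example (not from the article or Huntress): flag internal hosts that
# reach one external endpoint over several channel classes, the pattern the
# article attributes to PlugX C2. Field layout and thresholds are assumptions.
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", "tcp", 443),
    ("10.0.0.5", "203.0.113.7", "udp", 8080),
    ("10.0.0.5", "203.0.113.7", "udp", 53),
    ("10.0.0.5", "203.0.113.7", "icmp", 0),
    ("10.0.0.9", "198.51.100.2", "tcp", 443),
    ("10.0.0.9", "198.51.100.2", "tcp", 80),
    ("10.0.0.12", "198.51.100.2", "udp", 53),
]


def channel(proto, dport):
    """Map a flow to one of the channel classes named in the article:
    tcp, udp, dns (UDP/53) or icmp."""
    if proto == "icmp":
        return "icmp"
    if proto == "udp" and dport == 53:
        return "dns"
    return proto  # "tcp" or plain "udp"


def multi_protocol_pairs(flows, min_channels=3):
    """Return (src, dst, sorted channel list) for every src/dst pair that uses
    at least min_channels channel classes, or that mixes ICMP with any other
    channel (ICMP carrying C2 is unusual enough to review on its own)."""
    seen = defaultdict(set)
    for src, dst, proto, dport in flows:
        seen[(src, dst)].add(channel(proto, dport))
    hits = []
    for (src, dst), chans in sorted(seen.items()):
        if len(chans) >= min_channels or ("icmp" in chans and len(chans) > 1):
            hits.append((src, dst, sorted(chans)))
    return hits


if __name__ == "__main__":
    for src, dst, chans in multi_protocol_pairs(SAMPLE_FLOWS):
        print(f"review {src} -> {dst}: channels {', '.join(chans)}")
```

Only the host that spreads its traffic across four channel classes is flagged; the host using TCP on two ports and the host making a lone DNS query are not.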
"The FBI's coordinated effort with French agencies to disrupt PlugX demonstrates the power of international cooperation in combating cyber threats," said Chris Henderson, senior director of threat operations at Huntress. "By taking control of the malware's command and control server and exploiting its native self-deletion functionality, they were able to remove a significant threat from thousands of infected machines." Henderson also emphasized that the careful planning that went into the file removal, particularly "the inclusion of a statement assessing the potential impact of the remediation," underscored the importance of ensuring that such actions do not cause unintended harm to the targeted systems.