
The FBI removed Chinese malware from 4,200 American computers

The FBI said Tuesday it conducted a months-long operation to remove Chinese government-backed malware from more than 4,200 infected U.S. computers that was designed to infect, control and steal information from victims’ machines.

Dubbed PlugX, the program was distributed by Twill Typhoon, a hacking group sponsored by China’s central government. The FBI has been tracking variants of PlugX since 2012 that were used to remotely access victims’ computers, execute commands and extract files stored on those devices, according to court documents provided by the Department of Justice.

French law enforcement officials and the French cyber company Sekoia.io helped identify the malware and build the teams used to remove it from victim devices. In August, the Department of Justice and the FBI received court approval for the first time to conduct a takedown operation, which removed the malicious software from 4,258 U.S. computers and networks.

Those affected were notified through their Internet service providers. A particular version of PlugX spreads via USB devices connected to Windows computers and remains on victims’ computers using a method that causes the computer to run a hidden PlugX program when the computer boots.

When infected with PlugX, computers are secretly programmed to communicate with a control server whose IP address is hardcoded into the malware, which investigators identified through IP address scanning, according to court documents.

An unnamed French law enforcement agency gained access to that control server, the documents state. French authorities opened an investigation into the spread of PlugX in July, noting that thousands of machines in France were infected with the malware.

Since 2014, Twill Typhoon has targeted U.S., European and Asian governments, as well as Chinese dissident groups, according to the Department of Justice. The hacking unit is one of several included in the “Typhoon” syndicate, an alias used by the cybersecurity community to refer to a group of Beijing-backed cyber campaigns aimed at spying on and infiltrating critical infrastructure.

Salt Typhoon, for example, is gaining notoriety for hacking telecommunications systems, while Silk Typhoon was recently identified as the organization that infiltrated multiple Treasury Department offices that handle sensitive financial and sanctions data.

America’s cyberwarriors in the incoming Trump administration may be authorized to conduct more aggressive cyber operations against China and other foreign adversaries in cyberspace, as some members of the new leadership have expressed support for the tactic.

Congressman Mike Waltz, R-Fla., President Donald Trump’s national security adviser, said last month that the U.S. should “start attacking and start imposing, I think, higher costs and consequences on private and nation-state actors” who hack U.S. networks.

“We’re going to be in your networks wreaking havoc, and two can play that game,” Don Bacon, R-Neb., chairman of the House Armed Services Committee’s Cyber and IT Subcommittee, told Politico on Monday.

The FBI has already conducted a number of malware removals against Chinese actors and others, although many have argued that these moves serve only as defensive measures, since they have not deterred the cyber behavior of any foreign competitors.

“The Department of Justice prioritizes proactively stopping cyberthreats to protect U.S. victims from harm even as we work to arrest and prosecute those responsible,” said Assistant Attorney General Matthew Olsen, who works in the Department of Justice’s National Security Division. “This operation, like other recent technical operations against Chinese and Russian hacking groups … depended on strong partnerships to successfully counter malicious cyber activity.”