DOJ Confirms FBI's Major Operation to Eradicate Chinese Malware from Thousands of US Computers

In a significant development in the realm of cybersecurity, U.S. authorities have successfully disrupted the operations of a state-sponsored Chinese hacking group known as “Twill Typhoon.” This group has been implicated in a long-standing espionage campaign that has affected millions of computers worldwide.

Details of the Cybersecurity Operation

In August 2024, the Department of Justice and the FBI announced that they had executed a court-authorized operation to remove malware associated with the Twill Typhoon hacking group from thousands of infected systems across the United States.

Collaboration with French Authorities

The operation was spearheaded by French authorities, with crucial support from the Paris-based cybersecurity firm Sekoia. According to a press release from French prosecutors, the malware, identified as “PlugX,” had compromised millions of computers globally, including approximately 3,000 devices in France.

Impact of the Malware

Sekoia revealed in a blog post that it developed a method to send commands to the infected devices, enabling the deletion of the PlugX malware. U.S. authorities confirmed the malware was eradicated from over 4,200 computers in the United States.

Background of the Malware

In documents filed in federal court in Pennsylvania, the FBI noted that the PlugX malware has been monitored since as early as 2012. This malware, typically installed via a computer’s USB port, has been utilized by Chinese state-backed hackers since 2014.

  • Functionality of PlugX: Once installed, it collects and stages the victim’s computer files for exfiltration.
  • Espionage Use: French authorities identified PlugX as primarily designed for espionage activities.

Accusations Against the Chinese Government

The U.S. Justice Department has accused the Chinese government of funding the Twill Typhoon group to develop the PlugX malware. Despite these allegations, China has consistently denied any involvement in hacking activities.

Victims of the Hacking Campaign

While specific victims have not been disclosed, the FBI indicated that Twill Typhoon had infiltrated a variety of government and private organizations, notably:

  1. European shipping companies
  2. Several European governments
  3. Chinese dissident groups
  4. Various governments in the Indo-Pacific region

Growing Threat from Chinese Hacking Groups

Twill Typhoon is part of a broader trend of Chinese state-sponsored hacking groups, including:

  • Volt Typhoon: Focused on preparing for destructive cyberattacks.
  • Salt Typhoon: Involved in large-scale hacking of U.S. telecommunications firms.

According to Microsoft, Twill Typhoon (formerly referred to as “Tantalum”) has had success in compromising government systems across Africa and Europe, as well as humanitarian organizations globally.

Ongoing Cybersecurity Measures

This operation is part of a series of court-authorized actions by U.S. authorities to combat the escalating threat from foreign adversaries targeting American systems. Throughout 2024, the FBI has executed multiple operations aimed at malware removal and disrupting malicious botnets, particularly those associated with Chinese-backed cyber campaigns.

U.S. national security officials have previously characterized the Chinese government’s offensive cyber capabilities as an “epoch-defining threat.”

For more information on cybersecurity initiatives and updates, visit the Department of Justice website.