DOJ Discloses Operation That Deleted PlugX Malware from 4,250 Hacked Computers

The DOJ has disclosed that a multi-month law enforcement operation allowed the FBI to delete PRC-associated PlugX malware from over 4,250 infected computers:

The Justice Department and FBI today announced a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide. As described in court documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s Republic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers.

According to court documents, the PRC government paid the Mustang Panda group to, among other computer intrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups. Despite previous cybersecurity reports, owners of computers still infected with PlugX are typically unaware of the infection. The court-authorized operation announced today remediated U.S.-based computers infected with Mustang Panda’s version of PlugX.    

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 had the following comment on this news:

“It’s always a good day when the good guys get a win! As simple as it seems for anyone to go in and proactively remove malware, it really isn’t easy to do. First, you’ve got to make sure you can do it legally. That often takes lawyers and legal review, and in most cases, lawyers with experience in global cybercriminals and laws. It takes someone in law enforcement who cares enough to push it. They’ve got to make a case and get it approved by senior management. Then, the removal process has to be tested.” 

“In this case, the FBI relied upon the bot’s own removal instructions, but it isn’t always this easy. Historically, there have been instances of less mature and capable but well-meaning defenders who have less elegantly removed malware and caused more problems than the malware did. The solution has to be tested and retested. Then, it has to be globally coordinated to happen as quickly as it can before the attackers know something is up and implement defenses.” 

“The overall process is more difficult than it first sounds. There’s a reason why proactive removal isn’t that common. With that said, it does seem like we are seeing just a bit more of these proactive removal projects than we used to see. Of course, expect to see the hackers respond by making it harder for unauthorized removal schemes to take place. It’s a business, and the bad guys see the good guys as adversaries and will respond accordingly. The bad guys won’t sit back and stay defeated. They will respond. They will make it harder for future efforts to be as successful. But for today, let’s celebrate the win!”

Wins seem to be hard to come by these days. Thus I will take this one. But realistically, what needs to happen is that prevention and detection need to get better, so that actions like these are the exception.
