FBI REMOTELY DELETES CHINESE MALWARE FROM U.S. COMPUTERS
FBI remotely deletes Chinese malware from thousands of U.S. computers in a court-approved cyber move
Global security action targets ‘Mustang Panda’ hackers identified as state-linked data theft group
– The Washington Times –
The FBI and French authorities conducted an international operation to remotely delete Chinese malware used by Beijing-linked hackers to steal data from thousands of U.S., European, and Asian computer networks, the Justice Department disclosed on Tuesday.
The hacking group dubbed “Mustang Panda” and “Twill Typhoon” by security authorities has been paid by the Chinese government since at least 2014 for the use of special malware called PlugX, the department said in a statement.
Court documents unsealed in federal court in Philadelphia charged that the hackers infiltrated Windows-based computers of both government and private sector networks in the United States. Shipping companies in Europe and several European governments were also hacked, along with Chinese dissident groups and governments throughout the Indo-Pacific region, an FBI affidavit stated.
French law enforcement was able to penetrate the Chinese command-and-control network that was running the hacking operation, the document said. The French then were able to issue a “self-delete” command that eliminated the software on an infected network.
The FBI then applied the same technique on U.S. systems.
FBI agents determined that the counter-malware technique did not impact the legitimate function of the infected networks or collect information from them, the Justice Department said in its statement. The court-authorized actions removed the malware from about 4,258 U.S.-based computers and networks.
The Justice Department disclosure is the latest in a string of damaging Chinese government computer infiltrations uncovered in recent months. Earlier known cyberattacks targeted critical U.S. infrastructure networks, including water networks on Guam, and nine American telecommunications company networks.
Retiring FBI Director Christopher A. Wray, in an exit interview broadcast Sunday, said China’s Communist government posed the greatest long-term threat facing the nation, including from damaging electronic hacking and network penetration operations.
“China’s cyber program is by far and away the world’s largest — bigger than that of every major nation combined — and has stolen more of Americans’ personal and corporate data than that of every nation, big or small, combined,” Mr. Wray said on CBS’s “60 Minutes.”
One key element of Chinese hacking is the pre-positioning of cyber sabotage software inside critical infrastructure networks, he said. The malware allows Beijing “to lie in wait on those networks to be in a position to wreak havoc and can inflict real-world harm at a time and place of their choosing.”
The infiltration includes placing the sabotage access points into networks that control water treatment plants, transportation systems, energy control systems, the electric power grid, and natural gas pipelines.
“And recently we’ve seen targeting of our telecommunications systems,” Mr. Wray said, noting that senior U.S. leaders’ phone communications have been intercepted by Chinese hackers.
A May report on Mustang Panda by U.S. and Canadian security agencies stated that the group is engaged in “political espionage.”
Mustang Panda “extensively targets [nongovernment organizations], religious institutions, think tanks and activist groups across diverse geographic locations, including the United States, Europe, Taiwan, Hong Kong, Tibet, Myanmar, Mongolia, Vietnam, Afghanistan, Pakistan, India and others,” stated the report, produced along with the FBI and Cybersecurity and Infrastructure Security Agency. “Their principal aim revolves around the meticulous surveillance of victim activities coupled with the deliberate endeavor to tarnish and impugn their reputations.”
According to the FBI affidavit, PlugX infiltrated computer networks through a USB drive. Once installed, the malware communicates with a Chinese command-and-control system that can then steal documents and information, delete files and take control of infected computer networks remotely.
“Mustang Panda employs strategic tactics to entice targets into clicking on links or attachments, often referencing current events, and incorporating malicious versions of legitimate or stolen documents,” the report said.
For example, in January 2022 emails containing links to remote-control units included a decoy European Commission report and a link to a European Union press release on human rights.
“Upon gaining initial access, Mustang Panda utilizes sophisticated techniques for prolonged and covert surveillance,” the report said. “In several instances, the group demonstrated its ability to monitor and exfiltrate data over extended periods, showcasing a capacity to remain undetected within an organization’s network.”
The Justice Department said the U.S.-French operation was able to successfully delete the PlugX malware around the world.
“This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity,” said Matthew G. Olsen, with the Justice Department’s National Security Division, praising the French government and the French cybersecurity firm Sekoia.io for leading the operation.
Wayne Jacobs, special agent in charge of the FBI Philadelphia office, said the Bureau identified and deleted the malware on thousands of infected U.S. computers.
“The scope of this technical operation demonstrates the FBI’s resolve to pursue [Chinese] adversaries no matter where they victimize Americans,” he said.