US authorities have confirmed they have disrupted the operations of a Chinese state-backed hacking group that infiltrated millions of computers around the world to steal data as part of a years-long espionage campaign.
The Justice Department and FBI said Tuesday they have successfully deleted malware installed by the China-backed hacking group, known as “Twill Typhoon” or “Mustang Panda,” from thousands of infected systems in the United States during a court-authorized operation that began in August 2024.
French authorities led the operation with assistance from Paris-based cybersecurity firm Sekoia. In a press release last year, French prosecutors said the malware – known as “PlugX” – had infected several million computers worldwide, including 3,000 devices located in France.
Sekoia said in a blog post that it has developed the ability to send commands to infected devices to eliminate the PlugX malware. US authorities said the operation was used to delete malware from more than 4,200 infected computers in the United States.
In court documents filed in federal court in Pennsylvania, the FBI said it had observed the malware, usually installed on a target’s device via the computer’s USB port, as early as 2012, and that the malware had been used by Chinese state-sponsored hackers since 2014.
Once installed, the malware continues to “collect and organize the victim’s computer files for exfiltration,” the FBI said. French authorities say the PlugX malware is “used primarily for espionage purposes.”
In its statement on Tuesday, the US Department of Justice accused the Chinese government of paying the Twill Typhoon group to develop the PlugX malware. China has long denied US hacking accusations.
While specific victims of this hacking campaign have not been named, the FBI says Twill Typhoon has infiltrated the systems of “numerous” government and private organizations, including in the United States. According to the FBI, significant targets include European shipping companies, several European governments, Chinese dissident groups, and various governments throughout the Indo-Pacific region.
Twill Typhoon joins the growing list of state-sponsored Chinese hacking groups tracked under the Typhoon moniker. This list includes Volt Typhoon, a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks, and Salt Typhoon, the China-backed group responsible for the mass hacking of U.S. telephone and Internet companies.
According to Microsoft, which developed the naming system for these hacking groups, Twill Typhoon (formerly known as “Tantalum”) has a history of successfully compromising government machines in Africa and Europe and humanitarian organizations around the world.
Microsoft did not immediately respond to questions from TechCrunch on Tuesday.
This is the latest in a long list of court-authorized operations undertaken by US authorities in recent years to counter the growing threat from foreign adversaries targeting American devices. Throughout 2024, the FBI carried out several operations involving the removal of malware and taking control of malicious botnets, with the goal of disrupting China-backed campaigns against U.S. critical infrastructure.
U.S. national security officials have previously described the Chinese government’s offensive cyber capabilities as a “momentous threat.”