Source URL: https://www.schneier.com/blog/archives/2025/01/fbi-deletes-plugx-malware-from-thousands-of-computers.html
Source: Schneier on Security
Title: FBI Deletes PlugX Malware from Thousands of Computers
Feedly Summary: According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.”
Details:
To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US had back-and-forths with the command-and-control server since September 2023.
It was that very server that allowed the FBI to finally kill this pesky bit of malicious software. First, they tapped the know-how of French intelligence agencies, which had …
AI Summary and Description: Yes
Summary: The text discusses an FBI operation that removed PlugX, a malware family used by Chinese hacking groups, from approximately 4,258 U.S.-based computers and networks. The operation relied on French intelligence and on control of the malware's command-and-control (C2) server, and it shows how that server can be turned against the infection it manages.
Detailed Description: The efforts of the FBI in addressing the PlugX malware incident reveal significant insights into modern cybersecurity operations and the methods used for malware neutralization.
– **Malware Context**: PlugX is remote-access malware attributed to Chinese hacking groups; once installed it gives the operators unauthorized control of the infected system.
– **Command-and-Control Mechanism**: Infected machines connect out to a server operated by the hacking group, which uses that channel to retrieve information from them and send them commands.
– **Scale**: According to the FBI, at least 45,000 U.S. IP addresses had back-and-forth traffic with the C2 server since September 2023; the deletion itself reached approximately 4,258 U.S.-based computers and networks.
– **Collaborative Tactics**: The FBI leveraged the expertise of French intelligence, which had discovered a self-destruction technique for the malware.
– **Cybersecurity Operation**: The FBI accessed the command-and-control server, queried for infected IP addresses, and sent a command that effectively instructed PlugX to self-delete from the compromised systems.
These actions illustrate a proactive approach to cybersecurity and the value of international collaboration against cyber threats. For security and compliance professionals, the case makes two practical points. First, the same C2 channel that lets an operator task an implant is the channel that exposes the infection: monitoring egress traffic for connections to known C2 infrastructure is what identifies affected hosts, just as querying the seized server for connecting IP addresses did for the FBI. Second, a remote self-delete issued by a third party is not a substitute for an organization's own response; a host that beaconed to the server should still be examined for other persistence and for what the operators did while they had access.
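The following is an added example, not code from the Schneier post, the Ars Technica article or the DOJ, showing the defender-side equivalent of the FBI's "query the server for connecting IPs" step: scanning a batch of flow records for internal hosts that talked to a C2 indicator list, in either direction, and reporting how often and at what interval. Every IP address, host and log line is constructed for the example (RFC 5737 documentation ranges for external addresses, RFC 1918 for internal ones); none is a real PlugX indicator, and the indicator list stands in for whatever a threat-intelligence feed would supply.

```python
"""Flag internal hosts that have contacted known command-and-control addresses.

Added illustration, not from the Schneier post or the DOJ release. All IPs,
hosts and log lines are constructed; none is a real PlugX indicator.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed indicator set (assumption: what a threat-intel feed would provide).
C2_INDICATORS = frozenset({ip_address("203.0.113.7"), ip_address("198.51.100.23")})

# Private ranges: the side of a flow inside these is "our" host.
INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

# Constructed flow records: ts src_ip src_port dst_ip dst_port proto bytes
# 10.1.4.22 beacons out every ~30 min; 192.168.7.30 receives an inbound
# connection from a C2 address; 10.1.9.8 only talks to an unrelated host.
SAMPLE_FLOWS = """\
2023-09-14T08:01:02Z 10.1.4.22 51022 203.0.113.7 443 tcp 812
2023-09-14T08:31:05Z 10.1.4.22 51100 203.0.113.7 443 tcp 790
2023-09-14T09:01:07Z 10.1.4.22 51212 203.0.113.7 443 tcp 805
2023-09-14T09:02:11Z 10.1.9.8 44011 192.0.2.44 443 tcp 15220
2023-09-15T12:00:00Z 198.51.100.23 80 192.168.7.30 40123 tcp 1220
this line is deliberately malformed and must be skipped
2023-09-16T12:00:00Z 10.1.9.8 44015 192.0.2.44 443 tcp 14900
"""


@dataclass
class Flow:
    ts: datetime
    src: object  # ipaddress address object
    dst: object


@dataclass
class C2Contact:
    host: str
    c2_servers: set = field(default_factory=set)
    contacts: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    intervals_s: list = field(default_factory=list)  # seconds between successive contacts


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one whitespace-separated flow record; return None for anything unparsable."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return Flow(ts=ts, src=ip_address(parts[1]), dst=ip_address(parts[3]))
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_c2_contacts(lines: Iterable[str], indicators=C2_INDICATORS) -> dict:
    """Return {internal_host: C2Contact} for hosts seen talking to any indicator.

    Both directions are checked, so an inbound connection from a C2 address
    to an internal host is reported as well as an outbound beacon.
    """
    flows = [f for f in (parse_flow(line) for line in lines) if f is not None]
    flows.sort(key=lambda f: f.ts)  # intervals only make sense in time order
    hits: dict = {}
    for flow in flows:
        if flow.dst in indicators and is_internal(flow.src):
            host, c2 = flow.src, flow.dst
        elif flow.src in indicators and is_internal(flow.dst):
            host, c2 = flow.dst, flow.src
        else:
            continue
        rec = hits.setdefault(str(host), C2Contact(host=str(host)))
        rec.c2_servers.add(str(c2))
        rec.contacts += 1
        if rec.last_seen is not None:
            rec.intervals_s.append(int((flow.ts - rec.last_seen).total_seconds()))
        rec.first_seen = rec.first_seen or flow.ts
        rec.last_seen = flow.ts
    return hits


if __name__ == "__main__":
    for host, rec in sorted(find_c2_contacts(SAMPLE_FLOWS.splitlines()).items()):
        print(f"{host}: {rec.contacts} contact(s) with {sorted(rec.c2_servers)}, "
              f"{rec.first_seen:%Y-%m-%d %H:%M}..{rec.last_seen:%Y-%m-%d %H:%M}, "
              f"intervals {rec.intervals_s}s")
```

The regular ~1800 s gaps reported for the beaconing host are the kind of periodicity that distinguishes implant check-ins from ordinary browsing; in a real deployment the indicator set would come from a feed and the records from a flow collector or proxy log, but the matching logic is the same.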