The US Justice Department and FBI have completed a court-authorized law enforcement operation to delete Chinese malware from approximately 4,258 US-based computers and networks. The wider international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company.
According to court documents unsealed in the Eastern District of Pennsylvania, a group of hackers paid by the People’s Republic of China (PRC), known as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers. Since at least 2014, Mustang Panda hackers have infiltrated thousands of computer systems in campaigns targeting US victims, European and Asian governments and businesses, and Chinese dissident groups.
US authorities present the operation as one step in an ongoing effort to counter nation-state-sponsored intrusions into US computers and networks. It follows a series of PRC-linked campaigns against US institutions and critical infrastructure.
In November, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement announcing that “China-affiliated actors have compromised networks at multiple telecommunications companies.” According to the statement, that access allowed the intruders to take customer call records and the private communications of a limited number of individuals, primarily those involved in government or political activity.
Cyber-espionage is a global threat
Because cyber espionage is global, US law enforcement agencies now work closely with partner governments to counter it. Deleting Mustang Panda's PlugX malware from thousands of US computers and networks is an example of that cooperation.
“Leveraging our partnership with French law enforcement, the FBI acted to protect US computers from further compromise by PRC state-sponsored hackers,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.
“The Department of Justice prioritizes proactively disrupting cyber threats to protect US victims from harm, even as we work to arrest and prosecute the perpetrators,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity.”
In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the US part of the operation.
However, the FBI continues to investigate Mustang Panda's intrusion activity and strongly encourages users to run anti-virus software and apply software security updates to help prevent reinfection.