U.S. authorities have confirmed that they disrupted the operations of a Chinese state-backed hacking group, which infiltrated millions of computers worldwide to steal data as part of a years-long espionage campaign.
The Department of Justice and the FBI said on Tuesday that they had successfully deleted the malware planted by the China-backed hacking group, known as “Twill Typhoon” or “Mustang Panda,” from thousands of infected systems across the United States during a court-authorized operation in August 2024.
French authorities led the operation with assistance from Paris-based cybersecurity company Sekoia. In a press release last year, French prosecutors said the malware — known as “PlugX” — had infected several million computers globally, including 3,000 devices located in France.
Sekoia said in a blog post that it developed the capability to send commands to infected devices in order to delete the PlugX malware. U.S. authorities said that the operation was used to delete the malware from more than 4,200 infected computers in the United States.
In court records filed in the federal court in Pennsylvania, the FBI said it had observed the malware — typically installed on a target’s device through a computer’s USB port — since as early as 2012, and that the malware had been used by Chinese state-backed hackers since 2014.
Once installed, the malware goes on to “collect and stage the victim’s computer files for exfiltration,” the FBI said. French authorities say the PlugX malware is “used in particular for espionage purposes.”
In its statement Tuesday, the U.S. Justice Department accused the Chinese government of paying the Twill Typhoon group to develop the PlugX malware. China has long denied U.S. allegations of hacking.
While specific victims of this hacking campaign have not been named, the FBI says that Twill Typhoon infiltrated the systems of “numerous” government and private organizations, including in the United States. Significant targets include European shipping companies, several European governments, Chinese dissident groups, and various governments throughout the Indo-Pacific region, according to the FBI.
Twill Typhoon joins the growing list of Typhoon-monikered Chinese state-sponsored hacking groups. This list includes Volt Typhoon, a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks, and Salt Typhoon, the China-backed group responsible for the mass hacking of U.S. phone and internet companies.
According to Microsoft, which developed the naming system for hacking groups, Twill Typhoon (previously known as “Tantalum”) has a history of successfully compromising government machines across Africa and Europe, and humanitarian organizations worldwide.
Microsoft did not immediately respond to TechCrunch’s questions on Tuesday.