The U.S. Department of Justice and the FBI have officially confirmed the successful disruption of a massive espionage campaign orchestrated by a China-backed hacking group. In a court-authorized operation conducted in August 2024, federal authorities remotely purged the “PlugX” malware from over 4,200 infected systems across the United States.
The Operation Against “Twill Typhoon”
The operation targeted the hacking collective known as “Twill Typhoon” (also identified as “Mustang Panda”). This state-sponsored group is accused of infiltrating millions of devices globally to facilitate long-term data theft. While the U.S. led the domestic cleanup, the broader effort was spearheaded by French authorities with critical technical support from the Paris-based cybersecurity firm Sekoia, which developed the command-based protocol to neutralize the malware.
According to official DOJ documentation, the PlugX malware has been a persistent threat since 2012, and Chinese state-backed actors have used it for espionage since 2014. The malware is typically delivered via compromised USB ports, allowing attackers to stage and exfiltrate sensitive files from victim devices.
Global Reach and Strategic Targets
While the FBI has not disclosed the names of specific victims, the scope of the infiltration was extensive. Targets identified by federal investigators include:
- Government agencies and private organizations within the U.S.
- European shipping companies and various European governments.
- Chinese dissident groups.
- Multiple government entities throughout the Indo-Pacific region.
French prosecutors noted in a press release that the malware had compromised several million computers worldwide, with at least 3,000 devices identified in France alone.
A Pattern of State-Sponsored Cyber Warfare
Twill Typhoon represents just one segment of a broader, aggressive cyber-espionage apparatus. The group joins a list of “Typhoon” entities, such as Volt Typhoon—noted for targeting critical infrastructure—and Salt Typhoon, which recently executed mass hacks against major U.S. telecommunications providers.
Microsoft, which tracks these threat actors, identifies the group as having a long history of compromising government systems across Africa and Europe, as well as international humanitarian organizations. Despite the mounting evidence, the Chinese government continues to deny all U.S. allegations regarding state-sponsored hacking.
Rising Tensions in Cyberspace
This operation is part of an increasingly proactive stance by U.S. national security officials, who have characterized China’s offensive cyber capabilities as an “epoch-defining threat.” Throughout 2024, the FBI has intensified its use of court-ordered interventions to dismantle botnets and remove malicious software, signaling a shift toward more aggressive disruption of foreign cyber operations targeting American infrastructure.
