The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.
The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even impacted the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS), and used a combination of zero-day exploits and other techniques for infiltrating networks and exfiltrating data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security due to access to sensitive information.
The Chinese state-sponsored group RedDelta has been actively targeting Mongolia, Taiwan, and Southeast Asia since July 2023, continually adapting its infection chains to distribute its customized PlugX backdoor. RedDelta employs spearphishing with lure documents themed around political and cultural events, and has compromised government and diplomatic organizations in multiple countries. Its delivery chains use Windows Shortcut (LNK) files, Microsoft Management Console Snap-In Control (MSC) files, and HTML files hosted on Microsoft Azure. The group also proxies command-and-control (C2) traffic through the Cloudflare CDN so that it blends in with legitimate network activity, which complicates victim identification.