
French Government Investigates Alleged Chinese Espionage


French authorities are investigating a suspected Chinese espionage campaign that has infected thousands of networks in the country. The Paris Public Prosecutor’s Office recently announced that it has launched a preliminary investigation into a network of zombie machines, or botnet, used for espionage purposes. The hacking campaign, which was uncovered by French cybersecurity firm Sekoia in 2023, involved the distribution of the PlugX remote access Trojan and has infected 3,000 machines in France since 2020.

The French National Police’s digital unit has taken the lead in restoring the affected devices, starting the disinfection operation on July 18. According to the Paris Public Prosecutor’s Office, the operation is expected to continue for several months, with approximately a hundred victims already benefiting from the disinfection process within hours of its commencement, primarily in France. Devices in other European countries, including Malta, Portugal, Croatia, Slovakia, and Austria, have also been restored by French authorities. The Prosecutor’s Office has assured that French victims will be individually notified by the National Information Systems Security.

PlugX, also known as Destroy RAT and Kaba, has been operating since 2008 and provides attackers with backdoor capabilities to gain full control of infected devices remotely. This particular variant of PlugX has been associated with Chinese advanced persistent threat (APT) groups such as Violet Typhoon, Mustang Panda, and Wicked Panda. Sekoia’s analysis of the campaign revealed the use of a previously unseen worm variant of PlugX attributed to the Chinese APT group Mustang Panda. The campaign, which began in 2020, spread through infected flash drives, allowing the malware to copy itself to the host, establish persistence, and infect new connections every 30 seconds.

Sekoia estimated that the campaign has targeted millions of devices in over 170 countries, indicating that the botnet operators’ motive is to infect as many victims as possible across multiple countries, including offline devices. The cybersecurity firm managed to take control of the botnet’s command-and-control server and developed a disinfection tool that was provided to the police force for use in the operation. A Sekoia spokesperson explained that it is up to each local authority to decide and manage the disinfection campaign in their respective countries.

Overall, the French government’s investigation into this suspected Chinese espionage campaign underscores the ongoing threat of cybercrime and the need for international cooperation to combat such malicious activities. As technology continues to advance, it is crucial for cybersecurity experts and law enforcement agencies to work together to protect networks and devices from cyber threats and ensure the safety and security of individuals and organizations worldwide.
