U.S. authorities have charged four Chinese military officers in the 2017 Equifax data breach, which compromised the data of nearly 150 million people.
The four, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, are believed to be members of the 54th Research Institute of the Chinese People’s Liberation Army (PLA), a component of the Chinese military. The Department of Justice (DoJ) alleges that they hacked into the credit reporting agency’s network on the hunt for sensitive Equifax consumer data, as well as valuable Equifax trade secrets.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, in a Monday announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
The four, who are still at large, allegedly exploited a flaw in the Apache Struts Web Framework in Equifax’s online dispute portal to obtain login credentials, which they then used to move further into the company’s network. Over several weeks, they are accused of running 9,000 queries to locate and exfiltrate sensitive customer data, including Social Security numbers, birth dates, addresses and some driver’s license numbers, as well as Equifax trade secret information (including data compilations and database designs).
To avoid detection, the four allegedly routed traffic through 34 servers located in nearly 20 countries and used encrypted communication channels within Equifax’s network to blend in with normal network activity. They are also accused of deleting compressed files and wiping log files on a daily basis in an effort to eliminate records of their activity.
Charges against the four include counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud; as well as counts of unauthorized access and intentional damage to a protected computer, economic espionage and wire fraud. The investigation was conducted jointly by the U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office. Equifax cooperated fully and provided valuable assistance in the investigation, according to the DoJ.
“The U.S. government is showing that despite the best efforts of the attackers, [they] are able to trace those attacks back to the source and provide specific attribution of the attack,” Chris Morales, head of security analytics at Vectra, told Threatpost. “This is even though the attackers leveraged multiple tricks to obfuscate their presence, including encrypted hidden tunnels to multiple destinations in nearly 20 countries. Attribution helps to understand how data would be used and for what purpose.”
It’s only the second time that Chinese army officers have been charged by U.S. authorities for hacks. The last time was in 2014, when the DoJ indicted five officers of the Chinese PLA for allegedly hacking into networks run by companies such as U.S. Steel, Westinghouse and Alcoa and stealing proprietary information that allegedly then was passed on to Chinese-owned companies.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” said Barr in a statement.
Equifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when it disclosed the data breach. In January 2020, a Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, in which Equifax will pay $380.5 million to settle lawsuits regarding the 2017 data breach. In addition, Equifax may be required to dole out an additional $125 million “if needed to satisfy claims for certain out-of-pocket losses.”