It’s been 17 months since the infamous 2017 Equifax data breach was revealed to have compromised the data of about 147.9 million people (i.e., almost every adult in the U.S., with more than 45 percent of the population directly affected by the incident).
But an investigative report from CNBC found that, curiously, the data hasn’t yet turned up on the Dark Web. According to the outlet’s threat-hunter sources, it increasingly looks like a spy job carried out by a nation-state, not criminals bent on ID theft or financial gain.
This is in line with prior warnings from the Feds. For instance, about three years ago, the U.S. Department of Defense issued a warning that foreign nation-state hackers/APTs were targeting not only government contractors, but also academic institutions. The FBI issued a similar warning on the same day, indicating that Chinese hackers were equally interested in compromising sensitive data held by commercial enterprises in the U.S.
Security experts weighed in with Threatpost with their thoughts.
“Frankly, I think the bullet point under the headline about it being state-sponsored explains a lot,” Troy Hunt, the researcher behind the HaveIBeenPwned database, told Threatpost. “Actors at that level aren’t looking to cash data in for a few bitcoin and it wouldn’t surprise me in the least if it never sees the light of day. Just think about how many incidents must be out there already that we may never know about simply because those responsible have no reason to advertise it.”
Terry Ray, CTO at Imperva, meanwhile said in an emailed statement, “The way I see it, the fact that the stolen Equifax data hasn’t appeared in 18 months is no ‘great mystery’ at all – it’s just a likely confirmation that the attacker was a nation-state, which aligns with the current trend in global cyberwarfare. These sophisticated state-sponsored hacker armies are no longer just focusing on attacking government agencies and other traditional targets, but also civilian enterprises and civilian data, largely in an attempt to sow discord and confusion.”
He added, “They’re doing it because their efforts can pay off big dividends in the long run when it nets them secret and useful economic, military and national-security information down the road.”
Chris Morales, head of security analytics at Vectra, said that information-gathering for intelligence purposes quite often means that the target is a small subset of people within a large database. For example, a nation-state could be targeting high-profile individuals such as political figures.
However, he added that other theories make sense too.
“An alternative theory would be that the actual target of the Equifax breach was the partnering banks where Equifax has a trusted connection and Equifax was simply a back door to financial theft,” he told Threatpost. “It is possible the attackers simply didn’t achieve their ultimate goal and that the data has not been released out of fear of attribution from the many people hunting for whoever stole the Equifax data. Releasing that data could provide a digital trail to the attackers that isn’t worth the risk of being caught.”
Joseph Carson, chief security scientist at Thycotic, meanwhile told Threatpost that there are many explanations.
“The primary reason that the Equifax breach information has not turned up anywhere online is because the value of keeping it hidden is higher than disclosing it publicly,” he said. “The cybercriminals who performed the hack are the same cybercriminals abusing the data, have sold the data to a nation state, or are acting on behalf of a nation state. Honestly, it is not a big surprise to me as most cybercriminals prefer to remain hidden. In addition, sometimes disclosing the data can lead to identifying the actors behind it.”
Morales added that unraveling the mystery may be a moot point. “We don’t really know, and from a consumer perspective, the damage has been done,” he said. “When I speak with clients, I make a point that it doesn’t matter who is targeting you or why. It only matters that it is happening to you right now and that you are able to respond quickly to reduce the impact. Attribution of an attack, as in who and why, becomes more important after the damage is done to understand how to remediate and prevent future attacks.”