(by Aaron Holmes, Business Insider) — The Department of Justice charged four members of communist China’s military intelligence with hacking into the credit-reporting agency Equifax in 2017 and stealing about 145 million Americans’ data, Attorney General William Barr said Monday.
The Equifax breach, one of the largest hacks in history, led to a congressional inquiry and the resignation of CEO Richard Smith. Equifax also agreed to pay up to $700 million to settle federal and state investigations into how it handled the breach.
A DOJ announcement on Monday said the four Chinese officers were accused of compromising Equifax’s servers by exploiting an Apache vulnerability, obtaining the names, birthdates, and Social Security numbers of nearly 145 million Americans — about half of all Americans.
“The scale of the theft was staggering,” Barr said.
The nine-count indictment, handed down by a federal grand jury in Atlanta, implied that there may have been more co-conspirators within communist China’s People’s Liberation Army (PLA). The four defendants named (PLA operatives Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei) were charged with conspiracy to commit computer fraud, economic espionage, and wire fraud.
Barr said the DOJ believes the information was harvested to feed China’s development of artificial-intelligence tools.
“For years we have witnessed China’s voracious appetite for the personal data of Americans,” Attorney General William Barr said at a press conference. “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
“This was a deliberate and sweeping intrusion into the private information of the American people,” Barr said in a statement, adding, “Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China.”
The indictment also alleged that the hackers stole trade secrets and intellectual property from Equifax. Barr said the hackers went to great lengths to hide their identity, routing traffic through 34 servers in nearly 20 countries.
“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.
Equifax is a consumer-credit-reporting agency headquartered in Atlanta that sells credit-monitoring and fraud-prevention services.
“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” an Equifax representative said in a statement to Business Insider. “It is reassuring that our federal law enforcement agencies treat cybercrime — especially state-sponsored crime — with the seriousness it deserves. The attack on Equifax was an attack on U.S. consumers as well as the United States.”
Sen. Mark Warner, a Virginia Democrat and co-chair of the Senate Cybersecurity Caucus, lauded the DOJ indictment in a statement but also said Equifax was responsible for bolstering its security to prevent such breaches. Warner, along with Sen. Elizabeth Warren of Massachusetts, has introduced a bill to hold credit-reporting agencies accountable for breaches of customers’ data.
“The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Warner said. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care — and face any consequences that arise from that failure.”
Published by businessinsider.com on February 10, 2020. Reprinted here for educational purposes only. May not be reproduced on other websites without permission from Business Insider.
How did they do it?
The hackers first gained access to Equifax’s network no later than May 13, 2017, according to the indictment. They exploited a flaw in Apache Struts, the software that powered Equifax’s dispute resolution portal, which let them steal login credentials for other parts of the network.
They then allegedly spent several weeks hunting for sensitive data, running approximately 9,000 search queries that turned up sensitive data such as Social Security numbers and passport photos. Once they identified the files they wanted to take, they packaged them in a manner designed to avoid detection and transmitted them to overseas computer servers.
“They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity,” the Justice Department said in a press release.
The alleged thefts, which also targeted trade secrets such as Equifax’s proprietary methods of assembling and storing its data, continued through July 30, 2017.
What happens next?
The U.S. does not have evidence that Beijing or anyone else has begun exploiting the stolen information, FBI Deputy Director David Bowdich told reporters.
If previous cases are any indication, there’s little chance the hackers blamed for the Equifax breach will be apprehended by U.S. officials anytime soon.
Officials routinely acknowledge as much when announcing charges against state-backed hackers, but they say that the charges put bad actors on notice and curtail their ability to live normal lives.
“We’ll keep putting pressure on these bad actors, making sure they understand the risks and the consequences of their actions,” Bowdich said.
(from a Feb. 10 Politico report by Eric Geller)