US charges four Chinese military members with Equifax hack

The US has charged the Chinese military with plundering Equifax in 2017.

The Justice Department (DOJ) on Monday released a nine-count indictment that accused four members of the People's Liberation Army (PLA) of being hackers behind the breach, which was one of the largest in US history.

The breach exposed millions of names and dates of birth, taxpayer ID numbers, physical addresses, and other personal information that could lead to identity theft and fraud. Besides the original estimate of 145.5 million Americans who were affected, the breach also hit 15.2 million Brits and some 100,000 Canadians.

The indictment charged the four with a three-month campaign during which they allegedly hacked into computers of the credit-reporting agency and siphoned off the sensitive financial data and other personally identifiable information (PII) from all those people.

The accused are Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei: all members of the PLA's 54th Research Institute, which is part of the Chinese military.

How they allegedly pulled it off

According to the indictment, the four allegedly pried open Equifax by exploiting a vulnerability in the Apache Struts Web Framework software used by the credit reporting agency's online dispute portal.

We already knew it was done via a web app vulnerability and that it was a months-old Struts vulnerability: specifically, a nasty server-side remote code execution (RCE) bug made known to the public in March 2017.

The indictment says that the Chinese military staffers used that access to conduct reconnaissance of Equifax's online dispute portal and to obtain login credentials that could be used to further poke around in Equifax's network.

The defendants allegedly spent weeks running queries to identify Equifax's database structure and searching for sensitive PII within its system. Once they found files that they could exploit, they allegedly stored the stolen information in temporary output files, compressed and divided the files, and were ultimately able to download and exfiltrate the data from Equifax's network to computers outside the US, the indictment charges.

Make that a whole lot of queries against Equifax's system: the alleged attackers ran about 9,000 queries, which returned names, birth dates and taxpayer IDs for nearly half of all American citizens.

The indictment also charges the defendants with stealing trade secret information, namely Equifax's data compilations and database designs.

Attorney General William P. Barr, who announced the indictments, called it “a deliberate and sweeping intrusion into the private information of the American people.”

In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.

Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet's cloak of anonymity and find the hackers that nation repeatedly deploys against us.

The indictment says that the defendants tried to cover their tracks by routing traffic through some 34 servers, located in nearly 20 countries, to obfuscate their true location; that they used encrypted communication channels within Equifax's network to blend in with normal network activity; and that they allegedly deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.

Each of the defendants is charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. They've also been charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.