The U.S. Department of Justice has charged four members of the Chinese People's Liberation Army with nine criminal counts, accusing them of orchestrating and carrying out the 2017 hack of credit reporting agency Equifax.
An indictment returned by a federal grand jury in Atlanta and unveiled today by the DOJ alleges that Beijing residents Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei committed cyber espionage against Equifax, stealing the personally identifying information of roughly 145 million Americans – close to half the U.S. population – as members of the PLA's 54th Research Institute.
According to the indictment, from mid-May through July 2017, the four defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute resolution portal. A fix for this flaw was available the previous March but was not applied in time by Equifax.
Allegedly, after penetrating the network, the four defendants deployed web shells, performed reconnaissance of the portal, obtained login credentials, and ran roughly 9,000 queries – in the processing obtaining American citizens' PII, including names, birth dates, social security numbers and in some cases and driver’s license numbers. They also allegedly accessed Equifax’s trade secrets, including data compilations and schemas that it uses to conduct its business services.
"Those trade secrets were the product of decades of investment and hard work by the company," said Attorney General William Barr in official public remarks today.
The four men allegedly moved the illegally accessed information into temporary output files, then compressed and divided the files, and ultimately exfiltrated them.
"This was a deliberate and sweeping intrusion into the private information of the American people," also said Barr, in a press release. "Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet's cloak of anonymity and find the hackers that nation repeatedly deploys against us."
China has developed a long-standing reputation for conducting cyber espionage operations to steal Western nations' intellectual property, despite a 2015 Sino-U.S. pact designed to eliminate such behavior.
"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets and other confidential information," Barr continued. "Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection to China."
"For years, we have witnessed China’s voracious appetite for the personal data of Americans," Barr continued, "including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China's development of artificial intelligence tools as well as the creation of intelligence targeting packages."
To evade detection, the actors hid their location by routing traffic through about 34 servers in nearly 20 countries, the DOJ release alleges. They also allegedly "used encrypted communication channels within Equifax's network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity," the release continues.
The four defendants have been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit economic espionage, one count of conspiracy to commit wire fraud, two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
Equifax in July 2019 settled with the Federal Trade Commission, agreeing to pay an approximately $700 million settlement as compensation for the breach. And in January, a federal judge in Georgia awarded plaintiffs $380.5 million in a class-action lawsuit against Equifax.
"I'm glad the DOJ has moved to formally indict the Chinese intelligence officers associated with the hack of Equifax," said Sen. Mark Warner, D-Virg., in an official comment. "That said, the indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax's systems and response to the hack. A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care – and face any consequences that arise from that failure."
"The U.S. government is showing that despite the best efforts of the attackers, we are able to trace those attacks back to the source and provide specific attribution of the attack," said Chris Morales, head of security analytics at Vectra. "This is even though the attackers leveraged multiple tricks to obfuscate their presence, including encrypted hidden tunnels to multiple destinations in nearly 20 countries."
"It is commendable that the government intervenes in our interests in these large prolific attacks. It is important to collaborate at a private-public level," Morales continued. "Unfortunately for everything else, in particular with smaller organizations, the level of effort to attribute and prosecute for an attack is not feasible."