4 in Chinese Army Charged With Breaching EquifaxJustice Department Unveils Indictments Against Members of China's PLA
(This story has been updated.)
Four members of China's People's Liberation Army have been indicted for allegedly hacking Equifax in 2017 and stealing the personal data of over 145 million Americans as well as a vast trove of the company's trade secrets and intellectual property, the U.S. Justice Department announced Monday.
U.S. Attorney General William Barr called the Justice Department’s investigation of the Equifax data breach one of the largest and most complex criminal investigations ever undertaken. The case is also one of the largest thefts of intellectual property by cyber spies associated with China, he added.
"This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military," Barr said.
The nine-count indictment charges the four members of the People's Liberation Army with three counts each of conspiracy to commit computer fraud, conspiracy to commit economic espionage, conspiracy to commit wire fraud and wire fraud.
All four alleged hackers are also charged with two counts each of unauthorized access and intentional damage to a protected computer as well as one count of economic espionage, according to the indictment.
The four alleged hackers, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, are members of the People's Liberation Army's 54th Research Institute, according to the Justice Department.
It’s unlikely that the four will ever be arrested and face trial in the U.S. because China will not extradite them.
Going After State-Sponsored Actors
In his remarks, Barr said the Justice Department typically doesn’t investigate and criminally charge members of other country's military or intelligence services, but in cases where intellectual property and citizens' private data is exposed, federal prosecutors are willing to step in.
"We have charged state-sponsored actors for computer intrusions into the United States for the purpose of intellectual property theft for the use of their private sector, bank robbery and interfering with our democratic elections," Barr said. "Like those cases, the deliberate, indiscriminate theft of vast amounts of sensitive personal data of civilians, as occurred here, cannot be countenanced."
But these types of indictments will not likely have much of an impact on China’s efforts to steal data and intellectual property, says Jake Williams, a former operator with the National Security Agency's Tailored Access Operations unit and founder of Rendition Infosec, a security consultancy in Atlanta.
"In short, this indictment has no teeth. Unlike U.S. operators, Chinese operators [government hackers] lack the choice to say, 'No, I don't want to hack for you'," Williams tells Information Security Media Group. "So it's not like this is going to hurt recruiting in China. What charges like this will eventually do is cause other nations to charge U.S. operators by name - and that will absolutely hurt [U.S.] recruiting."
Ongoing Concerns Over Equifax
The 2017 Equifax breach exposed the personal information of over 145 million U.S. consumers as well as 15.2 million records related to U.K. residents and data on 8,000 Canadians. At the heart of the breach was Equifax's failure to patch a vulnerability in the Apache Struts open source web application framework, according to numerous investigations into the incident by the U.S. government, lawmakers and others.
By taking advantage of that vulnerability, the attackers found their way into the network, had access to the infrastructure for over 70 days and stole data and intellectual property, authorities say.
In April 2019, a Congressional report found that some of the malicious traffic associated with the breach came from an IP address in China, but Monday's indictments are the first time that U.S. law enforcement has directly tied the breach to the Chinese government (see: Congressional Report Rips Equifax for Weak Security).
Over the years, Atlanta-based Equifax has been criticized by Congressional investigators and security experts for its lack of internal security and its failure to promptly patch the Apache Struts vulnerability.
In January, a federal judge in Atlanta gave final approval to a $1.38 billion settlement that resolved a class action lawsuit against Equifax.
A spokesperson for Equifax could not be reached for comment on Monday. But Jamil Farshchi, the company's CISO, posted on LinkedIn that the credit rating agency continues to update its security policies.
"Equifax has been transforming our security program - embedding security into our DNA by driving cultural change, implementing advanced controls tailored to the specific threats we face, [and] achieving relevant certifications," Farshchi notes.
Scale of Theft
The Justice Department says the personally identifiable information that was stolen in the 2017 breach included names, birth dates and Social Security numbers of over 145 million Americans, and the driver’s license numbers of at least 10 million Americans, according to the Justice Department.
In addition, the credit card numbers of at least 200,000 U.S. citizens were stolen, according to the indictment.
The goal of the hackers, however, was not to sell this data on underground sites but to create a database of information that the Chinese government could use to map the lives of U.S. citizens who are of interest to the country, says Tom Kellermann, the head of cybersecurity strategy at VMware who formerly served on the Commission on Cyber Security for the 44th President.
"The attack against Equifax was for intelligence gathering purposes, to understand which Americans are susceptible to bribery and where significant Americans lay their heads,” Kellermann tells ISMG. “It illustrates the evolution of tradecraft in cyberspace."
While many of the security issues at Equifax in 2017 have been discussed in lawsuits, investigations and news media reports, the new indictments offer some additional details of what happened staring in May of that year.
After exploiting the vulnerability in Apache Struts, the hackers allegedly gained access to Equifax's online dispute portal in order to gain a foothold within the corporate network and steal more credentials, according to the indictment.
After that, the four hackers spent several weeks mapping the network and running queries to understand what databases they could access and which ones held the personal data and intellectual property they were seeking, the indictment says. The hackers ran about 9,000 queries within the network over the course of several months, it adds.
"Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States," prosecutors say.
To help conceal their presence for over 70 days, the hackers routed their own network traffic through 34 servers in 20 counties and also used encrypted channels within Equifax's own network to "blend in" with normal network traffic, according to the indictment. On a daily basis, the hackers allegedly wiped log and other files to hide their activities, according to the indictment.
U.S. and China
Last week, Barr said in a speech that the Justice Department was preparing to become more aggressive in fighting China’s use of hackers to steal data, company secrets and intellectual property.
"Those actions by China are continuing, and you should expect more indictments and prosecutions in the future," Barr said Thursday during at event sponsored by the Center for Strategic and International Studies (see: Barr: US Should Invest in Nokia, Ericsson).
On Monday, Barr noted that other indictments have served as way to bring attention to other activities tied to China, including the hacking of the U.S. Office of Personnel Management, the intrusion into Marriott hotels and attacks that targeted health insurer Anthem.
The attorney general also called attention to a hacking group known at APT10, which is associated with China's Ministry of State Security and has targeted numerous organizations, including managed service providers (see: Report: Cloud Hopper Attacks Affected More MSPs).
Altogether, Barr estimates that about 80 percent of the Justice Department's economic espionage prosecutions and approximately 60 percent of all trade secret theft cases in recent years involved some connection to China.
Chris Pierson, CEO of the cybersecurity company BlackCloak, tells ISMG: "This indictment sheds light on the fact that the Chinese government has failed to live up to its obligations to leave softer consumer based targets alone. Instead, it demonstrates a dedicated attack on nearly half the U.S. population, so that other targeted attacks might be launched. … In recent years, the U.S. has not shown a willingness to respond to these civilian attacks, but it could cause increased tensions in trade negotiations and ongoing relations."