
Chinese Military Hackers Charged Over Equifax Data Breach

The United States government has officially charged four members of China’s People’s Liberation Army (PLA) with hacking into credit reporting agency Equifax and being responsible for the massive data breach that exposed highly sensitive information on more than 145 million Americans.

According to the Department of Justice, a federal grand jury in Atlanta returned a nine-count indictment last week alleging that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military, and are responsible for the hack.

The indictment also accused the group of stealing corporate intellectual property (IP) from Equifax.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

As was already publicly known, the indictment confirms that the hackers exploited a vulnerability (CVE-2017-5638) in the Apache Struts 2 web framework used by Equifax’s online dispute portal to gain access to the sensitive data.

“The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the Justice Department said. “Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.”

The indictment also charges the defendants with stealing Equifax’s data compilations and database designs.

In an attempt to cover their tracks, the attackers allegedly routed traffic through approximately 34 servers located in nearly 20 countries and used encrypted network traffic within Equifax’s network to blend in with normal network activity. They are also said to have deleted compressed files and wiped log files daily in an effort to eliminate records of their activity.

According to a 2018 report from the U.S. Government Accountability Office (GAO), it took Equifax 76 days to detect the data breach.

“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” Equifax CEO Mark W. Begor said in a statement. “It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government. The attack on Equifax was an attack on U.S. consumers as well as the United States.”

State-sponsored hackers from China have also been suspected of being responsible for the massive Marriott data breach announced in 2018, which affected as many as 500 million individuals, and China has also been the main suspect in the massive breach disclosed by the U.S. Office of Personnel Management (OPM) in 2015 that exposed the records of millions of U.S. government workers. In May 2019, the U.S. announced charges against Chinese hackers in connection with the 2015 data breach that impacted health insurer Anthem.


Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
