Chinese Military Hackers Charged Over Equifax Data Breach

The United States government has officially charged four members of China’s People’s Liberation Army (PLA) with hacking into credit reporting agency Equifax and being responsible for the massive data breach that exposed highly sensitive information on more than 145 million Americans.

According to the Department of Justice, a federal grand jury in Atlanta returned a nine-count indictment last week alleging that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, were members of the PLA’s 54th Research Institute, a component of the Chinese military, and are responsible for the hack.  

The indictment also accused the group of stealing corporate intellectual property (IP) from Equifax.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

As previously known, the indictment affirmed that the hackers exploited a vulnerability (CVE-2017-5638) in the Apache Struts Web 2 software used by Equifax’s online dispute portal to gain access to the sensitive data.

“The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the Justice Department said. “Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.”

The indictment also charges the defendants with stealing Equifax’s data compilations and database designs. 

In an attempt to cover their tracks, the attackers allegedly routed traffic through approximately 34 servers located in nearly 20 countries and used encrypted network traffic within Equifax’s network to blend in with normal network activity. They are also said to have deleted compressed files and wiped log files daily in an effort to eliminate records of their activity.

According to a 2018 report from the U.S. Government Accountability Office (GAO), it took Equifax 76 days to detect the data breach.

“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” Equifax CEO Mark W. Begor said in a statement. “It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government. The attack on Equifax was an attack on U.S. consumers as well as the United States.”

State sponsored hackers from China have also been suspected of being responsible for the massive Marriott data breach announced in 2018 that affected as many as 500 million individuals, and has also been the main suspect in the massive breach disclosed by the U.S. Office of Personnel Management (OPM) in 2015 that exposed millions of U.S. Government workers. In May 2019, the U.S. announced charges against Chinese hackers in conjunction with the 2015 data breach that impacted health insurer Anthem. 

Related: Equifax Ordered to Spend $1B on Data Security Under Data Breach Settlement