U.S. Indicts Chinese Military Officers in Equifax Breach
The U.S. Department of Justice has charged four Chinese military officers in the 2017 hacking attack on Equifax, one of the country's three major credit bureaus. This attack compromised the personal information of about 145 million Americans, or nearly half of all adults in the country.
After a two year investigation, the Department of Justice charged Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei with nine counts, including computer fraud conspiracy, unauthorized access, wire fraud and intentional damage.
The Department of Justice's indictment said the quartet were able to gain access to Equifax's system through Equifax's online dispute portal. This portal utilized an open-source software product called Apache Struts Web Framework.
According to the indictment, Apache announced a vulnerability in the software in March 2017, which led the United States Computer Emergency Readiness Team to issue a threat warning notice. However, Equifax's online dispute portal wasn't updated.
The defendants were able to use that vulnerability to gain access to Equifax's systems. The hacking began at some point in May, and it lasted into July. During the attacks, the group found a repository of personal information, including names, addresses, social security numbers and birth dates, then they ran thousands of queries on this repository to extract information.
In an effort to cover their tracks, the defendants routed the information through 34 servers in about 20 countries, but investigators were able to uncover that two China-based IP addresses connecting directly to the Equifax network were responsible for these queries.
Along with stealing personal information of ordinary citizens, the group also allegedly stole trade secrets from Equifax.
"In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military," said U.S. Attorney General William Barr in a statement.
In a news release from the F.B.I., Barr also said the Justice Department believes that the Chinese government is behind other major incidents of corporate data theft, including systems at the Office of Personnel Management, Marriott hotels and Anthem insurance.
"This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence-targeting packages," Barr said.
While data breaches have seemingly become commonplace, F.B.I. Deputy Director David Bowdich said in a statement that American businesses have to remember to be vigilant about protecting personal information—but citizens also have to do their part. "And as American citizens, we cannot be complacent about protecting our sensitive personal data," Bowdich said. "We in law enforcement will not let hackers off the hook just because they’re halfway around the world. We’ve got to do everything we can to keep people safe, secure, and confident online."
U.S. Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, released a statement expressing that he was glad that the indictment occurred.
"That said, the indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack. A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure," said Warner.
Attorney General Barr noted in his announcement of the indictment that it's not typical for the government to charge other countries' military or intelligence services outside of the U.S.; however, the department found exception to the rule due to the amount of American civilian data stolen.