Washington (February 11, 2020) – The U.S. Department of Justice and the FBI charged four Chinese military hackers in connection with the massive Equifax breach of 2017. Following a two-year investigation, U.S. authorities explain how the Chinese military officers were able to hack into the computer systems of the credit reporting agency, steal sensitive personal data as well as Equifax’s trade secrets, and cover their tracks.
The U.S. Department of Justice (DOJ) laid charges against the Chinese military officers Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei – all members of the 54th research institute of China’s People’s Liberation Army (PLA). The indictment accuses the Chinese military hackers of being responsible for the massive Equifax data breach in 2017. Allegedly, the accused hacked into the computer system of the credit rating giant and stole sensitive personal data of millions of Americans, Canadians, and others as well as Equifax’s trade secrets. On February 10, the Chinese military hackers were charged with computer fraud, economic espionage, and wire fraud, according to a press release.
How they hacked Equifax: A three-month-long campaign
The DOJ believes that the four Chinese officers engaged in a three-month-long campaign to steal data stored in the company’s database. They allegedly ran approximately 9,000 queries in total on the agency’s computer system to identify its database structure. To break into Equifax’s network, the hackers exploited a software vulnerability in the company’s dispute resolution website and obtained login credentials to further navigate through the network.
According to the DOJ, ‘[o]nce they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.’
Two-year investigation into the work of the hackers
The indictment alleges that they routed traffic through approximately 34 servers located in nearly 20 countries to cover up their true location. Furthermore, they used encrypted communication channels within the Equifax network to blend in with normal network activity. Additionally, in order to eliminate records of their activity, they supposedly deleted compressed files and wiped log files on a daily basis.
‘It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves,’ said Equifax CEO Mark W. Begor in a press release, expressing his gratitude for the two-year investigation into the data breach.
Attorney General Barr, who made the announcement, added, ‘[t]oday, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.’
Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei face charges of computer fraud, economic espionage, and wire fraud for their role in one of the largest thefts of personally identifiable information by state-sponsored hackers ever recorded. https://t.co/KcZ8lOfpbd — FBI (@FBI) February 10, 2020
The indictment against the four Chinese military officers is not the first time that members of the PLA have been charged with hacking U.S. companies. ‘Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.’
The allegations have not been proven in court. The whereabouts of the suspects are unknown, and it is highly unlikely that they will stand trial in the U.S.
The 2017 Equifax data breach
Over two years ago, Equifax was the victim of a massive data breach. The credit reporting agency, headquartered in Atlanta, maintains an immense repository of consumer information that it sells to businesses looking to verify identities or assess creditworthiness. Equifax thus holds data on more than 820 million consumers as well as information on 91 million businesses.
According to Attorney General Barr, the attack on Equifax is ‘one of the largest data breaches in history.’ The sensitive information of nearly 150 million Americans, as well as about 20,000 Canadians, had been stolen from the credit reporting company in July 2017. The stolen data included names, birth dates, social security numbers, and driver’s license numbers.
In the aftermath, Equifax was heavily criticized, resulting in the dismissal of its then CEO. The privacy breach drew attention to how private companies accumulate personal information about their customers without effective data protection. Additionally, the consequences for Equifax included the largest-ever settlement for a data breach. The civil settlement reached in the U.S. last year encompasses payments of US$700 million.