“This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans.”
On January 28, a grand jury indicted four members of China’s People’s Liberation Army for their involvement in the 2017 Equifax breach. The PLA officials were charged with computer fraud (both intentional damage and unauthorized access), economic espionage, three counts of wire fraud, and conspiracy to commit all three aforementioned charges.
On Monday, the Justice Department announced the nine-count indictment for the breach that affected 145 million Americans, as reported by Politico. Both the timeline of the attack and these new charges indicate a continued breakdown of an Obama-era truce regarding espionage-based hacks between the U.S. and China.
The charges — The indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei exploited a vulnerability in the Apache Struts Web Framework of Equifax’s online dispute portal in order to gain login credentials. They ran “approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens,” according to the DOJ’s statement.
To cover their tracks and hide the mass exfiltration of data, the attackers routed traffic through about 34 servers across almost 20 countries. Compressed files and log files were deleted on a daily basis. They also took advantage of encrypted communication channels within Equifax’s network to make their activity seem normal. The attack is estimated to have started on May 13, 2017, and it concluded around July 30, 2017.
What truce? — In 2014, the U.S. indicted several members of the PLA on hacking charges amid the Edward Snowden NSA leaks for good, pot-calling-the-kettle-black measure. The following year, then-President Barack Obama and Chinese President Xi Jinping announced a truce, particularly regarding the hotbed issue of corporate cybertheft.
The tense relationship between Trump’s administration and China has caused the truce to suffer, despite being re-upped. Though some of these hacks are dated prior to the détente, in recent years the PLA and China’s Ministry of State Security have been linked to hacks of Marriott hotel databases, the Anthem health insurance company, and the U.S. Office of Personnel Management. Including the Equifax hack, these breaches have siphoned the information of hundreds of millions of people, mostly Americans.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” said Barr in the DOJ’s statement.
Equifax still could’ve done better — Let’s not forget that Equifax took its time notifying everyone about the breach for a little insider trading, left a known vulnerability unpatched, and used admin/admin as one of its web portal username/password combinations. A statement from Equifax CEO Mark Begor obtained by TechCrunch’s Zack Whittaker celebrated having someone to blame for the company’s embarrassingly preventable breach without claiming any culpability for it.
“A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care — and face any consequences that arise from that failure,” said Senator Mark Warner in a statement obtained by CNET’s Alfred Ng. Warner went on to reference legislation he and Senator Elizabeth Warren keep trying to get off the ground to enforce more stringent data broker accountability.