The charges are the latest example of U.S. law enforcement going after China for hacking American companies.
The Department of Justice announced criminal charges against four members of the Chinese military in connection with the 2017 hack of credit monitoring giant Equifax.
The nine-count indictment includes multiple violations of the Computer Fraud and Abuse Act, conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud and wire fraud. The four individuals -- Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – are all listed as members of the People's Liberation Army of China.
The hack -- which took advantage of an unpatched vulnerability in the Apache Struts web application framework used by Equifax -- ultimately resulted in the theft of names, birthdays and Social Security numbers for 145 million Americans, as well as driver's license information for another 10 million.
"This theft not only cost significant financial damage to Equifax, but invaded the privacy of many millions of Americans and impose substantial costs and burdens on them as they had to take measures to protect themselves from identity theft," Attorney General Bill Barr said at a press conference announcing the charges.
According to an indictment filed in the United States Northern District of Georgia, the defendants are accused of using the vulnerability to upload multiple web shells onto Equifax servers in May 2017, and obtaining credentials that allowed them further access to the company's networks. The quartet used encrypted communications and routed their internet traffic through 34 different servers located across 20 countries to mask their work, conducting over 9,000 searches for personally identifiable information before compressing and exfiltrating the data in smaller chunks to avoid detection.
David Bowdich, Deputy Director of the FBI, said the government began its investigation with about 40 IP addresses and "a handful of malicious software programs" as the only leads. From there, investigators used forensic data, including network logs and computer images, malware analysis and other techniques to begin peeling back the layers of anonymity and third-party infrastructure allegedly used by the PLA to cover their tracks.
"We've almost as a county become immune to these breaches," said Bowdich. "You get the notice in the mail or you hear about it in the news [and] think 'well there goes my credit card number, my Social Security number, my bank account information' and you sign up for another year of free credit card monitoring information. We cannot think like that in this country."
Barr and other officials characterized the incident as one of the largest state-sponsored hacks of personal information in history, placing it alongside the 2015 Office of Personnel Management breach, which resulted in the theft of more than 21.5 million current and former federal employees and the hack of the Marriott/Starwood hotel chain's reservation systems, where hundreds of millions of credit card numbers and passports were pilfered.
Equifax was heavily criticized for both the breach and its fallout. The vulnerability used to gain an initial foothold already had a patch available that the company never bothered to use. They also waited months before informing the public, with several officials selling millions of company stock in the interim.
"We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017," the company said in a statement. "It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government."
Senator Mark Warner (D-Va.) who has sponsored legislation that would impose stricter legal liability penalties on companies who fail to safeguard consumer data, said the indictment "does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax's systems and response to the hack."
"A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care – and face any consequences that arise from that failure," said Warner in a statement.
Cybersecurity experts have long suspected that China or another country may have been behind the hack, as the Equifax data has never been found for sale on the dark web, an indication that the perpetrator was not seeking financial gain. U.S. officials said that while they are normally reluctant to charge members of a foreign government's military, incidents like the Equifax hack go far beyond the sort of narrow, targeted intelligence gathering that most countries are willing to accept.
Like other indictments filed against foreign government hackers, the four PLA members charged will likely not see the inside of a U.S. court room anytime soon, but DOJ argues that it can limit their ability to travel and do business internationally. Last year, Chinese Ministry of State Security operative Yanjun Xu was arrested while traveling through Belgium before being charged and extradited to the U.S. on charges of stealing trade secrets.
"We can't take them into custody, try them in a court of law and lock them up, not today anyway," Bowdich said. "But one day these criminals will slip up and when they do, we'll be there."