Justice indicts four Chinese hackers for 2017 Equifax breach

The charges are the latest example of U.S. law enforcement going after China for hacking American companies.

 

The Department of Justice announced criminal charges against four members of the Chinese military in connection with the 2017 hack of credit monitoring giant Equifax.

The nine-count indictment includes multiple violations of the Computer Fraud and Abuse Act, conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud and wire fraud. The four individuals -- Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei -- are all listed as members of the People's Liberation Army of China.

The hack -- which took advantage of an unpatched vulnerability in the Apache Struts web application framework used by Equifax -- ultimately resulted in the theft of names, birthdays and Social Security numbers for 145 million Americans, as well as driver's license information for another 10 million.

"This theft not only cost significant financial damage to Equifax, but invaded the privacy of many millions of Americans and imposed substantial costs and burdens on them as they had to take measures to protect themselves from identity theft," Attorney General Bill Barr said at a press conference announcing the charges.

According to an indictment filed in the United States Northern District of Georgia, the defendants are accused of using the vulnerability to upload multiple web shells onto Equifax servers in May 2017, and obtaining credentials that allowed them further access to the company's networks. The quartet used encrypted communications and routed their internet traffic through 34 different servers located across 20 countries to mask their work, conducting over 9,000 searches for personally identifiable information before compressing and exfiltrating the data in smaller chunks to avoid detection.

David Bowdich, Deputy Director of the FBI, said the government began its investigation with about 40 IP addresses and "a handful of malicious software programs" as the only leads. From there, investigators used forensic data, including network logs and computer images, malware analysis and other techniques to begin peeling back the layers of anonymity and third-party infrastructure allegedly used by the PLA to cover their tracks.

"We've almost as a country become immune to these breaches," said Bowdich. "You get the notice in the mail or you hear about it in the news [and] think 'well there goes my credit card number, my Social Security number, my bank account information' and you sign up for another year of free credit card monitoring information. We cannot think like that in this country."

Barr and other officials characterized the incident as one of the largest state-sponsored hacks of personal information in history, placing it alongside the 2015 Office of Personnel Management breach, which resulted in the theft of records on more than 21.5 million current and former federal employees, and the hack of the Marriott/Starwood hotel chain's reservation systems, where hundreds of millions of credit card numbers and passports were pilfered.

Equifax was heavily criticized for both the breach and its fallout. The vulnerability used to gain an initial foothold already had a patch available that the company never bothered to use. They also waited months before informing the public, with several officials selling millions of company stock in the interim.

"We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017," the company said in a statement. "It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government."

Senator Mark Warner (D-Va.), who has sponsored legislation that would impose stricter legal liability penalties on companies that fail to safeguard consumer data, said the indictment "does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax's systems and response to the hack."

"A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care – and face any consequences that arise from that failure," said Warner in a statement.

Cybersecurity experts have long suspected that China or another country may have been behind the hack, as the Equifax data has never been found for sale on the dark web, an indication that the perpetrator was not seeking financial gain. U.S. officials said that while they are normally reluctant to charge members of a foreign government's military, incidents like the Equifax hack go far beyond the sort of narrow, targeted intelligence gathering that most countries are willing to accept.

Like other indictments filed against foreign government hackers, the four PLA members charged will likely not see the inside of a U.S. courtroom anytime soon, but DOJ argues that it can limit their ability to travel and do business internationally. Last year, Chinese Ministry of State Security operative Yanjun Xu was arrested while traveling through Belgium before being charged and extradited to the U.S. on charges of stealing trade secrets.

"We can't take them into custody, try them in a court of law and lock them up, not today anyway," Bowdich said. "But one day these criminals will slip up and when they do, we'll be there."
