The Department of Justice has pressed charges against four Chinese hackers for breaking into the computer systems of Equifax, a credit-reporting company. The hackers were members of China’s military, the Chinese People’s Liberation Army. They gained access to the personal information of roughly half of the American population, about 150 million Americans, as well as the company’s intellectual property. The nine-count indictment concludes two years of investigation; the group hacked Equifax in 2017. The alleged hackers are Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei; they have been accused of wire fraud.
The DOJ stated that this is one of the largest breaches of data in history. The hackers have “obtained the names, birth dates, and social security numbers of nearly 150 million Americans, and the driver’s license numbers of at least 10 million Americans.”
The hackers exploited a vulnerability in the Apache Struts Web Framework software that Equifax used for its dispute resolution website, which gave them access to the company’s network. “Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials, all to set the stage to steal vast amounts of data from Equifax’s systems.” Additionally, the hackers gained access to trade secrets and the company’s intellectual property used to store user data, which is claimed to have taken decades to create.
According to the DOJ, this hack is one example in a pattern of intrusions sponsored by China. The DOJ stated, “[o]ur cases reveal a pattern of state-sponsored computer intrusions and thefts by China targeting trade secrets and confidential business information.” Prior hacks attributed to China include those of the U.S. Office of Personnel Management, Marriott Hotels, and Anthem health insurance. China appears to focus on hacking entities that hold sensitive personal data and that also provide trade secrets and confidential business information. The DOJ noted that “about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection to China.” The Department stated that it does not ordinarily press criminal charges against foreign military or intelligence workers; however, this instance is an exception because of the quantity of sensitive personal data that was stolen. The DOJ specified that the hackers’ actions harmed ordinary people, further incentivizing the Department to take action against them. This is the second time that the U.S. has pressed charges against members of China’s army for hacking; the other instance was in 2014.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
The hackers took measures to remain anonymous and to avoid detection. For example, “[t]hey routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.” They also spent approximately three months conducting this work, including running about 9,000 queries on Equifax’s systems to understand the network’s structure and search for content of interest. They were then able to download, compress, and export the information to servers and computers outside of the United States.
The Chinese hackers have been charged with “three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.”
The U.S. Attorney’s Office for the Northern District of Georgia, the DOJ’s Criminal and National Security Divisions and the FBI’s Atlanta Field Office investigated this case, with help from the FBI’s Cyber Division.