Chinese officials and state media on Tuesday condemned the U.S. Justice Department on Tuesday for indicting four People’s Liberation Army (PLA) military officers for the massive hacking attack on the Equifax credit reporting agency, a 2017 cybercrime that pilfered valuable corporate data and personal information about over 147 million Americans.
The four individuals named in the indictment – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – are all members of a Chinese military cyber-espionage unit called the “54th Research Institute.”
According to the FBI, the group’s attack on Equifax allowed the PLA to obtain “sensitive identifying information for nearly half of all American citizens, and personally identifiable information belonging to nearly a million citizens of the United Kingdom and Canada.”
U.S. Attorney General William Barr on Monday described the hack as a “deliberate and sweeping intrusion into the private information of the American people.”
“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” he said.
The Chinese foreign affairs ministry on Tuesday responded with its standard denial: “The Chinese government, military, and relevant personnel never engage in cyber theft of trade secrets.”
“From the case of WikiLeaks to Edward Snowden, the U.S. hypocrisy and double standards on cybersecurity have been fully revealed,” said Foreign Ministry spokesman Geng Shuang, attempting to distract from the charges against the PLA officers by accusing the United States of doing all the hacking.
“China is also a victim to this. We have lodged stern representations to the U.S. and asked it for an explanation and to immediately stop such activities,” he said.
China’s state-run Global Times on Tuesday followed the same playbook, accusing the U.S. of fabricating the charges against the PLA officers to distract from its own cyber-espionage activities while risibly portraying China as a “staunch defender of cybersecurity.”
Naturally one of China’s numerous bureaucracies furnished a report “proving” that poor innocent Beijing is the target of relentless U.S. cyberattacks:
A report published in June 2019 says that the most cyberattacks against Chinese networks in 2018 came from the US. The information came from an annual report released by China’s National Computer Network Emergency Response Technical Team (CNCERT).
The CNCERT said that in 2018, 14,000 servers in the US infected by a Trojan virus, or botnet, controlled 3.34 million host computers in China, and the number of servers increased by 90.8 percent year-on-year. In 2018, 3,325 US IP addresses with the Trojan virus infected 3,607 Chinese websites, an increase of 43 percent compared with 2017, CNCERT said.
In addition, US penetration of critical information infrastructure in other countries and regions has been unceasing. In June 2019, China’s “Network Security National Team” Antiy Labs released a review of an incident in which the NSA’s “Formula” organization attacked the largest SWIFT financial service provider EastNets in the Middle East, which proved that the “Formula” organization used a national-level network weapon to penetrate and control a business organization network such as SWIFT, layer by layer, in order to gain long-term control and achieve the purpose of having continuous access to its information.
German magazine Der Spiegel Weekly also disclosed that in 2007, the NSA launched an intelligence-gathering project targeting Huawei. NSA successfully entered Huawei’s intranet and obtained a large amount of internal private information, emails, and source codes. Documents revealed by whistleblower Edward Snowden further confirmed the NSA’s cyberattack on Huawei.
The Global Times concluded by suggesting the U.S. government is trying to panic the world into distrusting China, an increasingly common theme in Chinese propaganda as the Wuhan virus rages and Chinese hacking scandals pile up.
Voice of America News (VOA) recalled just how huge those Chinese hacking scandals have been:
Beginning in 2013, hackers working for the Chinese government stole millions of highly sensitive personnel files from the U.S. Office of Personnel Management, the agency that manages the federal government’s civilian workforce.
In 2015, two Chinese hackers broke into the computer systems of U.S. health insurer Anthem, stealing the personal data of at least 78 million Americans. The two hackers were indicted in 2019.
In 2018, American hotel chain Marriott International revealed that hackers had stolen personal details of nearly 500 million guests at its Starwood reservation system beginning four years earlier. The breach was attributed to Chinese hackers.
VOA noted the FBI currently has about a thousand open investigations into suspected Chinese thefts of U.S. intellectual property, ranging from the defense industry to “cutting-edge research at our universities,” as FBI Director Christopher Wray warned.
Wired offered a breakdown of the Equifax caper on Monday, noting that since not a scrap of the gigantic trove of valuable pillaged data ever appeared for sale on the dark web, a “state actor” was almost certainly involved.
The attack was professionally executed after extensive digital reconnaissance of the Equifax system, which became vulnerable after ignoring warnings of a critical security flaw in the software it used for its dispute resolution system.
This flaw allowed the hackers to slip in through the cyberspace equivalent of an open ground-floor window and run thousands of database queries, package the results in small files that could be carefully smuggled out without alerting network security, and retrieve the data using Equifax’s own encrypted communications. A network of 34 servers located in 20 different countries was involved in the raid, which went on for months.
These were all signs of a sophisticated state-sponsored operation, but Wired blamed Equifax for making the job too easy:
It should have patched that initial Apache Struts vulnerability, for starters. And an FTC complaint from last summer also found that the company stored administrative credentials in an unsecured file in plaintext. It kept 145 million Social Security numbers and other consumer data in plaintext as well, rather than encrypting them. It failed to segment the databases, which would have limited the fallout. It lacked appropriate file integrity monitoring and used long-expired security certificates. The list goes on. Equifax didn’t just let the alleged Chinese hackers into the vault; it left the skeleton key for every safe deposit box in plain sight.
“There’s a lot of interesting, mind-bending stuff here – like that it only took four people to gather the private information of half of the United States population,” former National Security Agency analyst Dave Aitel remarked to Wired.
Security analysts described DOJ pinning the Equifax attack on the PLA as a deliberately provocative move, since it is unlikely any of the four defendants will ever see the inside of a U.S. courtroom, and China has a history of retaliating for perceived insults.
There are also troubling questions about exactly what the Chinese plan to do with the massive trove of personal data they stole. They have not tried selling it, and there are no signs of them giving it away to outside hacking groups so they can cause general mischief. Some analysts think they could be sifting through the data for information that might be useful for political blackmail, or to assist with further hacking attacks, while others think the files could be fed into China’s data-hungry artificial intelligence research projects.