July 10th – A fourth China-based IP address logged into the Taiwan server and copied malicious file abc.txt there. A fifth China-based IP address used a malicious web shell previously installed on Equifax’s system to download abc.txt from the Taiwan server. China server five was then used to upload a substantively identical web shell to Equifax’s network.
Mid July – The Swiss server was used to connect to Equifax’s network and create an archive containing 49 directories. This was split into 600-megabyte segments and downloaded from the Equifax network to a Dutch server via HTTP commands.
Mid July – A sixth Chinese server used a malicious web shell to query an Equifax data table and store results in output files. Using the same Chinese server, this was then compressed to an archive file and downloaded. A web shell was then used to delete the archive from Equifax’s network to obscure the theft.
Late July – The second Chinese server was used to access a malicious web shell on the Equifax server to allow an attacker (named in the indictment as Wang) to issue unauthorized SQL commands on an Equifax back-end database.
Late July – A Singapore-based IP address used the same malicious web shell to run additional queries.
Late July – The Singaporean server was used to access the malicious web shell on Equifax’s server.
Up until July 30th – PII was repeatedly stolen from the Equifax back-end databases.
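The timeline above describes three behaviours a web-tier log review can surface: requests to a web shell that is not a legitimate application endpoint, large archives pulled out in fixed-size segments over HTTP, and the whole pattern coming from a small set of client addresses. The following Python script is an added illustration written for this page, not material from the indictment or from Equifax; the log lines, the allow-list of known POST endpoints and the 500 MB per-client volume threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined-log style (not real Equifax data).
# 203.0.113.7 posts to a .jsp outside the known endpoints and then pulls two
# 600 MiB archive segments; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2017:02:10:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [15/Jul/2017:02:10:09 +0000] "POST /app/resources/img.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [15/Jul/2017:02:11:20 +0000] "GET /app/resources/out.7z.001 HTTP/1.1" 200 629145600
203.0.113.7 - - [15/Jul/2017:02:19:44 +0000] "GET /app/resources/out.7z.002 HTTP/1.1" 200 629145600
198.51.100.4 - - [15/Jul/2017:02:12:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
198.51.100.4 - - [15/Jul/2017:02:12:03 +0000] "POST /app/login HTTP/1.1" 302 0
"""

# Matches: client ip, timestamp, method, path, status code, response bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Assumed allow-list: the only application paths that legitimately accept POST.
KNOWN_POST_PATHS = {"/app/login", "/app/search"}

# Assumed per-client outbound volume threshold (500 MB) for flagging staged exfiltration.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_log(text):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["bytes"] = int(d["bytes"])
            entries.append(d)
    return entries


def find_unexpected_posts(entries):
    """POST requests to paths outside the allow-list: candidate web-shell interaction."""
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "POST" and e["path"] not in KNOWN_POST_PATHS]


def find_bulk_downloads(entries, threshold=EXFIL_THRESHOLD_BYTES):
    """Clients whose successful (200) response bytes sum past the threshold:
    candidate segmented archive download."""
    totals = defaultdict(int)
    for e in entries:
        if e["status"] == 200:
            totals[e["ip"]] += e["bytes"]
    return {ip: total for ip, total in totals.items() if total >= threshold}


def analyze(text):
    """Run both checks and return the findings keyed by check name."""
    entries = parse_log(text)
    return {
        "unexpected_posts": find_unexpected_posts(entries),
        "bulk_downloads": find_bulk_downloads(entries),
    }


if __name__ == "__main__":
    for check, result in analyze(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Both checks are deliberately simple so they can be read against the timeline: the allow-list check catches a handler that the application never deployed being driven by POST, and the volume check catches the segmented download regardless of how the segments are named. In a real deployment the allow-list would come from the application's route table and the threshold from a baseline of normal per-client traffic.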
In a press conference Attorney General William Barr explained why the Chinese government might target Equifax: “For years we have witnessed China’s voracious appetite for the personal data of Americans. This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
The Equifax prosecution is evidence of ongoing tension in cyberspace between America and China, and of America’s increasingly aggressive stance on Chinese espionage operations targeting its citizens.
On Monday 10th February 2020, the US charged four Chinese nationals – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – with carrying out the attack. The indictment identifies them as members of the People’s Liberation Army’s 54th Research Institute, part of China’s military. There are nine charges against them, including wire fraud, conspiracy to commit computer fraud, and economic espionage. On 13th February 2020 the Chinese Ministry of Defense released a statement about the allegations against its members, strongly denying any involvement in the hacking of Equifax.