The United States government has officially charged four members of China’s People’s Liberation Army (PLA) with hacking into credit reporting agency Equifax and being responsible for the massive data breach that exposed highly sensitive information on more than 145 million Americans.
According to the Department of Justice, a federal grand jury in Atlanta returned a nine-count indictment last week alleging that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military, and are responsible for the hack.
The indictment also accused the group of stealing corporate intellectual property (IP) from Equifax.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
As was already known, the indictment confirms that the hackers exploited a vulnerability (CVE-2017-5638) in the Apache Struts 2 web application framework used by Equifax’s online dispute portal to gain access to the sensitive data.
“The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the Justice Department said. “Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.”
The indictment also charges the defendants with stealing Equifax’s data compilations and database designs.
In an attempt to cover their tracks, the attackers allegedly routed traffic through approximately 34 servers located in nearly 20 countries and used encrypted network traffic within Equifax’s network to blend in with normal network activity. They are also said to have deleted compressed files and wiped log files daily in an effort to eliminate records of their activity.
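The two preceding paragraphs describe behaviour a database audit log and a host command log would record: one application account enumerating the schema and pulling rows in bulk, staged archives being compressed and then deleted, and the same log file wiped day after day. The script below is an added illustration of how a defender might flag those patterns; it is not part of the indictment or of Equifax's tooling, and the log formats, account names (`portal_svc`, `tomcat`), file paths and thresholds are constructed assumptions.

```python
"""Detection heuristics for the post-intrusion behaviour described above:
schema enumeration plus bulk reads by one account, deletion of staged
archives, and recurring log truncation. Added illustration; the log
formats, names and thresholds are constructed, not Equifax's or the DOJ's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed database audit log: time, principal, statement, rows returned.
DB_AUDIT_LOG = """\
2017-05-14T02:00:11Z portal_svc "SELECT * FROM disputes WHERE id=?" rows=1
2017-05-14T02:00:19Z portal_svc "SELECT * FROM disputes WHERE id=?" rows=1
2017-05-14T02:05:41Z portal_svc "SELECT table_name FROM information_schema.tables" rows=412
2017-05-14T02:05:58Z portal_svc "SELECT column_name FROM information_schema.columns WHERE table_name='consumers'" rows=37
2017-05-14T02:06:03Z portal_svc "SELECT column_name FROM information_schema.columns WHERE table_name='ssn_index'" rows=9
2017-05-14T02:10:22Z portal_svc "SELECT name,dob,ssn FROM consumers WHERE state='GA'" rows=250000
2017-05-14T02:31:07Z portal_svc "SELECT name,dob,ssn FROM consumers WHERE state='TX'" rows=900000
2017-05-14T03:12:45Z report_job "SELECT count(*) FROM disputes" rows=1
"""

# Constructed command audit log from the application host: time, user, command.
HOST_AUDIT_LOG = """\
2017-05-14T02:40:01Z tomcat tar czf /tmp/out_01.tgz /tmp/q_0001.out /tmp/q_0002.out
2017-05-14T02:41:15Z tomcat split -b 10m /tmp/out_01.tgz /tmp/out_01.part.
2017-05-14T03:55:09Z tomcat rm -f /tmp/out_01.tgz /tmp/out_01.part.aa /tmp/out_01.part.ab
2017-05-14T03:55:30Z tomcat sh -c "cat /dev/null > /opt/tomcat/logs/localhost_access_log.txt"
2017-05-15T03:55:12Z tomcat sh -c "cat /dev/null > /opt/tomcat/logs/localhost_access_log.txt"
2017-05-15T09:00:00Z ops tail -n 100 /opt/tomcat/logs/catalina.out
"""

SCHEMA_ENUM_MIN = 3           # catalogue reads per account per hour before flagging (assumed)
BULK_ROWS_PER_HOUR = 100_000  # rows returned to one account per hour before flagging (assumed)

DB_LINE_RE = re.compile(r'^(\S+) (\S+) "(.*)" rows=(\d+)$')
CATALOG_RE = re.compile(r"information_schema|pg_catalog|sys\.(tables|columns)", re.I)
ARCHIVE_RE = re.compile(r"\.(tgz|tar\.gz|zip|7z|gz|part\.\w+)\b")
LOG_PATH_RE = re.compile(r'((?:/var/log|/[^\s"]*/logs)/[^\s"]+)')


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_querying(audit_text):
    """Per (principal, hour): count system-catalogue reads and sum rows returned."""
    catalog_hits = defaultdict(int)
    rows_returned = defaultdict(int)
    for line in audit_text.splitlines():
        m = DB_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, principal, stmt, rows = m.groups()
        key = (principal, parse_time(ts).replace(minute=0, second=0).isoformat())
        if CATALOG_RE.search(stmt):
            catalog_hits[key] += 1
        rows_returned[key] += int(rows)
    findings = []
    for key in set(catalog_hits) | set(rows_returned):
        if catalog_hits[key] >= SCHEMA_ENUM_MIN:
            findings.append(key + ("schema-enumeration", catalog_hits[key]))
        if rows_returned[key] >= BULK_ROWS_PER_HOUR:
            findings.append(key + ("bulk-read", rows_returned[key]))
    return sorted(findings)


def detect_anti_forensics(host_text):
    """Flag deletion of staged archives and truncation of log files, and report
    any log path truncated on two or more distinct days (the 'wiped daily' pattern)."""
    events = []
    wipe_days = defaultdict(set)
    for line in host_text.splitlines():
        ts, user, cmd = line.split(" ", 2)
        destructive = ">" in cmd or cmd.startswith(("rm ", "shred ", "truncate "))
        if cmd.startswith("rm ") and ARCHIVE_RE.search(cmd):
            events.append((ts, user, "staged-archive-deleted"))
        log_path = LOG_PATH_RE.search(cmd)
        if destructive and log_path:
            events.append((ts, user, "log-truncated"))
            wipe_days[log_path.group(1)].add(ts[:10])  # calendar day only
    recurring = sorted((p, len(d)) for p, d in wipe_days.items() if len(d) >= 2)
    return {"events": events, "recurring": recurring}


if __name__ == "__main__":
    for f in detect_bulk_querying(DB_AUDIT_LOG):
        print("DB  ", *f)
    result = detect_anti_forensics(HOST_AUDIT_LOG)
    for e in result["events"]:
        print("HOST", *e)
    for path, days in result["recurring"]:
        print("HOST", path, "truncated on", days, "distinct days")
```

Each rule is deliberately keyed to the account or host rather than to a source IP, since the text notes the traffic was routed through dozens of servers and blended in with encrypted internal traffic; volume and destructive file operations by a web-facing service account are signals that survive that kind of relaying.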
State-sponsored hackers from China have also been suspected of being responsible for the massive Marriott data breach announced in 2018, which affected as many as 500 million individuals, and have also been the main suspects in the massive breach disclosed by the U.S. Office of Personnel Management (OPM) in 2015 that exposed millions of U.S. Government workers.