The US has charged the Chinese military with plundering Equifax in 2017.
The Justice Department (DOJ) on Monday released a nine-count indictment that accused four members of the People’s Liberation Army (PLA) of being hackers behind the breach, which was one of the largest in US history.
The breach exposed millions of names and dates of birth, taxpayer ID numbers, physical addresses, and other personal information that could lead to identity theft and fraud. Besides the original estimate of 145.5 million Americans who were affected, the breach also hit 15.2 million Brits and some 100,000 Canadians.
The indictment charged the four with a three-month campaign during which they allegedly hacked into computers of the credit-reporting agency and siphoned off the sensitive financial data and other personally identifiable information (PII) from all those people.
The accused are Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei: all members of the PLA’s 54th Research Institute, which is part of the Chinese military.
How they allegedly pulled it off
According to the indictment, the four allegedly pried open Equifax by exploiting a vulnerability in the Apache Struts Web Framework software used by the credit reporting agency’s online dispute portal.
We already knew it was done via a web app vulnerability and that it was a months-old Struts vulnerability: specifically, a nasty server-side remote code execution (RCE) bug made known to the public in March 2017.
The indictment says that the Chinese military staffers used that access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further poke around in Equifax’s network.
The defendants allegedly spent weeks running queries to identify Equifax’s database structure and searching for sensitive PII within its system. Once they found files that they could exploit, they allegedly stored the stolen information in temporary output files, compressed and divided the files, and were ultimately able to download and exfiltrate the data from Equifax’s network to computers outside the US, the indictment charges.
Make that a whole lot of queries against Equifax’s system: the alleged attackers ran about 9,000 queries, which returned names, birth dates and taxpayer IDs for nearly half of all American citizens.
The indictment also charges the defendants with stealing trade secret information, namely Equifax’s data compilations and database designs.
Attorney General William P. Barr, who announced the indictments, called it “a deliberate and sweeping intrusion into the private information of the American people.”
In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.
Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
The indictment says that the defendants tried to cover their tracks by routing traffic through some 34 servers, located in nearly 20 countries, to obfuscate their true location; that they used encrypted communication channels within Equifax’s network to blend in with normal network activity; and that they allegedly deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.
Each of the defendants is charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. They’ve also been charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
In July 2019, the Federal Trade Commission (FTC) announced that Equifax had agreed to pay $675 million – up to possibly $700 million – as part of a settlement for failing to secure the huge amount of personal information stored on its network.
The settlement included $300 million paid into a fund for credit monitoring services, for compensation to those who forked over money to Equifax to buy credit or identity monitoring services or who had other out-of-pocket expenses as a result of the breach.
Starting this year, it will also provide affected US consumers with six free credit reports per year for seven years (on top of the one free one they get every year from Equifax and the two other credit reporting agencies, Experian and TransUnion).
Finally, Equifax agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau (CFPB) in civil penalties.
In August 2019, the FTC said that affected consumers would be eligible for a $125 cash payout, or more, as part of its settlement with Equifax. A week later, the FTC was rapidly blinking its eyes at how many people were actually interested in receiving payback. Well, that’s “unexpected,” it said, and, well, “overwhelming.”
How about instead of cash, you take the free-credit-reporting offer instead? the FTC suggested. Because of the “high interest in the alternative cash payment under the settlement,” consumers who expect to take the FTC up on the offer might end up getting “far less than $125.”
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.