DoJ Blames China’s People’s Liberation Army

Equifax’s “antiquated” IT systems made the hack easy…

The United States Department of Justice (DoJ) has indicted four members of China’s People’s Liberation Army (PLA) for the 2017 date hacking of credit reporting agency Equifax — an incident which led to the exposure of personal data belonging to 143 million people, including 15.2 million in the UK.

The nine-count indictment names Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei as members of the PLA’s 54 Research Institute, a component of the Chinese military. It says they conducted an “organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company.”

Equifax Hack a “Sweeping Intrusion”

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William Barr.

““Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network.

To evade detection, they allegedly routed traffic through “approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity” the DoJ said.

Earlier reports suggest their task may not have been particularly challenging. A late-2018 report by the US House of Representatives’ Oversight Committee noted that “Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate” (one of 300 left to expire).

That report added: “Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging.”

The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.

The investigation was conducted jointly by the U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office. The FBI’s Cyber Division also provided support. Equifax cooperated fully and provided valuable assistance in the investigation.

See also: Damning Report on Equifax Security Failures is a Lesson for all Enterprises