On January 28, a federal grand jury in Atlanta indicted 4 Chinese military personnel for hacking into the credit reporting agency Equifax between at least May and June 2017 and for stealing Americans’ personal data and Equifax’s trade secrets. The four men — Wang Qian, Xu Ke, Liu Lei and Wu Zhiyong — are members of the 54th Research Institute of the People’s Liberation Army (PLA), that is, the Chinese armed forces, according to the US Department of Justice and the FBI.
What happened? In March 2017, the Apache Software Foundation disclosed a vulnerability (CVE-2017-9805) in Apache Struts Web Framework, the open-source web-application software that Equifax used for its online dispute portal; the flaw allowed attackers to remotely execute code on the targeted web application. Along with the disclosure, the Apache Software Foundation also released a patch for the vulnerability. Equifax reportedly ignored both. As a result, roughly between March 13, 2017 and July 30, 2017, personally identifiable information (PII) of around 145 million Americans was leaked, as Equifax disclosed in September 2017.
What kind of data got leaked? According to the indictment, names, birth dates and social security numbers (SSNs) of around 145 million Americans, driving licence numbers of at least 10 million Americans, and credit card numbers of about 200,000 Americans were collected by hackers. PII of nearly a million UK and Canadian citizens was also harvested.
“[I]n a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens.” — Indictment
Modus operandi: The 4 indicted personnel were residents of Beijing at the time and exploited this vulnerability to gain access to Equifax’s network.
- Reconnaissance: The 4 indicted Chinese nationals used this vulnerability as a foothold to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials to navigate Equifax’s network, according to the indictment. By running SQL queries, the indicted individuals identified Equifax’s database structure and searched for sensitive PII within the system.
- Exfiltration outside the US: After accessing files of interest, they downloaded and exfiltrated the data from Equifax networks to computers outside the US. Through about 9,000 queries, they obtained names, birth dates and social security numbers of around 145 million Americans, the indictment says.
- Evading detection: To avoid detection, they routed traffic through approximately 34 servers in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in, and deleted compressed files and log files on a daily basis.
“While doing this, the hackers also stole Equifax’s trade secrets, embodied by the compiled data and complex database designs used to store the personal information,” the US Attorney General William Barr said in his remarks.
What have they been charged with? They have been indicted on 9 counts:
- Three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud
- Two counts of unauthorised access and intentional damage to a protected computer
- One count of economic espionage
- Three counts of wire fraud.
‘Other Chinese illegal acquisitions of sensitive personal data’: Barr said that this attack was on par with “China’s voracious appetite for the personal data of Americans”, which has included the theft of personnel records from the US Office of Personnel Management and the intrusions into Marriott hotels and the Anthem health insurance company.
The Chinese state is sponsoring attacks on American companies: Barr said that cases in the US revealed “a pattern of state-sponsored computer intrusions and thefts by China targeting trade secrets and confidential business information”. One such group is known as APT 10, which allegedly worked in association with the Chinese Ministry of State Security to target managed service providers and their clients worldwide across industries.
“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection to China.” — William Barr, US Attorney General