Department of Justice indicts four members of China’s PLA. “We have the capability to remove the Internet’s cloak of anonymity.” But how far will it go?
By Wolf Richter for WOLF STREET.
I normally don’t get into who hacked whom, because it happens a lot, but here we’re talking about the Equifax hack, the most damaging hack for Americans ever, where hackers stole the crown jewels of personal information – including names, birth dates, social security numbers, and addresses – of 145 million Americans. Consumer-credit ratings agency Equifax first revealed the hack in September 2017, after having discovered it on July 29, months after the hackers had perpetrated the hack.
This morning, the US Department of Justice announced that a federal grand jury had returned a nine-count indictment, charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the Equifax computer system and “stealing Americans’ personal data and Equifax’s valuable trade secrets.” These trade secrets were “Equifax’s data compilations and database designs.”
The indictment included three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud; two counts of unauthorized access and intentional damage to a protected computer; one count of economic espionage; and three counts of wire fraud.
Attorney General William Barr called it an “an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.”
The DOJ’s press release provided some clues as to how China’s PLA hackers worked, including these standouts:
According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network.
The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.
In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.
The defendants took steps to evade detection throughout the intrusion, as alleged in the indictment. They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.
The four individuals named in the indictment were Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, who were all members of the PLA’s 54th Research Institute, a component of the Chinese military.
The U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office jointly conducted the investigation, with the FBI’s Cyber Division providing support. And Equifax “provided valuable assistance in the investigation.”
“We remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” Barr said in the statement, and added:
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
The announcement points out that the “defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”
But how far will this go? Not very far, I can comfortably assure you. China has in the past denied all such charges with copy-and-paste statements. One thing is certain: China isn’t going to extradite to the US any members of the PLA who’re alleged to have committed state-sponsored hacks on US companies and on Americans. Just not going to happen. If they in fact perpetrated the hack, the PLA will more likely reward them for a job well-done. But those four members are unlikely to want to blow their bonus and assorted other income anytime soon on a home in the US.
In 2019, Corporate America began rerouting its supply chain to other countries but not necessarily back to the US. Read… US Imports from China Plunged Most Ever in 2019, Shifted to Other Countries, and the Goods Trade Deficit Improved Only a Tad from Worst Level Ever
Enjoy reading WOLF STREET and want to support it? Using ad blockers – I totally get why – but want to support the site? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.