In September 2017, credit reporting agency Equifax decided to come clean: it had been hacked, and the sensitive personal information of 143 million U.S. citizens (a figure later revised to 147.9 million) had been compromised.
The stolen personal data included names, dates of birth, and Social Security numbers. Earlier this week, on Monday, the U.S. Department of Justice identified the alleged culprit as China.
In its sweeping nine-count indictment, the DOJ alleged that four members of China’s People’s Liberation Army were behind the Equifax hack. The DOJ arrived at this conclusion after a multi-year investigation.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” said US attorney general William Barr while announcing the charges. “For years we have witnessed China’s voracious appetite for the personal data of Americans.”
The Chinese aggression dates back to a hack at the Office of Personnel Management, revealed in 2015, in which Chinese hackers allegedly stole highly sensitive data on government workers. More recent examples of Chinese cyber aggression include the breaches at the Marriott chain of hotels and the hack at Anthem health insurance.
Among these hacks, the Equifax hack stands out for the sheer number of people affected and the type of information the hackers obtained. Furthermore, the fact that none of the Equifax data made its way to the dark web pointed to a state actor rather than a common thief, the DOJ’s indictment states in its thorough case.
In early 2017, the Apache Software Foundation announced that some versions of its Apache Struts software had an exploitable vulnerability that allowed attackers to remotely execute code on a targeted web application. Apache offered a patch as well as instructions on how to fix the issue. Although Equifax was using the Apache Struts framework in its dispute-resolution system, it failed to patch the vulnerability. Within a few weeks, Chinese hackers were inside Equifax’s systems, said the DOJ.
Having gained a foothold in Equifax, the four alleged Chinese hackers, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, conducted weeks of reconnaissance, running queries to get a sense of Equifax’s database structure and how many records it held.
According to the DOJ indictment, on May 13, one of the hackers ran a Structured Query Language (SQL) command to identify the general details of an Equifax data table; he then sampled a select number of records from the database.
They uploaded web shells to gain access to Equifax’s web server and used their position to collect credentials, giving them unfettered access to back-end databases.
According to the DOJ indictment, the alleged Chinese hackers ran 9,000 queries up to the end of July.
To hide their tracks, the hackers compressed the data they wanted to steal and broke it up into manageable sizes. According to the indictment, the hackers split an archive containing 49 directories into 600MB files, which they deleted after exfiltrating the data in order to hide their trail.
Since they were seated deep within Equifax’s network, they benefited from the company’s existing encrypted communication channels.
To further cover their tracks, the PLA team allegedly routed its activity through 34 servers across 20 countries to infiltrate Equifax, making it difficult to pinpoint them as the attacker. They also used encrypted login protocols to mask their involvement with those servers, and in at least one instance wiped a server’s log files every day.
“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” said Equifax CEO Mark Begor in a statement. “It is reassuring that our federal law enforcement agencies treat cybercrime—especially state-sponsored crime—with the seriousness it deserves.”
“Our goal collectively here, aside from just being sure this doesn’t happen to us again, is really to help to the best degree possible to help reduce the likelihood that it’ll happen with other organizations,” said Jamil Farshchi, chief information security officer at Equifax.
“This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” said US attorney general William Barr. “Our cases reveal a pattern of state-sponsored computer intrusion and thefts by China targeting trade secrets and confidential business information.”