Pierluigi Paganini February 10, 2020

The United States Department of Justice charged 4 Chinese military hackers with hacking into credit reporting agency Equifax.

The United States Department of Justice officially charged 4 members of the China’s PLA’s 54th Research Institute, a division of the Chinese military, with hacking into credit reporting agency Equifax.

The four members of the Chinese military unit are Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊), the DoJ’s indictment also states that they have stolen corporate intellectual property (IP) from the company.

The four men are still at large, residing in China.

In September 2017, Equifax Inc. disclosed a cybersecurity incident that impacted approximately more than 150 million customers. 

According to Attorney General William Barr and FBI Deputy Director David Bowdich, the Equifax data breach is one of the largest hacking case ever uncovered of this type.

“A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets.” reads the press release published by the DoJ.

The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke
(许可) and Liu Lei (刘磊) were members of the PLA’s 54^th Research Institute, a component of the Chinese military.  They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.”

The Equifax hack was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability. The vulnerability was fixed in March 2017, but the credit reporting agency did not update its systems, the thesis was also reported by an Apache spokeswoman to the Reuters agency.

“They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the DoJ continues.

According to the indictment, the state-sponsored hackers ran approximately 9,000 queries on Equifax’s system obtaining records for nearly half of all American citizens. Exposed data included names, birth dates, and social security numbers.

The hackers attempted to evade detection by routing the traffic through approximately 34 servers located in nearly 20 countries, they used encrypted communication channels within Equifax’s network to hide malicious the malicious traffic and wiped log files on a daily basis.

In July 2019, The Wall Street Journal revealed that Equifax will pay around $700 million to settle with the Federal Trade Commission over the 2017 data breach. The company was also fined £500,000 by the U.K.’s privacy watchdog for failing to take appropriate steps to protect its customers.

“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” said FBI Deputy Director David Bowdich.  “The size and scope of this investigation — affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office.  This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning.”

Pierluigi Paganini

(SecurityAffairs – hacking, Equifax)

[adrotate banner=”5″]

[adrotate banner=”13″]