Nearly three years after the Equifax data breach that affected more than 145 million people, the Department of Justice on Monday indicted four members of China’s People’s Liberation Army in connection with the intrusion, which officials called part of a “disturbing and unacceptable pattern” of attacks sponsored by the Chinese government.
The indictment is unlikely to have any real effect on the four men or on the PLA's offensive cyber operations, though. Unless the men are caught outside China, the Chinese government would have to hand them over to U.S. authorities voluntarily, which is highly improbable. More broadly, U.S. officials said the PLA and other elements of China's military and intelligence apparatus have been among the most prolific and successful actors in cyberespionage for more than a decade, something an indictment is not likely to change.
“This is the largest theft of PII by state hackers ever recorded. China is one of the most significant threats to our national security today,” FBI Deputy Director David Bowdich said during a press conference Monday.
“We can’t take them into custody today, try them and lock them up. But one day these criminals will slip up and when they do we will be there.”
This is the second time the U.S. has charged members of China's military in connection with intrusions into U.S. networks, coming more than five years after the May 2014 indictment of five PLA officers for attacks on several U.S. companies.
The indictment unsealed Monday names Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei as the attackers behind the operation that compromised Equifax’s infrastructure in 2017. The men are members of the PLA’s 54th Research Institute and according to the indictment, exploited a known vulnerability in Apache Struts to gain access to a web server in Equifax’s network around May 13, 2017. For the next three months, the operators used their access to move around the network and infiltrate databases that held a trove of information, including Social Security numbers, driver’s license numbers, birthdates, names, and other data, according to the indictment. The attackers also were able to steal some proprietary information from Equifax, including database designs.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” said U.S. Attorney General William Barr.
“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.”
The Struts vulnerability the attackers used, CVE-2017-5638, a remote code execution flaw in the framework's Jakarta multipart parser triggered through a crafted Content-Type header, had been patched in March 2017, two months before the intrusion began. The bug was widely publicized at the time and for several weeks afterward, as public exploits appeared and attackers began mass-scanning for unpatched servers.
During the investigation into the Equifax intrusion, the FBI identified 40 IP addresses associated with the attackers and followed the trail from there. Investigators found that the attackers routed their activity through roughly three dozen servers in more than 20 countries and used a number of common techniques to disguise their movements, including deleting files and logs.
However, the attackers were not exactly silent on the network. They uploaded and used multiple webshells over the course of their intrusion and ran about 9,000 database queries while they were there. Barr said the Equifax intrusion is part of a larger strategy by Chinese government operators to steal intellectual property and weaken U.S. companies.
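The two noisy behaviors described above, an exploit payload carried in a Struts request and repeated use of uploaded webshells, are both visible in web server logs if the right fields are recorded. The following is an added example, not code from the article or from any party to the case: a small log scanner that flags the OGNL expression markers characteristic of the S2-045 (CVE-2017-5638) exploit in the Content-Type header, and POST requests to JSP files that are not in a baseline of known deployed pages. It assumes a custom Apache LogFormat that records the Content-Type request header (the stock combined format does not, which is why this exploit often went unnoticed without a WAF or IDS in front of the server); the log lines, IP addresses, paths and the `KNOWN_JSP` baseline are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat (an assumption for this example; the stock "combined"
# format does not record request headers, and the S2-045 payload travels in the
# Content-Type header):
#   LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\"" withct
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# OGNL expression markers commonly present in CVE-2017-5638 exploit attempts.
OGNL_RE = re.compile(r"%\{|#_memberAccess|@ognl\.|#cmd=")

# Hypothetical baseline of JSP pages actually deployed in the application.
# Any other .jsp path answering POSTs is treated as a candidate webshell.
KNOWN_JSP = {"/portal/dispute.jsp"}

# Constructed sample lines, not real Equifax traffic.
SAMPLE_LOG = r'''
203.0.113.10 [13/May/2017:03:41:07 +0000] "GET /portal/index.action HTTP/1.1" 200 "-"
203.0.113.10 [13/May/2017:03:41:09 +0000] "POST /portal/upload.action HTTP/1.1" 200 "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"
203.0.113.10 [13/May/2017:03:42:15 +0000] "POST /portal/img/.cache.jsp?cmd=whoami HTTP/1.1" 200 "application/x-www-form-urlencoded"
198.51.100.7 [13/May/2017:03:43:00 +0000] "POST /portal/login.action HTTP/1.1" 302 "application/x-www-form-urlencoded"
198.51.100.7 [13/May/2017:03:43:05 +0000] "POST /portal/dispute.jsp HTTP/1.1" 200 "multipart/form-data; boundary=----abc"
'''


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """Return the names of the detection rules a parsed request matches."""
    hits = []
    # Rule 1: OGNL in the Content-Type header is the S2-045 exploit signature.
    if OGNL_RE.search(rec["ctype"]):
        hits.append("struts_s2045_ognl_in_content_type")
    # Rule 2: POST to a .jsp that was never part of the deployed application.
    if (rec["method"] == "POST" and rec["path"].endswith(".jsp")
            and rec["path"] not in KNOWN_JSP):
        hits.append("post_to_unknown_jsp_webshell")
    return hits


def scan(log_text):
    """Return (ip, timestamp, rule, path) tuples for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((rec["ip"], rec["ts"], rule, rec["path"]))
    return findings


def by_source(findings):
    """Group the rule names fired per source IP, for a quick triage view."""
    out = defaultdict(list)
    for ip, _, rule, _ in findings:
        out[ip].append(rule)
    return dict(out)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample, only 203.0.113.10 is flagged: once for the OGNL payload in the Content-Type header, and once for the POST to a dotfile-named JSP outside the baseline. The second rule is deliberately simple; in practice the baseline would come from the deployed WAR's manifest or a file-integrity monitor on the webroot, and the first rule is only useful if the header is logged or inspected inline, which is the practitioner's real takeaway here.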
“This kind of attack is of a piece with other actions by China. For years we have witnessed the voracious appetite of China for our IP,” he said during the press conference.