Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

U.S. Charges Four Members of the Chinese Military in Connection with the 2017 Equifax Breach

February 13, 2020

Not a title that is likely to surprise anyone.

The Washington Post (subscription required) reported on February 11 that the Justice Department has charged four members of the Chinese military with a 2017 hack at the credit reporting agency Equifax, a massive data breach that compromised the personal information of nearly half of all Americans.

In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of the People's Liberation Army hacked into Equifax's systems, stealing the personal data as well as company trade secrets. Attorney General William P. Barr called their efforts "a deliberate and sweeping intrusion into the private information of the American people."

The 2017 breach gave hackers access to the personal information, including Social Security numbers and birth dates, of about 145 million people. Equifax last year agreed to a $700 million settlement with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout of up to $125 (really, all of that?), although the FTC has warned that a large volume of requests could reduce that amount.

Wang Qian, Xu Ke, Wu Zhiyong and Liu Lei are all members of the Chinese military (the PLA's 54th Research Institute) and were charged with computer fraud, economic espionage and wire fraud (FBI). China is also suspected of being responsible for the 2015 breaches of health insurer Anthem and the federal Office of Personnel Management, as well as a 2018 breach of hotel chain Marriott.

In Beijing, Chinese Foreign Ministry spokesman Geng Shuang flatly denied the charges. "The Chinese government, military and relevant personnel never engage in cybertheft of trade secrets," he said, and he accused the United States of having a "double standard" on cybersecurity.

According to the indictment, in March 2017, a software firm announced a vulnerability in one of its products, but Equifax did not patch the vulnerability on its online dispute portal, which used that software. In the months that followed, the Chinese military hackers exploited that unrepaired software flaw to steal vast quantities of Equifax's files, the indictment charges.

Officials said the hackers also took steps to cover their tracks, routing traffic through 34 servers in 20 countries to hide their location, using encrypted communication channels and wiping logs that might have given away what they were doing.

Barr said that although the Justice Department does not normally charge other countries' military or intelligence officers outside the United States, there are exceptions, and the indiscriminate theft of civilians' personal information "cannot be countenanced."

In the United States, he said, "we collect information only for legitimate, national security purposes."

I'll bet China would say the same thing.

None of the four is in custody, and officials acknowledged that there is little prospect they will come to the United States for trial. But the indictment does serve as a public shaming, and officials said that if those charged attempt to travel someday, the United States could arrest them.

The case marks the second time the Justice Department has unsealed a criminal indictment against PLA hackers for targeting U.S. commercial interests. In 2014, the Obama administration announced an indictment against five suspected PLA hackers for allegedly breaking into the computer systems of a host of American manufacturers.

Does anyone still doubt that an ongoing cyberwar is a reality?

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.