The Department of Justice announced Monday that four members of the Chinese military have been indicted on charges of hacking into the computer systems of credit-reporting agency Equifax, ultimately resulting in the largest-ever breach of consumer data.

On Jan. 28, 2020, a federal grand jury for the U.S. District Court for the Northern District of Georgia returned an indictment against four members of the Chinese People’s Liberation Army (PLA), a component of the Chinese military. The indictment alleges Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei conspired with one another to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information—including names, birth dates, and social security numbers—of approximately 143 million U.S. citizens and another one million citizens in the United Kingdom and Canada.

At a high level, the conspirators evaded detection by routing traffic through approximately 34 servers located in nearly 20 countries to conceal their true location; used encrypted communication channels within Equifax’s network to blend in with normal network activity; and deleted compressed files and wiped log files daily to eliminate records of their activity.

From a broader enterprise risk management standpoint, the Equifax hack serves as a warning to all companies. In a statement, Attorney General William Barr described the Equifax hack as a “disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

In addition to Equifax, Chinese intelligence agencies were also responsible, according to Reuters, for the breach of the Marriott hotel chain’s guest reservation database that compromised the personal information of upwards of 500,000 customers, which Marriott disclosed in 2018.

According to the indictment, the conspirators exploited a vulnerability in Apache Struts, the software used by Equifax’s online dispute portal, and then used this access to locate and obtain login credentials, “thereby falsely representing that they were authorized users,” and permitting them to further navigate Equifax’s network. The indictment further describes how, over the course of several weeks, the conspirators searched for sensitive, personally identifiable information within Equifax’s system and then “stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.”

In total, the attackers ran approximately 9,000 queries on Equifax’s system “while masking this activity through encrypted communication channels,” according to the indictment. “The majority of these queries were issued by conspirators using two China-based IP addresses that connected directly to Equifax’s network.”

The indictment further charges the conspirators with stealing trade secret information, namely Equifax’s data compilations and the way in which it accessed and analyzed that information. “In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.

Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei are charged with conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. They are also charged with unauthorized access and intentional damage to a protected computer, economic espionage, and wire fraud.

In July 2019, Equifax agreed to pay up to $700 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and a coalition of 50 attorneys general following a multistate investigation that found Equifax had failed to take basic measures to secure its network, a failure that led to the September 2017 data breach. Equifax agreed to pay $300 million to a Consumer Restitution Fund to provide affected consumers with credit-monitoring services, bringing its total (penalty plus remuneration) to nearly $1 billion.

It turns out that first billion was just the beginning. Equifax recently was ordered to spend another billion on beefing up its security.

According to court documents filed Jan. 13 in the U.S. District Court for the Northern District of Georgia, Equifax must spend “a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data-security requirements. Equifax’s compliance will be audited by an experienced, independent assessor and subject to this court’s enforcement powers.”