The massive Equifax data breach which exposed the details of over 147 million people worldwide, has now been pinned on Chinese military hackers. The allegation is contained in an indictment by the US Department of Justice. The indictment names four members of the Chinese People’s Liberation Army. All four worked at the PLA’s 54th Research Institute.
The four individuals are Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊). They have been charged on nine counts, including:
- Allegedly conspiring with each other to hack into Equifax’s computer networks
- Maintaining unauthorized access to those computers
- Stealing sensitive, personally identifiable information of approximately 145 million American victims
- Stealing trade secret information
According to Attorney General William P. Barr: “This was a deliberate and sweeping intrusion into the private information of the American people. Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
What is this all about?
In 2017, Equifax suffered one of the largest ever data breaches. While it affected mainly US users of the system, some Equifax customers in other countries were also affected. The data stolen included:
- Date of birth
- Social security numbers
- Credit card numbers
The hackers were able to take the data due to a number of failures in the way Equifax secured its systems. Investigators found that password security was weak and data protection poor. Two senior managers left soon after some of the initial reports into the breach were published.
The company also kept the breach secret for several weeks after it was discovered. During that period, three directors sold shares in the company to avoid losses when the news became public. Equifax also initially told customers they could not sue if they wanted compensation. However, that was later retracted and the company blamed it on an error.
The deadline to file a claim for compensation expired on 22 January 2020. However, there is a second deadline for any expenses incurred as a result of the breach, which is detailed in the US Federal Trade Commission document.
What else did we learn from this indictment?
The indictment also contains a small amount of technical information about the attack, much of which has appeared in other reports. It says:
- The defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.
- This allowed them to steal login credentials and gain greater access to the Equifax network.
- They ran 9,000 searches for PII, gaining information on over half the US population.
- Information was stored in temporary files until it could be exfiltrated.
- Files were deleted daily, and security and access logs were wiped.
- Traffic was routed through 34 servers in 20 different countries.
- They used encrypted communications to avoid detection.
Questions remain over use of the data
One of the big questions is what happened to the data? It has yet to surface as a data set on the dark web. It is possible that it was used to verify other stolen data or to flesh out user profiles that were then sold on.
There have also been suggestions that much of the data was encrypted and the hackers were unable to decrypt it. Given the reports from various companies who have investigated this breach, there is no evidence of this.
A more likely use of the data, beyond fleshing out existing profiles on individuals, is in more traditional intelligence roles. Those with poor credit records or who were significantly in debt would be targets for intelligence officers, especially if their jobs gave them access to sensitive data, intellectual property or computer networks. Approaches would take the form of either unexpected loans or blackmail, where employment contracts mean financial problems could lead to job losses.
Intelligence teams are also likely to have used the data to track individuals. People keep their credit cards for long periods. This means that they can be tracked as they check into hotels, pay restaurant bills and shop. This is where data mixing from multiple breaches becomes highly valuable to governments. They can track military and diplomatic personnel and gain a deep insight into their lifestyles. All of this can later be used to apply pressure to an individual.
The problem with data breaches is that many of the uses of the data are hard to track back to the breach. If someone is blackmailed due to high debt, they are unlikely to report it. Even if they do, proving that the blackmailer obtained the data from a data breach is difficult.
Enterprise Times: What does this mean?
The US regularly issues indictments against foreigners it accuses of data breaches and hacking. It has been far more successful than other countries in tracking them down and getting them extradited to the US. In this case, however, it is unlikely that these four will ever face a US court.
What is more important is that the US has named those responsible for the attack. Many of the forensic reports chose to ignore attribution and instead focused on what happened and how. That has, hopefully, now been fully taken on board by Equifax, which has yet to respond to an email asking whether it has fully implemented the actions to prevent another breach.
It would be interesting to see an intelligence analyst’s view on the implications of this breach. The US Government has suffered hundreds of data breaches over the last few years. These include the massive OPM breach, the Booz Allen SOCOM breach and others. Where that data is and how it is being used by the hackers is unknown. Now that members of the PLA have been named in this breach, will we see the investigation widened to understand what has happened to all of that data and how it is being used?