In September 2017, credit reporting giant Equifax came clean: It had been hacked, and the sensitive personal information of 143 million US citizens had been compromised—a number the company later revised up to 147.9 million. Names, birth dates, Social Security numbers, all gone in an unprecedented heist. On Monday, the Department of Justice identified the alleged culprit: China.
In a sweeping nine-count indictment, the DOJ alleged that four members of China’s People’s Liberation Army were behind the Equifax hack, the culmination of a years-long investigation. In terms of the number of US citizens affected, it’s one of the biggest state-sponsored thefts of personally identifiable information on record. It also further escalates already tense relations with China on multiple fronts.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” US attorney general William Barr said at a press conference announcing the charges. “For years we have witnessed China’s voracious appetite for the personal data of Americans.”
That aggression dates back to a hack of the Office of Personnel Management, revealed in 2015, in which Chinese hackers allegedly stole reams of highly sensitive data relating to government workers, up through the more recently disclosed breaches of the Marriott hotel chain and Anthem health insurance.
Even in that group of impactful attacks, Equifax stands out both for the sheer number of those affected and the type of information that the hackers obtained. While some had previously suspected China’s involvement—that none of the information had made its way to the dark web indicated a state actor rather than a common thief—Monday’s DOJ indictment lays out a thorough case.
On March 7, 2017, the Apache Software Foundation announced that some versions of its Apache Struts software had a vulnerability that could allow attackers to remotely execute code on a targeted web application. It’s a serious type of bug, because it gives hackers an opportunity to meddle with a system from anywhere in the world. As part of its disclosure, Apache also offered a patch and instructions on how to fix the issue.
Equifax, which used the Apache Struts Framework in its dispute-resolution system, ignored both. Within a few weeks, the DOJ says, Chinese hackers were inside Equifax's systems.
The Apache Struts vulnerability had offered a foothold. From there, the four alleged hackers—Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei—conducted weeks of reconnaissance, running queries to give themselves a better sense of Equifax’s database structure and how many records it contained. On May 13, for instance, the indictment says that one of the hackers ran a Structured Query Language command to identify general details about an Equifax data table, then sampled a select number of records from the database.
Eventually, they went on to upload so-called web shells to gain access to Equifax’s web server. They used their position to collect credentials, giving them unfettered access to back-end databases. Think of breaking into a building: It’s a lot easier to do so if residents leave a first-floor window unlocked and you manage to steal employee IDs.
From there, they feasted. The indictment alleges that the hackers first ran a series of SQL commands to find especially valuable data. Eventually, they located a repository of names, addresses, Social Security numbers, and birth dates. The DOJ says the interlopers ran 9,000 queries in all, not stopping until the end of July.
Amassing that much data is one thing; getting it out undetected is another. China’s hackers allegedly used a few techniques to maintain access to the motherlode.
According to the DOJ, they stored the stolen data in temporary files; especially large files they compressed and broke up into more manageable sizes. (At one point, the indictment says, they split an archive containing 49 directories into 600-megabyte chunks.) That kept their transmissions small enough to avoid suspicion. After they had exfiltrated the data, they deleted the compressed files to minimize the trail. It also helped that they were deep enough inside Equifax’s network that they could use the company’s existing encrypted communication channels to send their queries and commands. It all looked like normal network activity.
The indictment also details how the PLA team allegedly set up 34 servers across 20 countries to infiltrate Equifax, making it difficult to pinpoint them as a potential problem. They used encrypted login protocols to mask their involvement in those servers, and in at least one instance wiped a server’s log files every day. They were effectively ghosts.
Take one incident detailed by the DOJ: On July 6, 2017, one of the hackers accessed the Equifax network from a Swiss IP address. They then used a stolen username and password for a service account to get into an Equifax database. From there, they queried the database for Social Security numbers, full names, and addresses, and stored them in output files. They created a compressed file archive of the results, copied it to a different directory, and downloaded it. Data safely in hand, they then deleted the archive.
Repeat over the course of several weeks, and you wind up with 147.9 million people’s information allegedly in the hands of a foreign government.
While the operation had a certain degree of complexity, Equifax itself made their job much easier than it should have. It should have patched that initial Apache Struts vulnerability, for starters. And an FTC complaint from last summer also found that the company stored administrative credentials in an unsecured file in plaintext. It kept 145 million Social Security numbers and other consumer data in plaintext as well, rather than encrypting them. It failed to segment the databases, which would have limited the fallout. It lacked appropriate file integrity monitoring and used long-expired security certificates. The list goes on. Equifax didn't just let the alleged Chinese hackers into the vault; it left the skeleton key for every safe deposit box in plain sight.
“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” Equifax CEO Mark Begor said in a statement. “It is reassuring that our federal law enforcement agencies treat cybercrime—especially state-sponsored crime—with the seriousness it deserves.”
"Our goal collectively here, aside from just being sure this doesn’t happen to us again, is really to help to the best degree possible to help reduce the likelihood that it’ll happen with other organizations," Jamil Farshchi, chief information security officer at Equifax, told WIRED.
Some elements of the Equifax hack—particularly the role of the Apache Struts vulnerability—had been public for some time. But pinning the attack on China adds an important new dimension, both in terms of the Equifax incident itself and international relations.
The US and China have gone through a turbulent few years on the cybersecurity front. In 2014, the DOJ charged five members of the PLA with hacking crimes against US companies. The following year, the two countries signed what amounted to a digital truce, one that more or less held fast throughout the remainder of the Obama administration.
Recent years, though, have seen indications that the détente is unraveling. The Marriott and Anthem hacks both began in 2014, prior to the Obama truce. But China has of late increasingly focused on cyberattacks in service of corporate espionage. That includes compromising the CCleaner security tool to create a backdoor into enterprise networks, and using its APT10 hackers to infiltrate so-called Managed Service Providers as a springboard to dozens of vulnerable companies.
That aggression, combined with allegations of rampant intellectual property theft and an ongoing trade war, have further stressed the US-China relationship. Adding Equifax to the pile is uniquely troubling.
“This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” Barr said. “Our cases reveal a pattern of state-sponsored computer intrusion and thefts by China targeting trade secrets and confidential business information.”
Monday's announcement marks only the second time that the US has indicted Chinese military hackers by name. (Linked with China’s Ministry of State Security, APT10 is considered non-military.) The first time was in 2014. As then, and as has increasingly been the case with named Russian hackers in DOJ allegations, the step has potential downsides.
“I worry that the Chinese will engage in tit-for-tat behavior,” says former National Security Agency analyst Dave Aitel. “It would be good to have a clear signal in terms of doctrine.”
There’s also the practicality of ever bringing the accused to face justice, given that they’re Chinese citizens working in the service of that government. “Some might wonder what good it does when these hackers are seemingly beyond our reach,” FBI deputy director David Bowdich said at Monday’s press conference. “We’ll use our unique authorities, our experiences, and our capabilities, with the help of our partners both at home or abroad, to fight this threat each and every day, and will continue to do so.”
For victims of the Equifax hack—nearly half of all US citizen—the apparent revelation that China was behind it doesn’t change much unless you’re someone the country might target for intelligence-gathering purposes. Personally identifiable information is leverage, after all. But for most people, the playbook remains the same: Keep an eye on your accounts, and get your settlement money.
The real concern is more existential. It’s unclear the extent to which this will exacerbate already troubled relationships between two global powers. Regardless, it’s unsettling how seemingly easy it was to pull off a data heist of such unprecedented proportion.
“There's a lot of interesting, mind-bending stuff here,” says Aitel. “Like that it only took four people to gather the private information of half of the United States population.”
Additional reporting by Lily Hay Newman