In September 2017, credit reporting giant Equifax came clean: It had been hacked, and the sensitive personal information of 143 million US citizens had been compromised—a number the company later revised up to 147.9 million. Names, birth dates, Social Security numbers, all gone in an unprecedented heist. On Monday, the Department of Justice identified the alleged culprit: China.
In a sweeping nine-count indictment, the DOJ alleged that four members of China’s People’s Liberation Army were behind the Equifax hack, the culmination of a years-long investigation. In terms of the number of US citizens affected, it’s one of the biggest state-sponsored thefts of personally identifiable information on record. It also further escalates already tense relations with China on multiple fronts.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” US attorney general William Barr said at a press conference announcing the charges. “For years we have witnessed China’s voracious appetite for the personal data of Americans.”
That aggression dates back to a hack of the Office of Personnel Management, revealed in 2015, in which Chinese hackers allegedly stole reams of highly sensitive data relating to government workers, up through the more recently disclosed breaches of the Marriott hotel chain and Anthem health insurance.
Even in that group of impactful attacks, Equifax stands out both for the sheer number of those affected and the type of information that the hackers obtained. While some had previously suspected China’s involvement—that none of the information had made its way to the dark web indicated a state actor rather than a common thief—Monday’s DOJ indictment lays out a thorough case.
The Big Hack
On May 7, 2017, Adobe announced that some versions of its Apache Struts software had a vulnerability that could allow attackers to remotely execute code on a targeted web application. It’s a serious type of bug, because it gives hackers an opportunity to meddle with a system from anywhere in the world. As part of its disclosure, Adobe also offered a patch and instructions on how to fix the issue.
Equifax, which used the Apache Struts Framework in its dispute-resolution system, ignored both. Within a week, the DOJ says, Chinese hackers were inside Equifax’s systems.
The Adobe Struts vulnerability had offered a foothold. From there, the four alleged hackers—Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei—conducted weeks of reconnaissance, running queries to give themselves a better sense of Equifax’s database structure and how many records it contained. On May 13, for instance, the indictment says that one of the hackers ran a Structured Query Language command to identify general details about an Equifax data table, then sampled a select number of records from the database.
Eventually, they went on to upload so-called web shells to gain access to Equifax’s web server. They used their position to collect credentials, giving them unfettered access to back-end databases. Think of breaking into a building: It’s a lot easier to do so if residents leave a first-floor window unlocked and you manage to steal employee IDs.
From there, they feasted. The indictment alleges that the hackers first ran a series of SQL commands to find especially valuable data. Eventually, they located a repository of names, addresses, Social Security numbers, and birth dates. The DOJ says the interlopers ran 9,000 queries in all, not stopping until the end of July.
Amassing that much data is one thing; getting it out undetected is another. China’s hackers allegedly used a few techniques to maintain access to the motherlode.