On February 10, 2020, the U.S. Department of Justice announced charges against four members of China’s People’s Liberation Army (“PLA”) for their alleged involvement in the 2017 Equifax hack that resulted in the theft of the personal information of 145 million Americans.
In the nine-count indictment, the four individuals, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, members of the PLA’s 54th Research Institute, were charged with computer fraud, economic espionage, and wire fraud for allegedly conspiring to hack into Equifax’s networks, maintain unauthorized access to those computers, and steal sensitive information, including trade secrets.
The indictment provides significant detail on the attackers’ methods, explaining that in the months leading up to July 2017, the hackers allegedly exploited a vulnerability in the Apache software used by the company’s ‘online dispute’ portal, which allowed them to upload multiple unauthorized web shells to a company web server. The attackers then conducted detailed reconnaissance over the course of several weeks before locating and using the credentials of a company database service account to access certain back-end databases containing sensitive information. According to the indictment, the hackers ran approximately 9,000 queries to search for and extract data from the databases.
In order to evade detection, the attackers allegedly “routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within the company’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.”
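Two defender-side checks that follow from the pattern described above, as an added example that is not part of the original article and not code from the indictment, Equifax, or the Department of Justice: a per-account query-volume baseline that would surface a database service account suddenly issuing bulk queries, and a continuity check for logs that should never have gaps, which is what a wiped log file looks like from the records that remain. The account name svc_dispute, the timestamps, the audit-record layout and the thresholds are all constructed for illustration.

```python
"""Two defender-side checks suggested by the attack pattern the indictment
describes: a database service account issuing an unusual volume of queries,
and discontinuities in logs that are expected to be continuous.

Added illustration, not code from the indictment, Equifax, or the DOJ.
Account names, timestamps, log layout and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_audit_log():
    """Constructed database audit records: (timestamp, account, statement).

    The hypothetical account 'svc_dispute' normally issues three SELECTs an
    hour; on the second day it issues 120 queries inside a single hour, a
    small version of the bulk extraction the indictment describes.
    """
    base = datetime(2017, 5, 13)
    records = []
    for hour in range(24):
        for k in range(3):
            records.append((base + timedelta(hours=hour, minutes=15 * k),
                            "svc_dispute", "SELECT"))
    burst_start = base + timedelta(days=1, hours=2)
    for k in range(120):
        records.append((burst_start + timedelta(seconds=20 * k),
                        "svc_dispute", "SELECT"))
    return records


def flag_query_bursts(records, multiplier=5, min_count=20):
    """Return (account, hour_start, count) for every hour in which an account's
    query count exceeds `multiplier` times that account's median hourly count
    and is at least `min_count`.  The median is the baseline so that a single
    burst does not drag the baseline up with it."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for ts, account, _statement in records:
        per_hour[account][ts.replace(minute=0, second=0, microsecond=0)] += 1

    alerts = []
    for account, hours in per_hour.items():
        baseline = median(hours.values())
        for hour_start, count in sorted(hours.items()):
            if count >= min_count and count > multiplier * baseline:
                alerts.append((account, hour_start, count))
    return alerts


# Constructed access-log timestamps from a web server that is busy around the
# clock.  A hole of roughly 26 hours sits between the two groups, which is
# what a wiped log file looks like from the records that survive.
SAMPLE_ACCESS_TIMES = (
    [datetime(2017, 6, 1, 8) + timedelta(minutes=10 * k) for k in range(12)]
    + [datetime(2017, 6, 2, 12) + timedelta(minutes=10 * k) for k in range(12)]
)


def find_log_gaps(timestamps, max_gap=timedelta(hours=6)):
    """Return (gap_start, gap_end) for each pair of consecutive records that
    are more than `max_gap` apart.  Meaningful only for logs that should be
    continuous; the durable control is shipping logs off-host as they are
    written, so a local wipe cannot remove the only copy."""
    ordered = sorted(timestamps)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for account, hour_start, count in flag_query_bursts(build_sample_audit_log()):
        print(f"burst: {account} ran {count} queries in the hour from {hour_start}")
    for start, end in find_log_gaps(SAMPLE_ACCESS_TIMES):
        print(f"log gap: no records between {start} and {end}")
```

Both checks are deliberately simple: the median-based baseline is per account, so a service account that is quiet by nature is judged against its own history rather than against a global threshold, and the gap check only works on logs that are also copied off the host, since a log that exists in one place can be wiped together with the evidence of the wipe.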
The indictments reflect a recent concerted effort by the Department of Justice to bring charges against state-sponsored hackers following attacks on American companies. Prior to 2018, the only U.S. indictment against Chinese state-sponsored hackers was in 2014, when a grand jury indicted five Chinese military hackers for computer hacking, economic espionage, and other offenses targeting American companies. Beginning in 2018, the Department of Justice has brought charges against Chinese state-sponsored hackers for a series of attacks, including an October 2018 indictment against two Chinese intelligence officers and a December 2018 indictment of two members of the hacking group known as APT10, which is associated with the Chinese Ministry of State Security.