According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network, the statement continued.
The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, they stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and remove data from Equifax’s network to computers outside the US.
In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.
Equifax welcomed the DOJ’s actions and those of the Federal Bureau of Investigation.
“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyber attack on Equifax in 2017. It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target US consumers, businesses and our government. The attack on Equifax was an attack on US consumers as well as the United States,” CEO Mark W Begor said.
“Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combatting this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced first-hand,” Begor said.
A financial crime conference held by UK wealth management membership organisation PIMFA has been told by Commissioner Ian Dyson of the City of London Police that three-quarters of all fraud cases reported are enabled by cyber channels.
“It’s now a lot easier than robbing a bank and the rewards are far greater,” he said.