US Indicts Four Chinese Military Officers For Equifax Hack

Tom Burroughes

12 February 2020

(Editor’s note: For some time, reports about cyber attacks have prompted thoughts that foreign state actors, such as China and Russia, among others, are at fault. And it is not just foreign agencies that have come under fire: the explosive claims made in 2013 by Edward Snowden about the US National Security Agency have raised concerns about the state’s treatment of private information. Paradoxically, these events have put a spotlight on the need to honour financial privacy at a time when governments have been hunting for beneficial ownership data. Cybersecurity is now a top-line spending and strategy area in the fintech space.)

The saga of how 147 million people were hit in 2017 by the hacking attack on credit rating firm Equifax took another twist earlier this week. The US Department of Justice has indicted four members of China’s People’s Liberation Army over the attack. China has denied the allegations.

It is one of several attacks that have shaken sectors such as wealth management, forcing cybersecurity up the agenda for organisations such as family offices, advisors, private banks and investment houses. The hackers mostly affected Americans, but reports said some Canadians and UK persons were also affected.

A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets, the DOJ said in a statement on 10 February. 

The nine-count indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military.  

“They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorised access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims,” the DOJ’s statement said. 

Attacks on other institutions, ranging from JP Morgan through to Germany’s rail network in recent years, have fuelled fear of cybercrime. Professional services firm put the cost of cybersecurity to the global economy at $5.2 trillion over the next five years.

“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William P Barr, who made the announcement, said. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

Exploiting vulnerability
According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network, the statement continued. 

The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they had accessed files of interest, the defendants stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and remove data from Equifax’s network to computers outside the US.

In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.

Equifax welcomed the DOJ’s actions and those of the Federal Bureau of Investigation.

“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyber attack on Equifax in 2017. It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target US consumers, businesses and our government. The attack on Equifax was an attack on US consumers as well as the United States,” CEO Mark W Begor said.

“Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combatting this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced first-hand,” Begor said.

A financial crime conference held by UK wealth management membership organisation PIMFA has been told by Commissioner Ian Dyson of the City of London Police that three-quarters of all fraud cases reported are enabled by cyber channels. 

“It’s now a lot easier than robbing a bank and the rewards are far greater,” he said.