The US Department of Justice has brought charges against the hackers responsible for breaking into Equifax’s computer systems and stealing the personal data of 145 million Americans. Here is a look at who was indicted and how they pulled off this massive attack.
After a two-year investigation, the US Department of Justice has brought charges against the hackers responsible for breaking into Equifax’s computer systems and stealing the personal data of 145 million Americans. The four people indicted — Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei — are members of the People’s Liberation Army (PLA), which is China’s armed forces.
“We do not normally bring criminal charges against the members of another country’s military or intelligence services outside the United States,” said US Attorney General William Barr. “In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject to domestic criminal law.” However, an exception was made in this case because the hackers stole a massive amount of personal data of US civilians.
“This was a deliberate and sweeping intrusion into the private information of the American people. Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity,” said Barr. “Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
The PLA members stole the personal data of nearly half of all US citizens, according to the indictment. The pilfered information included the names, birthdates, and social security numbers of 145 million US citizens, the driver’s license numbers of 10 million Americans, and the credit card numbers of 200,000 US consumers. In addition, the hackers obtained the personal data of nearly 1 million citizens of Canada and the United Kingdom.
Besides noting what the PLA members stole, the indictment gave a detailed account of how they stole it. Looking at how this breach occurred can help other companies avoid the same fate.
How the Hackers Breached Equifax’s Computer Systems
To hack into computer systems, cybercriminals often exploit software vulnerabilities. In the Equifax data breach, the PLA members exploited a vulnerability in Apache Struts, an open-source program that companies and individuals can use to build web applications.
Equifax had used Apache Struts to build an online dispute portal, which people could use to research and dispute potential inaccuracies in their credit reports. However, Equifax did not install an update that Apache had released on March 6, 2017, to fix a software vulnerability, even though Apache and the US Cybersecurity and Infrastructure Security Agency (CISA) had issued security bulletins about it. This vulnerability was given the highest criticality rating because it allows unauthorized users to access the Apache Struts Web Framework and remotely execute arbitrary code.
And that is exactly what the PLA members did. Once they exploited the bug to gain access to the Apache Struts Web Framework, they created a backdoor to the web server hosting the online dispute portal. They also obtained the login credentials for a database service account, which allowed them to access additional databases within the company’s network.
The PLA members then ran a series of queries to obtain information about the company’s databases and the records in them. For example, they learned the names of tables, the names of the columns in those tables, and the type of record in each column. Through this reconnaissance, they were able to pinpoint exactly where the most sensitive data was being stored. They also discovered a few more database service account credentials, which allowed them to access even more Equifax databases.
After locating the desired personal information, the PLA members stole it. They queried the tables that contained the desired data, storing the results in temporary output files. Large output files were divided into smaller ones to enable a quicker download. The hackers also compressed the output files into archives, copied the archives to a different directory on the Equifax network, downloaded the archives to their computers, and then deleted the archives from the directory. All this was done to reduce the risk of being detected.
The hackers also took other measures to evade detection. For instance, to hide their location, they routed traffic through more than 30 servers located in nearly 20 countries. Plus, they used encrypted communication channels within Equifax’s network to send queries so that those queries would blend in with normal network activity. The hackers’ evasion techniques worked well — they ran about 9,000 queries over an 11-week period before Equifax discovered the breach.
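The schema reconnaissance and high-volume querying described above are the kind of database activity that continuous monitoring can surface. The following is an added example, not code from the original article or the indictment, that runs two simple detections over a constructed database audit log: it flags accounts that query the database's own metadata catalogs (table and column names), and accounts whose query count inside a sliding time window exceeds a threshold. The log format, account names and table names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format: "<ISO timestamp> user=<account> sql=<statement>"); names are invented.
SAMPLE_LOG = """\
2017-05-13T02:00:01 user=svc_dispute sql=SELECT table_name FROM information_schema.tables
2017-05-13T02:00:05 user=svc_dispute sql=SELECT column_name, data_type FROM information_schema.columns WHERE table_name='consumers'
2017-05-13T02:01:10 user=svc_dispute sql=SELECT * FROM consumers WHERE id BETWEEN 1 AND 100000
2017-05-13T02:01:40 user=svc_dispute sql=SELECT * FROM consumers WHERE id BETWEEN 100001 AND 200000
2017-05-13T02:02:15 user=svc_dispute sql=SELECT * FROM consumers WHERE id BETWEEN 200001 AND 300000
2017-05-13T02:02:50 user=svc_dispute sql=SELECT * FROM consumers WHERE id BETWEEN 300001 AND 400000
2017-05-13T09:30:00 user=app_portal sql=SELECT status FROM disputes WHERE id=42
2017-05-13T09:31:00 user=app_portal sql=UPDATE disputes SET status='open' WHERE id=42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) sql=(?P<sql>.*)$")
# Metadata catalogs that reveal table names, column names and column types (the reconnaissance step described above).
RECON_RE = re.compile(r"information_schema\.|sys\.(?:tables|columns)|all_tab_columns", re.I)

def parse_log(text):
    """Return (timestamp, account, sql) tuples; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["sql"]))
    return events

def find_schema_recon(events):
    """Accounts that queried the database's metadata catalogs."""
    return sorted({user for _, user, sql in events if RECON_RE.search(sql)})

def find_query_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Accounts issuing more than `threshold` queries inside any span of length `window`; returns {account: peak count}."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

On the sample log, `find_schema_recon` returns the service account that listed tables and columns, and `find_query_bursts` flags the same account for six queries within a ten-minute window while the portal account's two queries stay below the threshold.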
Sadly, the World Is Not Safer
Despite the fact that the four PLA members were indicted for the Equifax data breach, neither companies nor citizens can assume the world is a little bit safer for them. Although the four hackers were indicted, they are not in custody and hence they are free to continue their exploits.
“Some might wonder what good it does when these hackers are seemingly beyond our reach,” said David Bowdich, the deputy director of the US Federal Bureau of Investigation (FBI). “We can’t take them into custody, try them in a court of law, and lock them up. Not today anyway. But one day these criminals will slip up, and when they do, we’ll be there.”
But even if they are apprehended, there will be more hackers to take their place.
The bottom line is that companies need to make sure they have security measures in place to protect against data breaches. As the Equifax data breach illustrates, one important action is to keep the software on all devices updated so that known vulnerabilities are patched. But there are many other measures, including implementing the principle of least privilege and setting up systems to continually monitor for suspicious network activities. We can assess your business’s security measures and help you develop an effective strategy to defend against data breaches.