The United States has charged four Chinese military hackers over the highly damaging breach of the Equifax credit reporting agency.
It was back in September 2017 when Equifax revealed the breach to the world, which had resulted in the theft of sensitive data (names, addresses, social security numbers, dates of birth etc) belonging to 143 million US consumers (and 15.2 million British citizens).
The fallout from the hack was immense, with the credit monitoring firm being hauled up before the US Congress to face fierce criticism. The hack was also the subject of multiple investigations around the world, and it resulted in CEO Richard Smith being ‘retired’ from the credit agency.
What had made the Equifax breach especially damaging, was that the firm had discovered the breach back in July 2017 but had waited 40 days before telling the world.
Even worse, Equifax’s IT team had known about the vulnerability that was exploited by the hackers as far back as March 2017, after a security researcher had warned the firm about its vulnerability to a cyberattack months before it actually suffered the breach.
A US Congressional report that was published in December 2018 accused Equifax of failing to implement ‘adequate security’. It also concluded that the data breach was ‘entirely preventable’.
In the summer of 2019, Jun Ying, the former Chief Information Officer CIO of Equifax was sentenced to four months in a federal prison for insider trading.
Ying had sold off his stock options before the 2017 data breach became public knowledge.
And in July 2019 it was revealed that Equifax would pay an eye watering data breach settlement of around $700m to US regulators and US states.
But now after a federal grand jury in Atlanta returned an indictment last week, the United States has officially charged four members of the Chinese military with the hack.
“The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke
(许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military,” said the US Department of Justice (DoJ).
“They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims,” said the DoJ.
The hackers are said to have spent weeks in the Equifax system, breaking into computer networks, stealing company secrets and personal data.
The hackers apparently routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location.
The hackers also apparently used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said US Attorney General William P. Barr, who made the announcement.
“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” he said.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” said Barr.
“In short, this was an organised and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” said Barr.
But China immediately hit back with a swift denial.
Chinese foreign ministry spokesman Geng Shuang was quoted by Reuters as denying the allegations on Tuesday and said China’s government, military and their personnel “never engage in cyber theft of trade secrets.”
Geng Shuang also said that Beijing is also a victim of US “cyber intrusion, surveillance and monitoring activities.”
“We have lodged stern representations to the US and asked it to make explanations and immediately stop such activities,” he said.
But the US maintain they are in the right in highlighting China’s alleged role in the Equifax hack.
“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” said FBI Deputy Director David Bowdich.
The Chinese defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud, said the US DoJ.
The defendants are also charged with two counts of unauthorised access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
At least one security expert highlighted how some nation states have been conducting cyber warfare operations for a while now, rather than make use of conventional military operations.
“Compared to conventional war, cyber warfare offers more precision. One can control exactly what and whom to target. Also, it’s much less expensive,” said Ambuj Kumar, CEO and co-founder of Fortanix.
“This is why we will see more and more instances of cyber battles in future,” said Kumar. “This is a reminder that all businesses that are entrusted with protecting the privacy of personal information should be encrypting that data.”
“With an adversary as sophisticated and well-funded as a nation-state, it is inevitable that they will penetrate defenses and get to the data, but it is useless when encrypted,” Kumar concluded.
And ever since 2011, the United States military has explicitly warned that it has the right to retaliate with military force against a cyberattack.
In May last year, when terrorist group Hamas launched a cyberattack against Israel, it triggered Israeli warplanes to carry out a military airstrike.
That was thought to be the first time that a nation-state retaliated with physical military action in real time against a cyber attack.
Do you know all about security? Try our quiz!
Central African Republic's cryptocurrency-based Sango plan aims to boost crypto adoption, tokenisation – and even…
Hacker offers data on 1 billion Chinese citizens for sale in online forum, claims to…