US govt accuses four Chinese army soldiers of hacking Equifax and siphoning 145m Americans' personal info

The United States today announced criminal charges against four Chinese Army soldiers who, it is claimed, are the hackers who stole 145 million Americans’ personal data from credit scorer Equifax.

Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, are all said to have been members of the People’s Liberation Army (PLA)’s 54th Research Institute hacking team, and are accused of illegally accessed Equifax’s customer databases. They were named by the US Department of Justice today as Attorney General William Barr condemned a “disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens.”

“The PLA hackers obtained names, birth dates, and social security numbers for the 145 million American victims, in addition to driver’s license numbers for at least 10 million Americans stored on Equifax’s databases,” said the indictment, adding that another 200,000 credit card numbers were also stolen.

It continued: “Accordingly, in a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens”.

Barr said in a statement: “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

According to court documents [PDF], the hackers exploited vulnerabilities in Equifax’s online dispute portal, which ran the Apache Struts Web Framework. It is understood patches were available to address security flaws in the software, yet Equifax’s installation remained unpatched and insecure. After gaining access to the server, the four are said to have installed web shells and run SQL commands on the databases using credentials they found on the server itself. Full details of the 2017 hack were in a US Congress report issued in late 2018.

Prosecutors allege the four used “two China-based IP addresses that connected directly to Equifax’s network” to access the servers at first, before downloading their illicitly-obtained data by using around 34 servers in “nearly twenty countries” connected over a variety of secure shell software and even old-fashioned remote desktop connections.

Equifax is going to make you work for that 125 bucks it owes each of you: Biz sneaks out Friday night rule change

READ MORE

As they rampaged through Equifax’s databases the four allegedly wiped logs daily on the rented infrastructure that was used for the hack, so as to hide their tracks.

A million Brits and Canadians also had their data stolen by the Chinese.

The American Federal Trade Commission, a regulator, promised that affected people could claim $125 each as a result of the breach. In reality it has allowed Equifax to erect ever greater hurdles in order to discourage claims and reduce the total size of the payout. ®

Bootnote

A grand jury is a bizarre American legal process in which a group of around 20 citizens picked at random are locked in a room with prosecutors and are not allowed to leave until at least half of them vote to allow some third party to be put on trial for alleged criminal offences.