US Attorney General Bill Barr announced yesterday that four members of China’s military have been charged with the 2017 Equifax breach. The defendants, who work for the 54th Research Institute of the Chinese People’s Liberation Army (PLA), were indicted for hacking into servers owned by Equifax and stealing sensitive, personally identifiable information of approximately 145 million Americans. The defendants gained initial access by exploiting a vulnerability in the Apache Struts web framework, which was used by Equifax’s online dispute portal. The charges also allege that the hackers stole trade secrets from Equifax. According to the indictment, the attackers used that initial foothold to harvest credentials for other accounts and expand their access to additional systems, operating over the course of several weeks. The stolen data was routed through approximately 34 servers in nearly 20 countries in an attempt to disguise the source of the intrusion. Equifax cooperated with the investigation by providing evidence, including the IP addresses and malware used by the hackers, which enabled law enforcement to trace the intrusion back to its true source.
Computer intrusions allegedly sponsored by the government of China have targeted private companies in the US and other Western countries for years. In 2015, the Chinese and US governments formally agreed that neither would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets, for commercial advantage. This indictment shows that private companies and data on American citizens remain at risk from foreign government hacking. Organizations need a vulnerability management program that tracks critical vulnerabilities in the software they run and ensures patches are applied promptly, especially on Internet-facing servers such as the web framework behind a public portal. It is equally important to monitor activity on workstations and servers so that an attacker who does get in is detected quickly and the intrusion is stopped before serious damage is done. The Equifax intrusion went on for several weeks and relied on stolen credentials to move laterally across multiple systems. Using an Endpoint Detection and Response (EDR) solution to monitor for lateral movement and other attacker behaviors on workstations and servers is an important component of a defense-in-depth security strategy.
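One concrete form the lateral-movement monitoring above can take is a rule that flags an account authenticating over the network to many distinct hosts within a short window. The following is an added example written for this post, not code from Equifax, the DOJ, or any EDR vendor. The log lines are constructed to loosely resemble Windows 4624 (successful logon) events with logon type 3 (network); the field names, the host and account names, and the default threshold of four hosts in ten minutes are all assumptions chosen for illustration.

```python
"""Added example: flag accounts that log on over the network to many
distinct hosts within a short window, a simple lateral-movement signal.
All log lines, host names, account names and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on Windows event 4624.
# type=3 is a network logon; type=2 is an interactive (console) logon.
SAMPLE_LOGS = """\
2017-05-14T02:01:10Z host=web-01 event=4624 type=3 user=svc_dispute src=10.0.5.20
2017-05-14T02:03:40Z host=db-02 event=4624 type=3 user=svc_dispute src=10.0.5.20
2017-05-14T02:05:12Z host=db-03 event=4624 type=3 user=svc_dispute src=10.0.5.20
2017-05-14T02:06:55Z host=file-01 event=4624 type=3 user=svc_dispute src=10.0.5.20
2017-05-14T02:08:30Z host=db-04 event=4624 type=3 user=svc_dispute src=10.0.5.20
2017-05-14T08:15:00Z host=fs-01 event=4624 type=3 user=alice src=10.0.7.14
2017-05-14T09:30:00Z host=fs-02 event=4624 type=3 user=alice src=10.0.7.14
2017-05-14T02:02:00Z host=web-01 event=4624 type=2 user=bob src=127.0.0.1
"""

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) type=(?P<type>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    user: str
    window_start: datetime
    window_end: datetime
    hosts: tuple  # distinct hosts reached inside the window, sorted


def parse_network_logons(text):
    """Return (timestamp, user, host) for successful network logons only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        if m["event"] != "4624" or m["type"] != "3":
            continue  # only network logons matter for lateral movement
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["host"]))
    return events


def detect_lateral_movement(text, window=timedelta(minutes=10), min_hosts=4):
    """Alert on any account that reaches >= min_hosts distinct hosts
    within `window`. Uses a sliding window per account so the check
    stays linear in the number of events."""
    per_user = defaultdict(list)
    for ts, user, host in parse_network_logons(text):
        per_user[user].append((ts, host))

    alerts = []
    for user, evs in per_user.items():
        evs.sort()  # chronological order
        counts = {}  # host -> number of logons currently inside the window
        left = 0
        best = None  # widest window that crossed the threshold
        for ts, host in evs:
            counts[host] = counts.get(host, 0) + 1
            # Evict events that fell out of the window.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_hosts and (best is None or len(counts) > len(best[2])):
                best = (evs[left][0], ts, tuple(sorted(counts)))
        if best is not None:
            alerts.append(Alert(user, best[0], best[1], best[2]))
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_LOGS):
        print(f"{a.user}: {len(a.hosts)} hosts between {a.window_start} and "
              f"{a.window_end}: {', '.join(a.hosts)}")
```

On the constructed sample the rule fires once, for svc_dispute reaching five hosts in about seven minutes, while alice (two hosts, 75 minutes apart) and bob (a local console logon) stay quiet. In production the thresholds would be tuned per environment, and a real EDR correlates this with process and network telemetry rather than logon events alone, but the shape of the check is the same.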
For more information, please read the DOJ public release: https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking