U.S. authorities have charged four members of the Chinese People’s Liberation Army (PLA) with allegedly hacking the computer systems of the credit reporting agency Equifax and stealing the personal information of around 145 million Americans as well as Equifax’s valuable trade secrets.
According to the U.S. Department of Justice announcement, a federal grand jury in Atlanta returned an indictment alleging that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊) broke into Equifax's computers and stole sensitive personal information of nearly half of all U.S. citizens. The four men are believed to be members of the 54th Research Institute of the Chinese People’s Liberation Army (PLA), a component of the Chinese military. The men face nine counts including conspiracy to commit computer fraud and conspiracy to commit economic espionage.
The indictment alleges that the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to conduct reconnaissance and gather the login credentials needed to move deeper into Equifax’s network. The authorities allege that the hackers “spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system”. The data stolen from Equifax’s network was then sent to computers outside the United States.
“In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens,” the indictment said.
According to the indictment, the alleged hackers attempted to evade detection by routing traffic through approximately 34 servers located in nearly 20 countries in order to hide their true location. They also used encrypted communication channels within Equifax’s network to mask their activities, and wiped all traces of their presence on the systems.
Charges against the four include counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud, as well as counts of unauthorized access and intentional damage to a protected computer, economic espionage and wire fraud.