The United States has charged four Chinese military hackers in the 2017 breach of the Equifax credit reporting agency that affected nearly 150 million American citizens, Attorney General William Barr said Monday.
Barr announced the indictment of Chinese military hackers – specifically, four members of the Chinese People’s Liberation Army – for breaking into the computer systems of the credit-reporting agency Equifax, and for stealing the sensitive personal information of nearly half of all American citizens, and also Equifax’s intellectual property.
This was one of the largest data breaches in history. It came to light in the summer of 2017, when Equifax announced the theft. As alleged in the indictment, the hackers obtained the names, birth dates, and social security numbers of nearly 150 million Americans, and the driver’s license numbers of at least 10 million Americans.
As described in the indictment, the hackers broke into Equifax’s network through a vulnerability in the company’s dispute resolution website. Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials, all to set the stage to steal vast amounts of data from Equifax’s systems. While doing this, the hackers also stole Equifax’s trade secrets, embodied by the compiled data and complex database designs used to store the personal information.
The defendants took steps to evade detection throughout the intrusion, as alleged in the indictment. They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.
According to the nine-count indictment handed down by a grand jury in Atlanta, four members of the Chinese People’s Liberation Army, or PLA – Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei – are alleged to have conspired to hack Equifax’s computer systems and commit economic espionage. In doing so, they are alleged to have damaged Equifax’s computer systems and to have committed wire fraud.
The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
The Equifax data breach had far-reaching implications for Equifax and the consumer credit industry. The company agreed to pay up to $700 million to settle claims it broke the law during the data breach and to repay harmed consumers.
The announcement is the latest in an aggressive campaign by American authorities to root out Chinese espionage operations in the United States. Since turning the spotlight on China in 2018, the U.S. has snared a growing group of Chinese government officials, business people, and academics pursuing American secrets.