U.S. Govt. Charges Four Members of Chinese Military With 2017 Equifax Hack

Chris Gaetano
Published Date: Feb 10, 2020
The U.S. Department of Justice has laid blame for the 2017 Equifax hack, which exposed the personal information of hundreds of millions of people worldwide, on a quartet of hackers employed by China's People's Liberation Army. Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊), all members of the PLA's 54th Research Institute, are said to have exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.

According to the criminal indictment, they used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The group spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, they then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and Social Security numbers for nearly half of all American citizens.

The DOJ also believes the group stole trade secret information, namely Equifax’s data compilations and database designs. 

The four are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, conspiracy to commit wire fraud, two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud. Yet it is unknown whether those charges will ever be formally applied to the hackers: according to the New York Times, none of them is in U.S. custody, and all are based in China, which is highly unlikely to extradite them to face trial. The United States does not have an extradition treaty with China.
