U.S. Prosecutors Charge Chinese Military Officers in 2017 Equifax Breach

United States prosecutors have charged four Chinese military officers with the 2017 Equifax hacking. The indictment charges the officers with the theft of the personal information of over 148 million individuals. Additionally, it charges them with stealing trade secrets from Equifax servers.

Unpatched and Avoidable

According to a 2018 study by Congress, “such a breach was entirely preventable”. The government had warned Equifax about the possibility of a breach through a vulnerable, unpatched device. A few months later the attackers used this same vulnerability to gain access to Equifax’s networks.

In July of 2019 Equifax settled with regulators for a sum of $700 million. Over 4.5 million individuals opted for the $125 payout option offered in the settlement. Equifax, however, has only set aside $31 million for this option, leaving them about $531,500,000 short.

As one of the largest credit reporting agencies in the nation, Equifax has a heightened responsibility to maintain the security of the data it stores. Equifax undeniably provides a critical service in the financial industry by aggregating large amounts of sensitive financial information. This treasure trove of data, however, is a lucrative target for both cybercriminals and state-sponsored attackers.

Upon gaining access to the network, the attackers explored it, “successfully locating unencrypted personally identifiable information (PII) data 265 times”. The attackers extracted data for 76 days without triggering any alarms. They were able to remain undetected for so long because a monitoring service was not functioning.

When Equifax re-enabled the monitoring services on this network segment, it immediately became aware of the suspicious traffic. As of July 30th Equifax had noticed data exfiltration to a German IP address that was leased to a Chinese provider.

The report released by Congress indicates that several Equifax officials were held accountable for the breach. Eight days after the public announcement, the Chief Information Officer and Chief Security Officer took early retirement.

Chinese (Artificial) Intelligence

According to the indictment, the Equifax breach was part of a coordinated series of state-sponsored cyberattacks against the United States. Other attacks with suspected Chinese involvement include:

  • the leak of 22 million security clearance files from the Office of Personnel Management
  • the hacking of Anthem Insurance
  • the theft of guest records from Starwood Hotels (acquired by Marriott International)

Following the breach, this information did not surface on the dark web, where stolen data of this nature is typically sold. Most ‘ordinary’ cybercriminals try to unload their bounty quickly after a hack; state-sponsored entities typically retain the data for strategic use.

“China uses personal information acquired in breaches combined with artificial intelligence to generate profiles of National Security employees and contractors,” says Attorney General William P. Barr. These cyberattacks have been a “deliberate and sweeping intrusion”.

When it rains…

One of the largest and most severe breaches was the 2015 breach of the Office of Personnel Management. Cyberattackers were able to make off with 22 million security clearance files from the office, which is responsible for keeping track of federal employees and contractors.

The Chinese government immediately recognized the value of such information. The breach included highly sensitive information such as foreign contacts, relationships, health histories, and details of the employees’ families.

Malicious actors could use such information to identify targets in financial distress who are ripe for blackmail, extortion, or bribery.

The indictment goes on to suggest that China is constructing a database of individuals in national security positions. This vast sea of data can then be fed to artificial intelligence algorithms.

The Chinese government has been aggressively increasing its cyber warfare capabilities. United States companies have come under increasing attack by state-sponsored foreign entities. China repurposes much of the stolen intellectual property to bolster its economy.

Additionally, China has been known to flout the 2015 agreement between President Barack Obama and President Xi Jinping that stated “neither side would carry out cyberattacks for economic gain”.


The Justice Department’s willingness to charge Chinese officers in the Equifax hacking is an unusual move; such indictments are usually avoided because of the potential for retaliation against undercover operatives or United States soldiers. The Justice Department has, however, made exceptions in the past for cases involving cyberattacks.

The defendants in the case are Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei, members of the 54th Research Institute, a component of the People’s Liberation Army.

Chinese military officers charged in Equifax hacking

A long time coming…

Because of the advanced encryption in place and the numerous jurisdictions involved, the investigation was long and slow going. Each day, the attackers wiped their tracks clean by erasing system logs.

The attackers concealed their activity within the networks by using advanced encryption techniques. While carrying out the attack, they routed their internet traffic through 34 different servers in approximately 19 different countries. As a result, investigators had a bureaucratic nightmare on their hands: there are no global laws or policies in place for dealing with cyber security incidents.

After a years-long investigation, officials eventually traced the traffic back to two servers based in China that had made direct connections to the Equifax network. Through forensic analysis of the collected malware samples and of the attackers’ digital footprints, investigators were able to identify the four defendants.

One of the key takeaways of the Equifax breach is just how preventable it was. A single unpatched system opened the door to some of the nation’s most sensitive financial information. It is only a matter of time before we see a breach resulting from the 800,000 devices still vulnerable to BlueKeep.
