
Chinese military personnel charged in Equifax breach

Four members of China's military have been charged for hacking Equifax following a 2017 breach that compromised nearly 150 million Americans' personal information.

BREAKING -- The U.S. Department of Justice announced the indictments of four members of China's military over the Equifax breach in 2017, which led to the theft of information belonging to nearly 150 million Americans.

Liu Lei, Wang Qian, Wu Zhiyong and Xu Ke were charged with computer fraud, economic espionage and wire fraud. The four, who were identified by the DOJ as members of the Chinese People's Liberation Army (PLA) 54th Research Institute, were indicted by a federal grand jury in Atlanta last week.

"This was one of the largest data breaches in history," Attorney General William Barr said during a press conference Monday. "The deliberate indiscriminate theft of vast amounts of sensitive personal data of civilians as occurred here cannot be countenanced."

According to the indictment, the PLA hackers gained access to Equifax's network and obtained database credentials from a data repository. The hackers then used the credentials to log in to various databases and obtained personally identifiable information (PII) stored in those systems. Over the course of several months, the hackers ran approximately 9,000 queries in Equifax's systems to obtain the PII.

The DOJ also said the PLA hackers tried to evade detection by using encrypted communication channels within Equifax's network, and deleting data files and wiping log files on a daily basis. The alleged hackers also routed their traffic through 34 servers located in nearly 20 countries to hide their true location. However, the indictment showed a series of IP addresses and servers in China, as well as servers in Switzerland and Singapore, connected to Equifax's network to issue unauthorized commands, deliver malicious web shells and receive stolen PII.

Equifax data breach: A timeline

Equifax first revealed the data breach in September 2017, though the credit rating agency had discovered the intrusion months earlier. The breach was later traced to a web server that Equifax failed to properly patch; the threat actors exploited a vulnerability in the Apache Struts software used by Equifax's online dispute portal.

The Equifax breach exposed names, birth dates, Social Security numbers and addresses of approximately 148 million U.S. consumers, and also exposed the driver's license numbers of 10 million consumers. Equifax came under heavy criticism from the infosec community and the U.S. government for what many felt was inadequate security for consumers' private data and questionable responses to the breach once it was discovered.

The DOJ declined to comment further, and Equifax has not responded to SearchSecurity's request for comment at this time.
