Four members of China’s People’s Liberation Army have been formally charged by the Department of Justice over the 2017 hack of US credit reporting agency Equifax, according to a press release from the agency on Monday.
The four suspects, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, were members of the 54th Research Institute, a cyberwarfare wing of the PLA. The DOJ alleges the quartet gained access to Equifax’s network by exploiting a flaw in the Apache Struts Web Framework on the company’s dispute site and then used that access to run over 9,000 queries on the network.
The intrusions continued for 3 months before being detected. They relied on a security flaw that Apache had patched in March of 2017; it was later determined that Equifax had failed to install that patch.
The hack affected 147.7 million Americans, cost Equifax $575 million in fines, and collected a massive trove of sensitive data. It is considered one of the most potentially damaging cyber-attacks in US history. The culprits stole names, addresses, Social Security numbers and birthdates, all the components needed for identity theft.
The alleged hackers also used the breach to steal trade secrets regarding Equifax’s proprietary data processing & storage systems. Attorney General William Barr released a statement, calling the intrusions part of a concerted effort by the Chinese government to steal American data.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.” (DOJ Press Release)
The four suspects have each been charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, conspiracy to commit wire fraud, two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
The indictment is embedded below.