“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” US attorney general William Barr said at a press conference announcing the charges. “For years we have witnessed China’s voracious appetite for the personal data of Americans.”

That aggression dates back to a hack of the Office of Personnel Management, revealed in 2015, in which Chinese hackers allegedly stole reams of highly sensitive data relating to government workers, up through the more recently disclosed breaches of the Marriott hotel chain and Anthem health insurance.
Even in that group of impactful attacks, Equifax stands out both for the sheer number of those affected and the type of information that the hackers obtained. While some had previously suspected China’s involvement—that none of the information had made its way to the dark web indicated a state actor rather than a common thief—Monday’s DOJ indictment lays out a thorough case.

The Big Hack

On March 7, 2017, the Apache Software Foundation announced that some versions of its Apache Struts software had a vulnerability that could allow attackers to remotely execute code on a targeted web application. It’s a serious type of bug, because it gives hackers an opportunity to meddle with a system from anywhere in the world. As part of its disclosure, Apache also offered a patch and instructions on how to fix the issue.
They've negotiated a settlement with Equifax that entitles all victims to 10 years of free credit monitoring, or $125. This (unfortunately) could actually come in handy, given that Social Security numbers taken from Equifax are starting to show up on the dark web, and consumers have already suffered identity theft related to the breach, according to Pennsylvania attorney general Josh Shapiro.
Equifax, which used the Apache Struts Framework in its dispute-resolution system, ignored both. Within a few weeks, the DOJ says, Chinese hackers were inside Equifax's systems.

The Apache Struts vulnerability had offered a foothold. From there, the four alleged hackers—Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei—conducted weeks of reconnaissance, running queries to give themselves a better sense of Equifax’s database structure and how many records it contained. On May 13, for instance, the indictment says that one of the hackers ran a Structured Query Language command to identify general details about an Equifax data table, then sampled a select number of records from the database.
Eventually, they went on to upload so-called web shells to gain access to Equifax’s web server. They used their position to collect credentials, giving them unfettered access to back-end databases. Think of breaking into a building: It’s a lot easier to do so if residents leave a first-floor window unlocked and you manage to steal employee IDs.

From there, they feasted. The indictment alleges that the hackers first ran a series of SQL commands to find especially valuable data. Eventually, they located a repository of names, addresses, Social Security numbers, and birth dates. The DOJ says the interlopers ran 9,000 queries in all, not stopping until the end of July.
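The sequence the indictment describes, schema reconnaissance, then sampling a table, then thousands of harvesting queries from a compromised web-application account, is exactly the kind of pattern a database audit log can surface. The following is an added example, not code from the article, the indictment, or Equifax: a small Python analyser that reads constructed audit-log lines and flags any account and source address that enumerates schema metadata, samples a table, or issues far more queries than a configured baseline. The pipe-separated log format, the `dispute_app` account name and the IP addresses are all assumptions for the illustration.

```python
"""Flag database reconnaissance and bulk-query behaviour in an audit log.

Added example; the log format (timestamp | db user | source IP | SQL) is an
assumption and the sample lines below are constructed, not real records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Queries that read the catalogue rather than serve an application request.
SCHEMA_ENUM = re.compile(
    r"\b(information_schema|show\s+tables|show\s+columns|describe|sys\.tables)\b",
    re.IGNORECASE,
)
# A SELECT bounded by a small LIMIT/TOP: "let me look at a few rows" sampling.
SAMPLE = re.compile(r"\bselect\b.*\b(limit\s+\d+|top\s+\d+)", re.IGNORECASE | re.DOTALL)
TABLE_REF = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


@dataclass
class ActorStats:
    queries: int = 0
    schema_enum: int = 0
    samples: int = 0
    tables: set = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed audit line into (timestamp, user, source, sql)."""
    ts, user, src, sql = (part.strip() for part in line.split("|", 3))
    return ts, user, src, sql


def analyse(lines, query_threshold: int = 100):
    """Return one finding per (user, source) pair that shows recon or bulk querying."""
    stats = defaultdict(ActorStats)
    for line in lines:
        if not line.strip():
            continue
        _, user, src, sql = parse_line(line)
        s = stats[(user, src)]
        s.queries += 1
        if SCHEMA_ENUM.search(sql):
            s.schema_enum += 1
        elif SAMPLE.search(sql):
            s.samples += 1
        ref = TABLE_REF.search(sql)
        if ref:
            s.tables.add(ref.group(1).lower())

    findings = []
    for (user, src), s in sorted(stats.items()):
        reasons = []
        if s.schema_enum and s.samples:
            reasons.append("schema enumeration followed by sampling")
        if s.queries > query_threshold:
            reasons.append(f"{s.queries} queries exceeds threshold {query_threshold}")
        if reasons:
            findings.append({"user": user, "source": src, "queries": s.queries,
                             "tables": sorted(s.tables), "reasons": reasons})
    return findings


# Constructed log: a normal application host (10.0.0.5) and a second host
# (10.0.0.9) using the same account to enumerate, sample, then harvest.
CONSTRUCTED_LOG = [
    "2017-05-13T09:00:01 | dispute_app | 10.0.0.5 | SELECT status FROM disputes WHERE id = 4411",
    "2017-05-13T09:00:02 | dispute_app | 10.0.0.5 | UPDATE disputes SET status = 'open' WHERE id = 4411",
    "2017-05-13T21:14:07 | dispute_app | 10.0.0.9 | SELECT table_name, table_rows FROM information_schema.tables WHERE table_schema = 'consumer'",
    "2017-05-13T21:14:20 | dispute_app | 10.0.0.9 | SELECT column_name FROM information_schema.columns WHERE table_name = 'consumer_records'",
    "2017-05-13T21:15:02 | dispute_app | 10.0.0.9 | SELECT * FROM consumer_records LIMIT 10",
] + [
    f"2017-05-14T02:{i // 60:02d}:{i % 60:02d} | dispute_app | 10.0.0.9 | "
    f"SELECT * FROM consumer_records WHERE id BETWEEN {i * 1000} AND {(i + 1) * 1000}"
    for i in range(120)
]

if __name__ == "__main__":
    for f in analyse(CONSTRUCTED_LOG):
        print(f["user"], f["source"], f["queries"], "; ".join(f["reasons"]))
```

The two signals are deliberately keyed on the account and source address together: the harvesting in the constructed log uses the legitimate application account, so a per-account rule alone would blend the activity into normal traffic, whereas the new source host and the catalogue reads stand out immediately. The threshold should come from the account's observed baseline rather than a fixed number.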
Amassing that much data is one thing; getting it out undetected is another. China’s hackers allegedly used a few techniques to maintain access to the motherlode.