The US Department of Justice (DOJ) today brought espionage charges against the four Chinese military hackers allegedly responsible for the 2017 Equifax data breach.
Widely considered one of the largest data breaches in US history, the 2017 attack exposed the personal data of nearly 150 million people. Equifax was fined more than $700 million for its role – investigators concluded that it was lackadaisical security practices on the part of Equifax employees that allowed China’s spies to infiltrate Equifax’s computer systems.
According to the indictment, the hackers exploited a security flaw after Equifax failed to update software it’d been warned could give bad actors access.
While it remains unclear if or how the Chinese government has used the information gleaned by the hackers, the new details on exactly what data was obtained are concerning to say the least.
Per a statement from the DOJ:
The defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system.
Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.
In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.
The FBI says it’s committed to bringing cybercriminals to justice “no matter … what country’s uniform they wear.” This is according to FBI deputy director David Bowdich, who added that the charges represented a “day of reckoning” for digital assailants around the world.
However, it’s unclear exactly what Bowdich or the FBI intend to do about the situation. China isn’t going to hand over four of its military service members, and US law enforcement has no way of extraditing, capturing, or arresting them.
Attorney General William Barr, speaking at a news conference announcing the indictments, said the Chinese government could potentially sell the data – which covers nearly half the population of the US – and use the proceeds to fund its artificial intelligence research.
Just last month US President Donald Trump signed a trade deal with China, indicating that his administration is more concerned with sealing an economic deal with the country than dealing with what AG Barr described as “a deliberate and sweeping intrusion into the private information of the American people.”
The US government doesn’t appear to have an answer for the problems of IP theft and hacking from the Chinese government. AG Barr offered the vague threat that “we [the US government] remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” and FBI deputy director Bowdich held out the hope that the four charged hackers would “slip up” and provide US law enforcement with an opportunity to arrest them outside of China.
In the meantime, in the US, the IT departments at Equifax and the hundreds of thousands of other businesses with our sensitive data remain our only line of defense against state-sponsored military hackers from China.