The U.S. Justice Department on Monday charged four Chinese military officials with hacking into credit reporting firm Equifax in 2017 and stealing information on about 150 million Americans. It is believed to be one of the largest thefts of personal information by foreign state-sponsored hackers ever.
The criminal charges include a nine-count indictment returned by a U.S. grand jury alleging that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei — all members of the Chinese People’s Liberation Army’s 54th Research Institute — hacked into Equifax’s servers and stole information including Social Security numbers on nearly half the U.S. population.
The indictment said the hackers exploited a weakness in the Apache Struts Web framework software used by Equifax’s portal for online disputes, and gained access to login credentials that were then used to navigate through the credit agency’s networks.
The hackers then spent several weeks running queries to identify the company’s database and search for personal information, then downloaded the information to temporary files before exfiltrating them to computers outside the United States. In all, the hackers ran about 9,000 queries on Equifax to obtain names, birth dates and Social Security numbers for tens of millions of Americans, the indictment said.
The break-in happened two months after Apache announced a vulnerability in some versions of its software and the U.S. Computer Emergency Readiness Team issued a warning, asking companies to patch the weakness. But Equifax had failed to fix the gap, the indictment said.
“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William Barr said at a news conference in Washington. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
The charges mark the second major allegation against Chinese state-backed hackers for stealing a vast quantity of personal information on Americans. The first large-scale hack happened in 2015 when Chinese hackers broke into the U.S. Office of Personnel Management and took sensitive information on about 21 million American government employees who provided information to obtain security clearances.
U.S. news reports, citing unnamed officials, have said that Chinese intelligence services also orchestrated the hack of Marriott’s Starwood hotel chain in 2018, stealing personal information on about 383 million guests including passport and travel details.
The combination of information obtained from these various hacks could be used to target U.S. officials and Americans at large, FBI Deputy Director David Bowdich said at the news conference. But he added that the FBI hasn’t seen such cyber targeting yet.
China’s targeted attacks designed to steal the personal information of Americans make China “one of the most significant threats to national security,” Bowdich said.