U.S. Charges Chinese Military Officers in 2017 Equifax Hacking

WASHINGTON — Four members of China’s military were charged on Monday with hacking into Equifax, one of the nation’s largest credit reporting agencies, and stealing trade secrets and the personal data of about 145 million Americans in 2017.

The charges underscored China’s quest to obtain Americans’ data and its willingness to flout a 2015 agreement with the United States to refrain from hacking and cyberattacks, all in an effort to expand economic power and influence.

The indictment suggests the hack was part of a series of major data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target American intelligence officers and other officials, Attorney General William P. Barr said.

“This was a deliberate and sweeping intrusion into the private information of the American people,” he said.

The information stolen from Equifax, which is based in Atlanta, could reveal whether any American officials are under financial stress and thus susceptible to bribery or blackmail.

Though not as large as other major breaches, the attack on Equifax was far more severe. Hackers stole names, birth dates and Social Security numbers of nearly half of all Americans — data that can be used to access information like medical histories and bank accounts.

“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Mr. Barr said at a news conference announcing the charges, citing China’s theft of records in recent years from the government’s Office of Personnel Management, Marriott International and the insurance company Anthem.

The biggest of those breaches was the theft in 2015 of roughly 22 million security clearance files from the government personnel office, which keeps track of federal employees and contractors.

It quickly became clear that the data was of significant value to the Chinese government: American officials with security clearances — including some of the most senior members of the government — had to reveal foreign contacts, relationships including extramarital affairs, health histories and information about their children and other family members.

The breach was so severe that the C.I.A. had to cancel assignments for undercover officers planning to go to China; though the agency did not submit its employees’ information to the personnel office, those individuals were often undercover as State Department or other government officials.

Then it got worse. Hacks into Anthem’s database and Starwood hotels — later taken over by Marriott — appeared to be orchestrated by the same or related Chinese groups. The United States assessed that China was building a vast database of who worked with whom in national security jobs, where they traveled and what their health histories were, according to American officials.

Over time, China can use the data sets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be primed for future grooming and recruitment, John C. Demers, the assistant attorney general for national security at the Justice Department, said in an interview.

The charges were only the second time that the Justice Department has indicted Chinese military officers on suspicions of hacking. In 2014, five Chinese military officers were indicted in data thefts from a labor union, critical infrastructure and companies including U.S. Steel.

The Justice Department rarely secures indictments against members of foreign militaries or intelligence services, in part to avoid retaliation against American troops and spies, but Mr. Barr said it has made exceptions for state-sponsored actors who hacked into American networks to steal intellectual property or interfere in United States elections.

In 2015, President Barack Obama and President Xi Jinping of China agreed to rein in economically motivated cyberattacks in order to cooperate with requests to investigate cybercrimes and to avoid targeting critical infrastructure in each other’s countries.

While Justice Department officials do not believe economic espionage was the primary goal of the Equifax hacking, Mr. Demers said the attack could be seen as a violation of the spirit of that deal.

“China sees economic interests and intelligence interests as one and the same,” he said. “Commercial benefits are national security benefits in China.”

The indictment shows that in addition to signing treaties and adopting certain conventions, the United States must also be willing to publicly identify and indict state actors in criminal cases, said Megan Brown, the leader of the cyber and privacy practice at the law firm Wiley Rein.

“This is how we will drive international norms: by indicting people, not solely by negotiating treaties and adopting conventions,” she said.

The nine-count indictment accused the Chinese military of hacking into Equifax’s computer networks, maintaining unauthorized access to them and stealing sensitive, personally identifiable information about Americans.

Months before the attack, the government warned Equifax that its network contained a vulnerability, but the company did not patch it, according to government documents. The hacking was “entirely preventable,” a congressional study concluded in 2018.

The defendants — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all members of the People’s Liberation Army — exploited that weakness in May 2017 to break into the network, conduct weeks of surveillance and steal Equifax employee login credentials before filching trade secrets and data. They masked their activity by using encrypted communications and routing their internet traffic through 34 servers in nearly 20 countries, including Switzerland and Singapore, according to prosecutors.

For the most part, they managed to erase their tracks inside of the Equifax network. But investigators eventually traced their activity to two China-based servers that connected directly to Equifax.

Investigators identified the four indicted officers by reviewing forensic data, analyzing the malware used in the attack and establishing a digital footprint that linked them to the intrusion, David Bowdich, the deputy director of the F.B.I., said at the news conference.

In the months after Equifax was hacked, security researchers concluded that criminals, not state actors, had siphoned information over a few months after gaining access to the network. That alone was enough to force the resignation of the company’s chief executive.

But that explanation appeared increasingly suspect over time because the Equifax data — like the information gleaned from the Office of Personnel Management — did not appear broadly for sale on the so-called dark web, where illicitly obtained information is often sold for use in cybercrime.

Law enforcement officials have not yet found evidence that the Chinese government has used the data from the Equifax hacking, Mr. Bowdich said.

The company reiterated on Monday the difficulty of warding off state-sponsored attacks. Companies often fall back on that explanation; Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, pushed back after the indictment was made public.

“A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care — and face any consequences that arise from that failure,” he said in a statement.

The hackers’ encryption of their operations inside Equifax’s networks is a common technique and has raised new questions about why such sensitive data in American databases is not legally required to be encrypted, experts noted. Many companies have resisted such regulation, in part because encrypted data can be harder for them to search.

China has “pioneered an expansive approach to stealing innovation,” Christopher A. Wray, the director of the F.B.I., said last week at a conference on the threats posed by China.

He said China was racing to obtain information about sectors as diverse as agriculture and medicine to advance its economy, using a mix of legal means like company acquisitions and illicit acts like spying and cyberattacks.

“They’ve shown that they’re willing to steal their way up the economic ladder at our expense,” Mr. Wray said.

The outcry from consumers and lawmakers after the Equifax breach and the company’s clumsy response was strong: Its executives were chastised, and Equifax eventually settled with regulators for up to $700 million.

But of the 147 million consumers affected, only a little more than 10 percent had filed for some type of compensation as of Dec. 1.

Of those, more than 4.5 million filed claims for a cash payment of up to $125, one of the settlement options. But the company had set aside only $31 million for that option, which amounts to less than $7 a person.

While the thefts present a national security risk, Americans have “almost become as a country immune to these breaches,” Mr. Bowdich said.

“You hear about it in the news and you think, ‘Well there goes my credit card number, my Social Security number, my bank account information,’ and you sign up for another year of free credit card monitoring information,” he said. “We cannot think like that in this country.”

David E. Sanger contributed reporting from Washington, Nicole Perlroth from San Francisco and Tara Siegel Bernard from New York.

Source link