US charges Chinese military hackers with Equifax breach

10 February 2020, 15:23 | Updated: 10 February 2020, 20:13

The US has charged four members of the Chinese military with hacking into the credit rating agency Equifax and stealing the personal data of Americans as well as the company's trade secrets.

Equifax agreed to pay up to $700m (£542m) in a settlement with US regulators over the data breach, which occurred back in 2017 and affected more than 140 million consumers.

The attackers stole personal information including social security numbers, names, dates of birth, addresses, credit card numbers and driver's licence numbers from Equifax customers and clients.

In a nine-count indictment unsealed on Monday, US prosecutors alleged that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the People's Liberation Army's (PLA) 54th Research Institute, a component of the Chinese military.

The four men are accused of conspiring with each other to hack into Equifax's computer networks, maintain unauthorised access to those computers, and "steal sensitive, personally identifiable information of approximately 145 million American victims".

US Attorney General William Barr said: "This was a deliberate and sweeping intrusion into the private information of the American people.

"Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet's cloak of anonymity and find the hackers that nation repeatedly deploys against us.

"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."

The indictment revealed that the hackers attempted to conceal their cyber attack by routing traffic "through approximately 34 servers located in nearly 20 countries to obfuscate their true location" - and using encrypted channels within Equifax's network to blend in with normal network activity.

Last year, the US charged two hackers allegedly affiliated with Beijing's main intelligence service over a cyber espionage campaign targeting networks in the US and elsewhere.

Perhaps the most significant data breach suffered by the US in recent times has been blamed on the Chinese government.

The incident - a data breach at the US Office of Personnel Management (OPM) - has been cited as one of the most notorious security breaches of recent years.

OPM held information on all federal workers in the US, including those working in intelligence. Roughly 21.5 million public sector workers' information was stolen in the breach.

Among the stolen documents held by OPM were copies of a document known as Standard Form 86, a 127-page questionnaire filled out by staff seeking security clearance.

It listed all of the details which US officials would collect on intelligence personnel, such as debts - which the Equifax material could plausibly be used to cross-reference - in order to see if they were at risk of being manipulated by hostile intelligence organisations.