Four Chinese Military Members Indicted For 2017 Equifax Data Breach

Four members of China’s People’s Liberation Army have been accused of hacking into Equifax’s computer networks and stealing sensitive, personally identifiable information of some 150 million American citizens.


Four members of China’s People’s Liberation Army (PLA) have been indicted for allegedly hacking into Equifax’s computer systems and stealing Americans’ personal data and Equifax’s trade secrets.

The U.S. Department of Justice announced Monday that a federal grand jury has indicted PLA members Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei on nine counts, including conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. The defendants were also indicted for unauthorized access and intentional damage to a protected computer, feds said.

“This was a deliberate and sweeping intrusion into the private information of the American people,” U.S. Attorney General William Barr said in a statement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”


Zhiyong, Qian, Ke and Lei stand accused of hacking into Equifax’s computer networks, maintaining unauthorized access to those computers, and stealing sensitive, personally identifiable information of some 150 million American citizens during a three-month-long campaign stretching from roughly May 13, 2017, until roughly July 30, 2017.

The four defendants reportedly exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to obtain login credentials that could be used to further navigate Equifax’s network, according to the indictment. From there, the defendants reportedly spent weeks running queries and searching for sensitive, personally identifiable information within Equifax’s system.

“This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” Barr said in prepared remarks Monday.

After accessing the files of interest, the hackers are said to have stored the stolen information in temporary output files, compressed and divided the files, and ultimately downloaded and exfiltrated the data from Equifax’s network to computers outside the United States. All told, the hackers allegedly routed traffic through some 30 servers located in nearly 20 countries to obfuscate their true location.

In sum, the U.S. Department of Justice said the hackers ran 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for some 145 million American citizens. The hackers also got their hands on driver’s license numbers for at least 10 million Americans, as well as credit card numbers and other personally identifiable information belonging to 200,000 Americans.

“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.

Roughly 80 percent of the United States’ economic espionage prosecutions have implicated the Chinese government, Barr said, while some 60 percent of all trade secret theft cases in recent years involved some connection to China. The indictment is highly unlikely to lead to a criminal conviction since the four defendants live in China and no extradition agreement exists between China and the United States.

The Equifax indictment comes 14 months after the U.S. Justice Department indicted two members of APT10 - a threat group associated with the Chinese Ministry of State Security - for targeting and compromising MSPs to steal their clients’ intellectual property. In that case, Zhu Hua and Zhang Shilong were charged with computer hacking, conspiracy to commit wire fraud, and aggravated identity theft.

Equifax in July agreed to a record $700 million fine to settle litigation around the 2017 data breach, which included payments of up to $425 million into a victim’s compensation fund as well as $275 million of civil penalties. The victim’s compensation fund provides affected consumers with credit monitoring services and reimburses customers that paid out-of-pocket for credit or identity monitoring services.

“Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult,” Equifax CEO Mark Begor said in a statement Monday. “Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand.”