2017 Equifax Hack: ‘It was the Chinese Army,’ Alleges DoJ

The U.S. government has indicted four Chinese citizens, accusing them of a huge hack of Equifax. As you might recall, this was the breach that leaked more than 150 million people’s data.

The DoJ alleges Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊) did the dirty deed, and that they’re members of the Chinese military—specifically, the PLA’s 54th Research Institute. In the West, the group is variously known as APT10, Cloud Hopper, CVNX, MenuPass, Potassium, Red Apollo, RedLeaves or Stone Panda.

Cute names. Scary stuff. In today’s SB Blogwatch, we live in interesting times.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 구시 가지 도로.


What’s the craic? Doina Chiacu—“U.S. charges four Chinese military hackers in 2017 Equifax breach”:

 Attorney General William Barr said … “This was one of the largest data breaches in history.” … The indictment charges four members of the Chinese Liberation Army, he said.

Roughly 147 million [US] people had information, including Social Security numbers and driver’s license data, compromised by the breach. … The Chinese Embassy in Washington did not immediately respond to a request for comment.

And Eric Geller adds—“U.S. charges Chinese spies”:

 Officials said the massive hack by the members of China’s People’s Liberation Army underscored Beijing’s aggressive pattern of stealing private data to improve its intelligence operations and boost the performance of its domestic companies. … A grand jury in Atlanta returned a nine-count indictment against PLA operatives Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei … charging them with wire fraud, economic espionage, conspiracy to commit computer fraud and other offenses.

Chinese spies have ramped up espionage-focused hacking in recent years. Their targets — including the Office of Personnel Management and the health insurance titan Anthem — reflect Beijing’s desire to amass dossiers on Americans, especially those with security clearances, in the hope of compromising them.

If the previous cases are any indication, there’s little chance the [accused] will be apprehended … anytime soon. Officials routinely acknowledge as much when announcing charges against state-backed hackers, but they say that the charges put bad actors on notice and curtail their ability to live normal lives.

But how else to respond? throwaway_tech suggestifies thuswise:

 The US needs to treat this as an act of war by a foreign military/government, not as a criminal act by people … and respond with the use of force as permitted by the UN Charter and international laws and norms. By responding with grand jury indictments the US sets a terrible and dangerous precedent and is telling foreign governments the US will not do anything in response to military based acts of cyber warfare.

The UN Charter only permits a response in proportion to the offense. I do think an act of cyber warfare may legally allow us of “armed force” but it would likely have to be limited to targeting the installations where the attacks were coming from (but realistically it is a new and undeveloped area of law with respect to cyber warfare).

So why does it matter? Nick Johnston tells us “Why it matters”:

 The announcement comes at a fraught time for U.S.-China relations — just weeks after the signing of a critical “phase one” trade deal that ratcheted down economic tension between the two nations. [It] brings the issue of Chinese government-backed intellectual property theft — a top Trump administration worry — back to the forefront.

It isn’t the first massive China-backed corporate hack, as a Marriott data breach that affected as many as 500 million customers as far back as 2014 was tied to Chinese intelligence services in 2018.

Are the four part of a known hacking group? Zack Whittaker’s article is apt: [You’re fired—Ed.]

 The hackers are said to be part of the APT10 group, a notorious Beijing-backed hacking group that was previously blamed for hacking into dozens of major U.S. companies and government systems, including HPE, IBM, and NASA’s Jet Propulsion Laboratory.

An investigation showed [Equifax] failed to patch a web server it knew was vulnerable for weeks, which let hackers crash the servers and steal massive amounts of personal data. Names, addresses, Social Security numbers … driver license and credit card numbers were stolen in the breach. The data breach also affected British and Canadian nationals. … Equifax later settled with the Federal Trade Commission to pay at least $575 million in fines.

Neither Equifax nor the Chinese Consulate in New York immediately responded to requests for comment.

APT10? Sing, William Tsing—“The Advanced Persistent Threat files”:

 These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups. … First observed in 2009, APT10 is most commonly attributed … to the Chinese Ministry of State Security (MSS).

Attacks are typically, but not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high value counter intelligence targets. … APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets.

Wait. Pause. Why are we so surprised, asks kazinator:

 It’s almost literally the job description of military personnel to conspire to cause mayhem abroad. … This is just mild espionage.

Isn’t it time someone blamed the victim? @blktechwarrior obliges:

 This is a meaningless gesture from Justice indicting someone who is not in the United States from a country you have no chance to capture or extradite them from. How about indicting someone from Equifax who left millions of Americans at risk?

And houghi angrees:

 The real guilty ones are the ones not patching the server.

If anything these 4 are [allegedly] guilty of entering a house where they left the door open. Not innocent, but not as guilty as the company responsible for that theft and that is not those 4. That is [Equifax] itself.

Meanwhile, fma triangulates for great justice:

 The [Office of Personnel Management] hack was supposedly done by the Chinese government, too. … It would be easy to know who to bribe if you know who works in government, and which one has debt.

And Finally:

구시 가지 도로

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Dept. of Justice

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 452 posts and counting.See all posts by richi