Four members of the Chinese military have been charged by the United States with stealing the personal information of over 147 million Americans in a massive cyberattack on credit rating giant Equifax.
On Monday, Feb. 10, Attorney General William Barr announced the indictments, calling the hack “one of the largest data breaches in history.”
The court documents describe how the four Chinese defendants (Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei), allegedly members of the People’s Liberation Army’s 54th Research Institute, stole sensitive personal information, including names and addresses of Americans. The data of some UK and Canadian citizens has also been compromised.
A grand jury in Atlanta returned a nine-count indictment against the four PLA operatives on Jan. 28, charging them with wire fraud, economic espionage, conspiracy to commit computer fraud, and other offenses.
“For years we have witnessed China’s voracious appetite for the personal data of Americans,” Barr said at a press conference. “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
“This was a deliberate and sweeping intrusion into the private information of the American people. Today we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” said Barr.
FBI Deputy Director David Bowdich described the Equifax breach as “the largest theft of sensitive [personally identifying information] by state-sponsored hackers ever recorded.”
“The scale of the theft was staggering,” Barr said.
After gaining access to the Equifax network by May 2017, the hackers exploited a flaw in software known as Apache Struts, enabling them to steal login credentials for other areas of the network.
After several weeks of running about 9,000 search queries that netted them sensitive data such as Social Security numbers and passport photos, they bundled the files they wanted in a way meant to avoid detection and transmitted them to overseas computer servers.
“They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity,” the Justice Department said in a press release.
Intelligence officials have also linked Beijing to other major cyberattacks, including the Marriott hack that exposed the personal data of roughly 500 million people.
“At the FBI we’ve been saying for years that China will do anything it can to replace the United States as the world’s leading superpower,” Bowdich said. “This indictment is about more than targeting just an American business. It’s about the brazen theft of sensitive personal information of nearly 150 million Americans.”
Chinese Foreign Ministry spokesman Geng Shuang has denied the allegations, and said on Feb. 11 that China’s regime, military, and their personnel “never engage in cybertheft of trade secrets.”