(Written by Katie Benner)
Four members of China’s military were charged on Monday with hacking into Equifax, one of the nation’s largest credit reporting agencies, and stealing trade secrets and the personal data of about 145 million Americans in 2017.
The charges underscored China’s quest to obtain American’s data and its willingness to flout a 2015 agreement with the United States to refrain from hacking and cyberattacks, all in an effort to expand economic power and influence.
The indictment suggests the hack was part of a series of major data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target U.S. intelligence officers and other officials, Attorney General William Barr said.
“This was a deliberate and sweeping intrusion into the private information of the American people,” he said.
The information stolen from Atlanta-based Equifax could reveal whether any U.S. officials are under financial stress and thus susceptible to bribery or blackmail.
Though not as large as other major breaches, the attack on Equifax was far more severe. Hackers stole names, birth dates and Social Security numbers of nearly half of all Americans — data that can be used to access information like medical histories and bank accounts.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Barr said in announcing the charges at the Justice Department, citing China’s theft of records in recent years from the government’s Office of Personnel Management, Marriott International and insurance company Anthem.
The biggest of those breaches was the theft in 2015 of roughly 22 million security clearance files from the government personnel office, which keeps track of federal employees and contractors.
It quickly became clear that that data was of significant value to the Chinese government: U.S. officials with security clearances, including some of the most senior members of the government, had to reveal foreign contacts, relationships including extramarital affairs, their health history and information about their children and other family members.
The breach was so severe that the CIA had to cancel assignments for undercover officers planning to go to China; even though the CIA did not submit its employees’ information to the personnel office, those officials were often undercover as State Department or other U.S. officials.
Then it got worse. Hacks into Anthem’s database and Starwood hotels — later taken over by Marriott — appeared to have been orchestrated by the same or related Chinese groups. The United States assessed that China was building a vast database of who worked with whom in national security jobs, where they traveled and what their health histories were, according to U.S. officials.
Over time, China can use the data sets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be vulnerable for future grooming and recruitment, John Demers, head of the Justice Department’s National Security Division, said in an interview.
The charges represented only the second time that the Justice Department has indicted Chinese military officers on suspicions of hacking. In 2014, five Chinese military officers were indicted in data thefts from companies including U.S. Steel, a labor union and critical infrastructure.
The Justice Department rarely secures indictments against members of foreign militaries or intelligence services, in part to avoid retaliation against American troops and spies, but Barr said it has made exceptions for state-sponsored actors who hacked into U.S. networks to steal intellectual property or interfere in U.S. elections.
In 2015, President Barack Obama and President Xi Jinping of China agreed to rein in economically motivated cyberattacks, to cooperate with requests to investigate cybercrimes and to avoid targeting critical infrastructure in each other’s countries.
While the Justice Department does not believe that economic espionage was the primary goal of the Equifax hacking, Demers said that the attack could be seen as a violation of the spirit of that deal.
“China sees economic interests and intelligence interests as one and the same,” Demers said. “Commercial benefits are national security benefits in China.”
The indictment shows that beyond signing treaties and adopting certain conventions, the United States must also be willing to publicly identify and indict state actors in criminal cases, said Megan Brown, leader of the cyber and privacy practice at law firm Wiley Rein.
“This is how we will drive international norms — by indicting people, not solely by negotiating treaties and adopting conventions,” Brown said.
The nine-count indictment accused the Chinese military of hacking into the company’s computer networks, maintaining unauthorized access to them and stealing sensitive, personally identifiable information about Americans.
Months before the attack, the U.S. government warned Equifax that its network contained a vulnerability, but the company did not patch it, according to government documents. The hacking was “entirely preventable,” a congressional study concluded in 2018.
The defendants — Wu Zhiyong, Wang Qian, Xu Ke and Lui Le, all members of the People’s Liberation Army — exploited that weakness in May 2017 to break into the network and conduct weeks of surveillance and steal Equifax employee login credentials before filching the trade secrets and data. They masked their activity by using encrypted communications and routing their internet traffic through 34 servers in nearly 20 countries, including Switzerland and Singapore, according to prosecutors.
For the most part, they managed to erase their tracks inside of the Equifax network. But investigators eventually traced their activity back to two China-based servers that connected directly to Equifax.
Investigators identified the four indicted officers by reviewing forensic data, analyzing the malware used in the attack and establishing a digital footprint that linked them to the intrusion, David Bowdich, deputy director of the FBI, said at the news conference.
In the months after Equifax was hacked, security researchers concluded that criminals, not state actors, had siphoned information over a few months after gaining access to the network. That alone was enough to force the resignation of the company’s chief executive.
But that explanation appeared increasingly suspect over time because the Equifax data — like the information gleaned from the Office of Personnel Management — did not appear broadly for sale on the dark web, where illicitly obtained information is often sold for use in cybercrime.
Law enforcement officials have not yet found evidence that the Chinese government has used the data from the Equifax hacking, Bowdich said.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines