The U.S. Department of Justice on Monday announced charges against four members of China’s People’s Liberation Army for allegedly hacking into credit reporting agency Equifax in 2017 and stealing personal information on some 145 million Americans.
The charges, which include the alleged theft of Equifax’s trade secrets, mark an escalation in the U.S. government’s long-running pressure campaign to hold alleged Chinese state-sponsored hacking to account.
“The scale of the theft was staggering,” Attorney General William Barr said Monday, adding that the Chinese hackers “invaded the privacy of many millions of Americans,” stealing data such as driver’s license numbers and Social Security Numbers.
The four officials — Wu Zhiyong, Wang Qian, Xu Ke, and Lieu Lei — are said to work for the PLA’s 54th Research Institute, which is part of the Chinese military. The defendants allegedly exploited a vulnerability in the Apache Struts software to gain persistent access to Equifax’s network.
The 2017 breach of Equifax, and the company’s lax security measures, infuriated members of Congress and led to a shake-up at the credit-reporting company. Equifax last month agreed to pay $380.5 million to victims of the breach as part of a class-action lawsuit.
In a statement, Equifax CEO Mark W. Begor thanked FBI investigators and DOJ prosecutors for pursuing the case and touted the $1.25 billion in additional security and technology spending he said his company is making between 2018 and 2020.
“The attack on Equifax was an attack on U.S. consumers as well as the United States,” Begor said.
In statements issued Monday, U.S. lawmakers such as Sen. Mark Warner, D-Virginia, criticized Equifax’s security practices prior to the breach.
While welcoming the indictment, Warner, the top Democrat on the Senate Intelligence Committee, said the charges do not “detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack.”
China has repeatedly denied it uses hacking to steal intellectual property. The Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment.
A treasure trove for Chinese spies
Barr listed multiple other instances of alleged Chinese theft of U.S. data, including a hack of Marriott International’s computer networks that the hotel group disclosed in 2018. Some 383 million customer records were stolen in the breach, according to Marriott.
The data swept up in these breaches “has economic value,” Barr said, “and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence-targeting packages.”
John Demers, the assistant attorney general for national security, told CyberScoop that the Chinese government was working to make those advanced intelligence tools a future reality. For now, Demers said, the trove of personal data stolen in the Equifax and other breaches offered Beijing plenty of ammunition for targeting high-value Americans for intelligence collection.
“[In] a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens,” says the indictment, returned by a federal grand jury in Atlanta, where Equifax is headquartered.
Jamil Jaffer, a former Department of Justice and White House official in the George W. Bush administration, said the indictment highlights China’s “larger effort to undermine our economic competitiveness and strategic position globally.”
U.S. companies need to work with each other more closely, and with the government, “to defend themselves against this committed nation-state attacker,” said Jaffer, who is now a senior vice president at IronNet Cybersecurity.
You can read the full indictment here or below.