Chinese hackers took pains to cover their fingerprints in allegedly hacking credit monitoring agency Equifax in 2017, but a senior Department of Justice official says an indictment unsealed earlier this month shows the smokescreen didn’t work.
“They’re always going to try to make our job harder,” John Demers, the assistant attorney general for national security, said Monday at San Francisco CyberTalks presented by CyberScoop. “And they’re also going to try to give themselves a basis to deny what it is I think that we’re proving in these cases.”
The charges against four officials in China’s People’s Liberation Army for allegedly stealing data on some 145 million Americans from Equifax show just how determined the hackers were to infiltrate a U.S. company (China’s foreign ministry rejected the allegations). The hackers routed their internet traffic through servers in nearly 20 countries, wiping the computer logs along the way in a bid to cover their tracks.
But Demers’ comments reflect the intense resources that Washington is willing to utilize in cases like these, from human intelligence sources abroad to the National Security Agency’s own hacking capabilities.
“One question that I will get from sometimes folks in China…is, ‘Attribution is really hard, so you never really know who did this, isn’t that right?’” Demers said. “And I say, ‘Yeah, attribution is really hard. But yet we can figure it out.’”
China has repeatedly denied U.S. hacking allegations, including those involving Equifax.
Analysts say the indictment is also evidence of the cyberthreat from China’s military, and not just its civilian intelligence agency, to U.S. corporations.
After the first U.S. state-sponsored espionage case against the PLA in 2014, many of the cyber-related charges brought by U.S. prosecutors have been against affiliates of the Ministry of State Security, China’s civilian spy agency. The MSS and its hackers are seen by many U.S. officials and private analysts as Beijing’s go-to arm for stealing trade secrets.
While that analysis hasn’t changed, Demers pointed to the indictment as proof of the PLA’s persistent cyber activity.
“I don’t think the PLA has ever gone away, and this shows that,” Demers said. “They’re complementing each other in their efforts,” Demers added, referring to China’s spies and military hackers.
Dmitri Alperovitch, who until recently was the CTO of cybersecurity company CrowdStrike, called the indictment “fascinating because it proves for the first time since late 2015 that the PLA activities have not completely ceased.”
“The vast majority of the intrusions affiliated with Chinese government are still run by MSS and their contractors,” Alperovitch told CyberScoop, “but the Equifax indictment shows that PLA cyber operators are still lurking in the shadows and executing occasional operations.”