Even for U.S. law enforcement, the Equifax hack was different.
Unlike in previous examples of apparent Chinese government-backed cyber-operations, the hackers behind the Equifax breach stymied police for months. After the Office of Personnel Management hack in 2015, and the Marriott breach which was disclosed in 2018, investigators were confident enough that China was involved to tell the Wall Street Journal and New York Times about their suspicions soon afterward.
With Equifax, the search for who was responsible was remarkably harder. Data stolen from the credit monitoring firm hadn’t appeared for sale on criminal forums, a possible indication of a nation-state’s involvement. And while the trove of financial information would certainly be useful to foreign intelligence agencies, using forensic data to validate that theory would prove to be a tall order.
The charges announced Monday outline a conspiracy to not only steal a massive trove of information on 145 million Americans but also get away with the theft. Unlike prior indictments filed against other hackers allegedly working on Beijing’s behalf, the 24-page filing details how the thieves routed their internet traffic through 34 servers in nearly 20 countries, extracted data in compressed files, and wiped the computer logs from a leased server on a daily basis, among other techniques.
“There was an extended period of time where, from a domestic law enforcement period, we had no idea who was behind this,” said one former Justice Department official. “There was not a straight line to China.”
‘A huge pain’
Hackers first made their way into Equifax’s systems through the digital equivalent of an open door. For two months in 2017, the company neglected to patch a known software vulnerability. Then, four officers from China’s People’s Liberation Army — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei — spent two months inside, stealing names, Social Security numbers and other information about nearly half the people in the U.S., prosecutors say.
Making matters worse for the FBI was that Equifax representatives slowed down the investigation by refusing to share any details that weren’t vetted by outside attorneys. At times, the company moved so slowly that people inside the Justice Department briefly considered issuing a subpoena, according to the former official.
“Going through the attorneys was a huge pain in the ass, and it really slowed things down,” the former official said.
In a statement, Equifax chief information security officer Jamil Farshchi, who took the position in February 2018, said top Justice Department officials have “all acknowledged Equifax’s cooperation throughout the investigation and expressed appreciation for the important role Equifax played in collaborating with authorities following the incident in 2017. We have been working closely with law enforcement since July 2017 and appreciate the efforts of every FBI investigator and Justice Department prosecutor who participated in this investigation.”
Even when law enforcement had access to the incident data, the investigation proved to be more confusing than previous ones.
According to an unrelated December 2018 indictment against two members of China’s Ministry of State Security, attackers used a network of websites to “route the pre-programmed malicious domains in their malware to different IP addresses of computers under their control.” While those hackers used a series of cloaking techniques to disguise their activity, their malicious websites would have provided investigators with a starting point to begin mapping a larger hacking infrastructure.
Instead of registering domains to spread malware, the Equifax hackers directly connected malicious code, known as a web shell, to a server in a way that enabled them to remotely collect data from the Equifax network, according to the indictment.
By combining that tactic with legitimate administration tools, hackers were able to navigate through Equifax’s network without relying on the kind of noisy hacking techniques that might otherwise give away their identity, said security researcher Timo Steffens, who reviewed the charges.
“In other cases, individuals were identified because they were responsible for registering control server domains,” he said. “Without malware, there are no, or not many, control server domains that could be checked for registration mistakes or payment traces. There are no patterns of life that can be analyzed, like timestamps of compilation, no language resources or strings [and] no debug information.”
How this getaway compared to others
The indictment filed against two men for allegedly carrying out the 2015 data breach at Anthem health insurance, which compromised data about more than 78 million people, also described how two attackers stole data by placing it into an encrypted archive files, then sending it through multiple computers in destinations in China. They used the Citrix ShareFile data storage and transfer service, the indictment says, then worked to delete the encrypted archives of stolen files.
Compare that approach to the techniques detailed in the Equifax case.
Along with using 34 servers in roughly 20 countries, an “unheard of and unnecessary amount of effort,” according to Steffens, the group used reseller hosting services, which allowed them to disguise their traffic to make it appear as if it wasn’t coming from China.
They also used “encrypted communication channels within Equifax’s network,” which could refer to the use Equifax’s internal virtual private network, to blend in with normal network traffic. Compressing and dividing the files would have helped avoid tripping security controls, while conspirators also “configured settings on at least one of their leased servers” to delete would-be evidence on a daily basis.
For the FBI, the effect was akin to a traditional manhunt, where investigators had to examine leads as they surfaced from throughout the world. The dozens of traffic re-directs, encryption techniques and ephemeral log files were like “the modern day version of changing your identity and growing a beard and coloring your hair,” the former Justice Department official said.
“There were times when we thought we had a lead outside China, like, hemispheres away, and it required chasing all that down,” said the former official, who declined to provide any specific details about how the case moved forward.
“I just doubt this could have been done without a three-letter agency.”
The Chinese government has denied any involvement in the breach.
The indictment is available in full below.