Chinese military hackers exploited a flaw in software that allowed U.S. consumers to dispute problems with their Equifax credit reports, giving the hackers access to the personal information of 145 million Americans, according to a criminal indictment unsealed Monday.
The 2017 breach occurred after Equifax security officials failed to install a software upgrade that had been recommended to seal off digital intruders from obtaining access to the names, birth dates and social security numbers of the victims, the indictment says.
The U.S. Department of Justice on Monday announced that a federal grand jury in Atlanta had delivered a nine-count indictment accusing four members of China’s People’s Liberation Army – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – of serving as masterminds of the hack.
FBI Deputy Director Bowdich said there’s no evidence the Chinese military has used the stolen information for any illegal purposes. But he said the “brazen theft” illustrates that “China is one of the most significant threats to our national security today.”
From a technical perspective, the breach unfolded like a classic robbery.
The criminals identified a flaw in Equifax’s security system, executed a plan of attack to penetrate the system and devised a scheme to cover their tracks on their way out.
According to the indictment, the hackers:
• Recognized that Equifax had failed to install an upgrade to Apache Struts software, which Apache had recommended around March 7, 2017, and was then flagged by the U.S. Computer Emergency Readiness Team as a security threat. The software underpinned an online portal that allowed consumers to dispute their credit report details.
• Used the flaw to upload code to an Equifax server that gave them remote access to the system.
• Uncovered Equifax database credentials and “thereby falsely represented that they were authorized users of Equifax’s network.”
• Searched the system about 9,000 times for sensitive personal information while hiding the searches through encryption.
• Stuffed the personal information in temporary files, compressed them and divided them into smaller-sized files to increase their chances of transmitting the stolen data without being noticed.
• Used about 34 servers in 20 countries during the breach and employed various other techniques, such as remote-desktop access and encrypted log-ins, to mask the origin of the hack.
• Deleted the compressed files after transferring the data into external storage and then configured settings to wipe out information tracking their activity.
The Apache Foundation – which oversees the widely-used open-source software that the hackers exploited to obtain access to Equifax servers – revealed in September 2017 that “the Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”
Equifax acknowledged at the time that the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
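The two facts the indictment and the Apache Foundation hang the breach on are that the exposed Struts release predated the fix for CVE-2017-5638 and that the exploit travelled in ordinary HTTP request headers. Below is an added illustration, not code from the indictment, Equifax, or Apache, of the two checks a defender could have run: a version check against the affected Struts ranges published in Apache’s S2-045 advisory, and a header inspection that flags the OGNL expression the vulnerable multipart parser evaluated. The request samples are constructed for the example; the portal path `/dispute/upload.action` and the header values are assumptions, not traffic from the breach.

```python
import re

# Struts 2 releases affected by CVE-2017-5638 (S2-045), as [lo, hi) ranges:
# 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]

# Request headers the Jakarta multipart parser copied into an error message
# that was then evaluated as an OGNL expression.
INJECTABLE_HEADERS = {"content-type", "content-disposition", "content-length"}

# An OGNL expression opener, plus strings that only appear when the expression
# is trying to escape the sandbox or start a process.
OGNL_EXPR = re.compile(r"[%$]\{")
OGNL_MARKERS = ("#_memberAccess", "OgnlContext", "#context",
                "ProcessBuilder", "java.lang.Runtime")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuple order gives (2, 5, 10) < (2, 5, 10, 1)."""
    return tuple(int(p) for p in text.strip().split("."))


def struts_is_vulnerable(version):
    """True if this Struts 2 version falls inside an S2-045 affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_ognl_injection(headers):
    """Inspect one request's headers; return a finding dict or None."""
    for name, value in headers.items():
        if name.lower() not in INJECTABLE_HEADERS:
            continue
        if not OGNL_EXPR.search(value):
            continue
        markers = [m for m in OGNL_MARKERS if m in value]
        return {"header": name, "markers": markers}
    return None


def scan_requests(requests):
    """Return the indexes of requests that look like S2-045 exploitation attempts."""
    return [i for i, req in enumerate(requests)
            if find_ognl_injection(req["headers"]) is not None]


# Constructed sample traffic (not real Equifax data, path is an assumption):
# one benign upload, one attempt in Content-Type, one in Content-Disposition.
SAMPLE_REQUESTS = [
    {"path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"}},
    {"path": "/dispute/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data')"
                                 ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
                                 ".(#_memberAccess=#dm).(#cmd='id')"
                                 ".(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}"}},
    {"path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=x",
                 "Content-Disposition": "${#context['xwork.MethodAccessor.denyMethodExecution']=false}"}},
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_is_vulnerable(ver) else "fixed")
    for i in scan_requests(SAMPLE_REQUESTS):
        print("suspicious request", i, find_ognl_injection(SAMPLE_REQUESTS[i]["headers"]))
```

The version check is the cheap control: a dependency inventory compared against the advisory’s ranges would have flagged the portal in March 2017. The header check is the compensating control for the window before a patch ships; a legitimate multipart upload never carries `%{` or `${` in Content-Type, so the rule can be run on reverse-proxy or WAF logs with few false positives.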
Equifax CEO Mark W. Begor said Monday in a statement that the company has made significant investments since the breach to bolster its data protection, including $1.25 billion for “enhanced security and technology” from 2018 to 2020.
“Our industry leading cloud technology transformation will make us more secure and enable us to innovate and develop solutions,” he said. “Today’s announcement is another positive step forward in helping us turn the page on the cybersecurity attack as we continue our focus on being a leader in data security.”
Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey.