The US Department of Justice on Monday announced it has indicted four members of the Chinese military with hacking into the computer systems of credit monitoring firm Equifax in 2017 and stealing the personally identifiable information of nearly 150 million Americans.
The government alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the People’s Liberation Army Research Institute, a branch of the Chinese military, and conspired to hack into Equifax’s networks, maintain access to the computers and steal sensitive information.
Specifically, the indictment claims the defendants exploited a vulnerability in the Apache Struts Web Framework software to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to delve deeper into the network. The group reportedly spent several weeks analyzing Equifax’s database structure before collecting and compressing the files they were after, splitting them up and copying them onto computers outside of the US.
The defendants are also charged with stealing trade secrets regarding Equifax’s data compilations and database design.
Attorney General William P. Barr, who made the announcement, described the attack as a deliberate and sweeping intrusion into the private information of the American people.
Equifax CEO Richard Smith resigned shortly after the incident. In 2019, the company settled the matter with the Federal Trade Commission.
All told, the defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud. They are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage and three counts of wire fraud.