The Chinese military personnel are accused of using a flaw in Equifax’s online dispute portal to gain access to the Equifax system and have been charged on nine counts.
The charges were filed in Atlanta (at the U.S. District Court for the Northern District of Georgia), and a federal grand jury has indicted the four personnel on nine counts. The people named in the case are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. They allegedly hacked into the Equifax system and retained their unauthorized access to it to steal the information of about 145 million Americans.
Attorney General William P. Barr, announcing this development, characterized it as a “brazen heist.”
“This was a deliberate and sweeping intrusion into the private information of the American people,” Barr said. “Today, we hold PLA [People’s Liberation Army] hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets and other confidential information,” he said.
Access gained through flaw in online dispute portal
The government alleges the defendants gained initial access to the Equifax system using a flaw in its online dispute portal. This allowed them to get login authorization to further explore the Equifax network. They then ran queries for several weeks to obtain sensitive information.
After accessing the information, they stored it in temporary files, compressed and divided the files, and were able to download them to computers outside the U.S. The government also alleges that the defendants stole Equifax’s trade secrets.
The charges against the defendants include:
- Conspiracy to commit computer fraud
- Conspiracy to commit economic spying
- Conspiracy to commit wire fraud
- Unauthorized access to a protected computer
- Purposeful damage to a protected computer
- Economic espionage
- Three counts of wire fraud
The Federal Bureau of Investigation was also involved in the investigation.
David Bowdich, FBI deputy director, said, “Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are or what country’s uniform they wear.”