The U.S. Department of Justice announced this week that four members of the People’s Liberation Army have been charged for the 2017 hacking of consumer credit reporting agency Equifax, making the 2017 attack the latest major data breach believed to be linked to China. None of the four alleged members of the PLA are in U.S. custody, and all are believed to be living in China. The hacked data included names, birth dates, and Social Security numbers of over 145 million Americans, nearly half of the U.S. population. At The New York Times, Katie Benner reports, providing context about other recent PLA cyberattacks, and noting suspicion that the targeting of personal data on private American citizens and government officials is part of Beijing’s greater strategy to expand global influence:
The indictment suggests the hack was part of a series of major data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target American intelligence officers and other officials, Attorney General William P. Barr said.
[…] “This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Mr. Barr said at a news conference announcing the charges, citing China’s theft of records in recent years from the government’s Office of Personnel Management, Marriott International and the insurance company Anthem.
[…] Over time, China can use the data sets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be primed for future grooming and recruitment, John C. Demers, the assistant attorney general for national security at the Justice Department, said in an interview. [Source]
This is the second time the DOJ has indicted PLA members on hacking charges. In 2014, the DOJ charged five military officials with the theft of sensitive trade secrets and internal communications. In February 2013, the information security firm Mandiant had also linked hacking campaigns to the PLA and described Unit 61398, the PLA division to which the U.S. alleged the five officials indicted in 2014 belonged.
At The Washington Post, Devlin Barrett and Matt Zapotosky provide further details on the specifics of the new indictment, and report on denials of the charges from China’s foreign ministry:
In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of the People’s Liberation Army hacked into Equifax’s systems, stealing the personal data as well as company trade secrets. Attorney General William P. Barr called their efforts “a deliberate and sweeping intrusion into the private information of the American people.”
[…] In Beijing, Chinese Foreign Ministry spokesman Geng Shuang flatly denied the charges. “The Chinese government, military and relevant personnel never engage in cybertheft of trade secrets,” he said, and he accused the United States of having a “double standard” on cybersecurity.
“According to plenty of information that has been made public, U.S. agencies have been engaging in cyber intrusion, surveillance and monitoring activities on foreign governments, institutions, enterprises, universities and individuals, including on its allies,” Geng said. “China is also a victim of this. We have lodged stern representations to the U.S. and asked it to make explanations and immediately stop such activities.” [Source]
The data can be used by China to target U.S. government officials and ordinary citizens, including possible spies, and to find weaknesses and vulnerabilities that can be exploited — such as for purposes of blackmail. The FBI has not seen that happen yet in this case, said Deputy Director David Bowdich, though he said it “doesn’t mean it will or will not happen in the future.”
Such hacks “seem to deliberately cast a wide net” so that Chinese intelligence analysts can get deep insight into the lives of Americans, said Ben Buchanan, a Georgetown University scholar and author of the upcoming book “The Hacker and the State.”
“This could be especially useful for counterintelligence purposes, like tracking American spies posted to Beijing,” Buchanan said. [Source]
At Wired, Brian Barrett and Lily Hay Newman dig deeper into the indictment to describe the DOJ’s account of how the four accused hackers carried out the breach:
On March 7, 2017, the Apache Software Foundation announced that some versions of its Apache Struts software had a vulnerability that could allow attackers to remotely execute code on a targeted web application. It’s a serious type of bug, because it gives hackers an opportunity to meddle with a system from anywhere in the world. As part of its disclosure, Apache also offered a patch and instructions on how to fix the issue.
Equifax, which used the Apache Struts Framework in its dispute-resolution system, ignored both. Within a few weeks, the DOJ says, Chinese hackers were inside Equifax’s systems.
The Apache Struts vulnerability had offered a foothold. From there, the four alleged hackers—Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei—conducted weeks of reconnaissance, running queries to give themselves a better sense of Equifax’s database structure and how many records it contained. On May 13, for instance, the indictment says that one of the hackers ran a Structured Query Language command to identify general details about an Equifax data table, then sampled a select number of records from the database.
Eventually, they went on to upload so-called web shells to gain access to Equifax’s web server. They used their position to collect credentials, giving them unfettered access to back-end databases. Think of breaking into a building: It’s a lot easier to do so if residents leave a first-floor window unlocked and you manage to steal employee IDs. [Source]
At The Atlantic, Robert D. Williams of Yale Law School’s Paul Tsai China Center notes that, as with the 2014 indictment, the men charged are all in China and highly unlikely to stand trial. Williams then challenges the theory that the U.S. uses public indictments as a deterrent, observing that they have failed to reduce Chinese state-sponsored hacking, and argues that policies encouraging firms to adopt basic cybersecurity would be more effective:
As the Harvard law professor Jack Goldsmith and I have argued before, if deterrence is the measure of success, the United States’ Chinese-hacking indictment strategy has all the earmarks of a spectacular failure. A raft of media and government reports suggests that China’s state-sponsored cybertheft has not meaningfully diminished in response to the U.S. indictment campaign. This shouldn’t come as a surprise: The costs to China of being “named and shamed” are almost certainly dwarfed by the billions of dollars of value obtained from pilfering U.S. technologies and the untold intelligence benefits of cultivating a massive database on American citizens.
[…] Maybe indictments serve a more precise signaling function by temporally linking U.S. “disrupt and degrade” operations to the (indicted) activities they aim to counter. The United States and China are immersed in a cybersecurity dilemma in which all sides are at pains to distinguish acts of preemption and retaliation. Concepts of cyber offense and defense are blurry at best. Thus, the signaling effect of an indictment followed closely by a disruptive cyberattack could potentially help avoid misperception and mitigate escalation risks. But the opposite could also be true. If perceived by China as part of a coordinated “whole of government” effort to thwart China’s rise, indictment plus disruption could aggravate the dangers of an escalation spiral. Has the U.S. factored these considerations into its strategy?
Ultimately, efforts to discern the calculus behind the Chinese-hacking indictments are necessarily speculative and perhaps less illuminating than the simplest version of reality: that indictments are one of the few tools a vulnerable United States is willing to employ to show the public that it is “doing something” about persistent cyberthreats. It is fair to wonder whether and when the resources being devoted to this effort will be complemented by equally energetic policies to incentivize companies to adopt the basic cyber hygiene that could have prevented the Equifax breach in the first place. [Source]