Chinese military personnel charged for hacking into Equifax

This kind of charging of specific foreign military or intelligence personnel for hacking US institutions is somewhat controversial in the US intelligence community [1].<p>Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.<p>Another worry is that indicting people might give away information information about your sources and methods.<p>[1] <a href="https:&#x2F;&#x2F;www.mcclatchydc.com&#x2F;news&#x2F;nation-world&#x2F;national&#x2F;national-security&#x2F;article205363554.html" rel="nofollow">https:&#x2F;&#x2F;www.mcclatchydc.com&#x2F;news&#x2F;nation-world&#x2F;national&#x2F;natio...</a>

From the article:<p>&gt;<i>The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke(许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military.</i><p>How were they identified exactly? I&#x27;m always fascinated with these DOJ indictments of foreign state actors but I&#x27;m always left wondering how they managed to narrow it down to a small group of people. I&#x27;m guessing that &quot;PLA’s 54th Research Institute&quot; employs thousands of people so how does the FBI&#x2F;DOJ identify the culprits so precisely? Is it through CIA&#x2F;NSA spying and moles inside the PLA?<p>You don&#x27;t see foreign governments identifying individual NSA employees when the NSA hacks into something... so how does the DOJ do it?

I am still waiting for Equifax leaders to be charged for their negligence. They failed to keep their software up-to-date [1], while storing sensitive information about millions of US citizens.<p>[1] <a href="https:&#x2F;&#x2F;techbeacon.com&#x2F;security&#x2F;why-equifax-breach-should-never-have-happened" rel="nofollow">https:&#x2F;&#x2F;techbeacon.com&#x2F;security&#x2F;why-equifax-breach-should-ne...</a>

<i>According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.</i>

Holy shit did not see that coming. Was sure it was some hackers out looking to sell info on dark web. Chinese government gives it a whole different motivation.

I think criminal charges against specific government hackers will probably become the norm, since no power is likely to stop hacking other powers yet no powers are too keen to start a war over it. If you&#x27;re a government hacker, I wouldn&#x27;t plan on taking any overseas vacations for the rest of your life.

Wasn&#x27;t Equifax the one that had admin&#x2F;admin as password and leaked most of its data because of complete incompetence?

The US needs to treat this as an act of war by a foreign military&#x2F;government, not as a criminal act by people acting in an individual capacity.<p>If the US can identify the individual hackers, then they should be able to identify the physical location from which the military committed the acts of war and respond with the use of force as permitted by the UN Charter and international laws and norms. By responding with grand jury indictments the US sets a terrible and dangerous precedent and is telling foreign governments the US will not do anything in response to military based acts of cyber warfare.

The indictment is linked at the bottom of the page and has interesting technical details.<p>Even more interesting is the question of how the named individuals were identified, which is not addressed in the indictment. The indictment also includes photos of three of the people indicted. This comes across as a shot across the bow to show China that the US govt can identify the individual people doing these things.

This is nuts.<p>a) They are charged with conspiring <i>with each other</i> to this, but simultaneously b) &quot;fits a disturbing and unacceptable pattern of state-sponsored computer intrusions&quot;, and in the process they managed to commit c) &quot;conspiracy to commit wire fraud&quot;<p>None of those 3 things make any sense in the face of the others. How is doing this kind of things even legal?

I remember a opinion piece claiming hackers might have piercings, tattoos, neon colored hair, which doesn’t jive well with (U.S.) government agencies where people wear suits.<p>I’m curious if there is concrete data breaking down whether recruiting for cyber security roles in the public sector is constrained by culture, compensation or something else.

&gt; They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity<p>How cool is that. They have been able to grab and correlate netflow from across <i>20 countries</i>.

The problem with being a political &quot;hack&quot; and repeatedly lying is that it creates doubt when you might be telling the truth. With William Barr&#x27;s name on this, it is weaker.

I don&#x27;t really consider this a &quot;hack&quot;, I mean Equifax left the door wide open.

&gt; <i>The defendants are charged with three counts of conspiracy to commit computer fraud.</i><p>It&#x27;s almost literally the job description of military personnel to conspire to cause mayhem abroad.

Hacking. More like shooting fish in a barrel with what we know today

It&#x27;s all about timing with public relation messages.

Isn&#x27;t this one of those cases that is never going to court?<p>Similarly to the Russian military intelligence officers that were indicted in the Muller investigations?

Well when China takes over the US, and they implement their personal credit score here, they&#x27;ll already have the profiles for the database!

Can anyone comment on what kind of damage the Chinese might be able to do with this type of data on American citizens?

And nothing will happen because no one in the US government has the cajones to do anything about it.

Just curious. How much faith do Americans have in current DOJ’s credibility after the whole Trump impeachment show and Barr’s political driven handling of Muller report? To me I believe the current DOJ can make political allegations with very weak evidence or even with no evidence at all. I am sure China would say show us the evidence and we all know it’s not gonna happen.

I wonder what Snowden thinks?

It doesn’t matter at all <i>who</i> “hacked” it, these companies are committing slander against Americans and facilitating fraud en mass.<p>The model itself is fundamentally flawed and this hack won’t be the last or the worst.

would just like to merely point out that we could use public key cryptography to solve the problem of identity theft.

Business as usual with Chinese, hope you consider an proper act of aggression

and then everyone gives away daily info in tik tok like its no big deal, but the chinese govt has everything they need now lol.

Amazed to see the US attribute anything to China instead of the usual transparent lie that North Korea was responsible

If true this is a giant failure of Chinese intelligence. It just shows how far ahead the US is that they&#x27;re able to charge specific people. The PLA needs to upgrade its capabilities if they don&#x27;t want to stay an embarassment.