The US Justice Department on Monday charged four members of China's People's Liberation Army in connection with the Equifax hack, one of the largest data breaches in US history.
The four alleged Chinese military hackers are listed as Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, according to the indictment. They are charged with computer fraud, economic espionage and wire fraud.
"This is the largest theft of sensitive [personally identifiable information] by state-sponsored hackers ever recorded," FBI deputy director David Bowdich said at a press conference on Monday.
The Chinese embassy denied that its government was behind the Equifax hack, and called out the US government for its history of hacking other nations for espionage, including China.
"The Chinese government, military and relevant personnel never engage in cyber theft of trade secrets," China's foreign ministry spokesperson Geng Shuang said on Tuesday. "It has long been an open secret that the US government and relevant departments, in violation of international law and basic norms governing international relations, have been engaging in large-scale, organized and indiscriminate cyber stealing, spying and surveillance activities on foreign governments, enterprises and individuals."
This is only the second time the Justice Department has indicted Chinese military hackers, Bowdich said. The, when the US charged Chinese hackers with theft from NASA and the technology sector.
In a statement, Equifax CEO Mark Begor thanked the Justice Department for its investigation and said it's increasingly difficult to protect companies from hacks by "well-financed nation-state actors that operate outside the rule of law."
"It is reassuring that our federal law enforcement agencies treat cybercrime -- especially state-sponsored crime -- with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government," Begor said. "The attack on Equifax was an attack on U.S. consumers as well as the United States."
The 2017 cyberattack on Equifax, and the hackers got access to names, Social Security numbers, birthdates and addresses. In July 2019, the credit-monitoring agency settled with the over its security failures.
"This data has economic value and these thefts can feed China's development of artificial intelligence tools as well as the creation of intelligence-targeting packages," Attorney General William Barr said.
At the time the hack was revealed,that the company failed to patch.
According to the indictment, the four hackers took advantage of the unpatched vulnerability and infiltrated Equifax's servers on July 30, 2017. The company, despite the fact that the vulnerability had been known about for at least two months.
A congressional committee said in a 2018 report that the hack was "."
On Monday, Sen. Mark Warner, a Democrat from Virginia, echoed that point.
"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax's systems and response to the hack," Warner said in a statement. "A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care -- and face any consequences that arise from that failure."
Sen. Ron Wyden, a Democrat from Oregon, also challenged the company over its security shortcomings.
"There's no separating privacy and national security," Wyden said in a statement. "When companies like Equifax amass vast stores of sensitive personal information and then cut corners on security, they become irresistible targets for unfriendly regimes like China."
Equifax has completelyand invested $1.25 billion in security improvements, according to Jamil Farshchi, the company's chief information security officer.
The Equifax security chief noted that the company continues to fend off attempted cyberattacks every day, and expects hacks to escalate in the future. He said that given how dedicated the Chinese military hackers were, a breach could still have happened even if the vulnerability had been patched.
"They're extraordinarily sophisticated," Farshchi said in an interview. "I would say that it's possible."
Once the hackers had access to Equifax's networks, they allegedly stole login credentials and sensitive personally identifiable information on Equifax's databases, as well as trade secrets, according to court documents. Prosecutors said the Chinese military hackers attempted to cover their tracks by using about 34 servers located in nearly 20 countries, including hosting services outside of China.
Court documents charged that the alleged hackers also used encrypted communications within Equifax's network to blend in with the company's normal activities.
Barr said the Justice Department normally doesn't bring charges against military officers of another country, but noted that there were exceptions, as in Equifax's case.
"Equifax's cooperation throughout the investigation was critical to our development throughout this case," Barr said.
You can read the indictment here:
Originally published Feb. 10, 7:10 a.m. PT.
Update, 7:23 a.m. PT: Includes more details on the alleged hackers.
Update, 7:34 a.m. PT: Adds details from the indictment.
Update, 8:18 a.m. PT: Includes statement from Equifax.
Update, 9:03 a.m. PT: Adds statement from Sen. Warner.
Update, 10:32 a.m. PT: Adds statements from Sen. Wyden and Equifax CISO Jamil Farshchi.
Update, Feb. 11, 6:28 a.m. PT: Adds response from Chinese government.