When Attorney General William Barr spoke on Feb. 10, 2020 about his department's recently announced indictment of four members of China's People's Liberation Army in connection with the massive 2017 Equifax breach, there was more to consider than yet another state-sponsored attack on a U.S. firm.
A Staggering Theft
For security experts, the hack that exposed the records of nearly 150 million Americans and set a new benchmark for losses associated with computer intrusions also laid bare how public- and private-sector organizations are struggling to learn the lessons of previous incidents.
“The scale of the theft was staggering,” said Attorney General Barr during a press conference on Feb. 10. In all, the indictment charges the four PLA members with nine counts: three counts of conspiracy (to commit computer fraud, to commit economic espionage, and to commit wire fraud), two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud. None of the four is likely ever to face these charges in an American court, since the U.S. has no extradition treaty with China. This is the second time the U.S. has charged Chinese military officers with crimes against American businesses.
A Case Study in Inadequate Security
The Equifax hack is a case study in the risks created by inadequate security hygiene and insufficient monitoring of an enterprise identity infrastructure. The breach enabled an invasion of the privacy of millions of Americans, as Barr described. But, as Barr himself noted, it is also a close cousin of the OPM breach, which came to light in 2015, and of the attacks on Marriott Hotels and other high-profile firms in recent years.
“For years we have witnessed China’s voracious appetite for the personal data of Americans,” Barr said, referring as well to the massive Office of Personnel Management (OPM) hack disclosed in 2015, in which 21.5 million records were stolen from the agency, largely personal data belonging to past and current government employees, including background check applications and supporting information. China has also been alleged to be behind the Marriott hotel chain breach disclosed in 2018 and the 2015 breach of American insurer Anthem.
Tactics Honed in Earlier Attacks
Those earlier incidents previewed many of the tactics and techniques used to compromise Equifax. The hackers started by targeting a public-facing IT asset, Equifax’s online dispute portal, getting in through a known Apache Struts vulnerability (CVE-2017-5638) for which a patch had been available for months but had not been applied. From there, the attackers conducted reconnaissance of the Equifax network and obtained login credentials that allowed them to move “laterally” across Equifax’s IT environment, extending their reach to more and more sensitive IT assets and data. Those included numerous databases storing personal information as well as internal documents and resources describing proprietary data compilations and database designs.
From at least mid-May 2017 to the end of July 2017, the state-sponsored hackers executed more than 9,000 queries in order to obtain data—including names, dates of birth and Social Security numbers—on nearly half of the American population.
Equifax’s string of cascading failures began with its failure to prioritize and patch the critical Apache Struts vulnerability. Successfully exploiting a web application flaw of this kind gives the attacker whatever privileges the web application’s own account holds on the underlying system, so it is crucial that organizations know which accounts are privileged and how far their reach and exposure extend. In Equifax’s case, the company stores data on just about every American household, and according to the U.S. Department of Justice the 2017 breach was also a national security threat, given China’s ability not only to monetize the data if it so chose, but also to target specific individuals for surveillance.
Similar behavior and similar security failings were observed in the 2015 breach of health insurer Anthem, which began with the compromise of a user account at an Anthem subsidiary. They were also evident in the OPM breach, in which intruders were active from 2013 until their discovery in 2015. That incident saw hackers steal user credentials from KeyPoint Government Solutions, an OPM contractor, before gaining access to OPM’s Active Directory forest and harvesting user and administrator credentials from memory on compromised systems.
In those cases, as with Equifax, the attackers installed so-called “backdoor” malware and began locating and siphoning sensitive data off the networks. In the case of OPM, that included data on U.S. government personnel, including background checks, fingerprint scans and personal information. The Anthem and OPM intrusions might have been prevented, or at least caught far sooner, with relatively inexpensive security investments such as multi-factor authentication for user accounts or improved monitoring tools to spot suspicious behavior within corporate networks.
Needed: Better Security Hygiene
"Organizations need to have good hygiene in their directory services, practice least privilege with access control, and gain visibility of the way credentials are used in their environment," said QOMPLX Co-Founder and Chief Technology Officer Andrew Sellers. "That way, they maximize their chances of detection (and of minimizing impact) if they are the victim of such an APT."
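The two monitoring gaps this article keeps returning to, a service account issuing thousands of bulk queries over weeks without anyone noticing, and stolen credentials turning up on hosts they had never been used from, are both cheap to detect once credential use is actually logged. The following is an added example, not code from Equifax, QOMPLX or the indictment: it learns a per-principal baseline from a few days of constructed history (a hypothetical pipe-delimited log format assumed here) and then flags hourly query bursts and first-seen hosts for a credential. The sample lines are constructed for illustration; the 40-query burst stands in for the 9,000-query pattern described above.

```python
"""Two behavioural detections over constructed log lines (added example).

Assumed, hypothetical log format, one event per line:
    <ISO-8601 UTC timestamp>|<event>|<principal>|<host>|<detail>
where event is "db_query" or "auth". This is not any real product's telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three quiet days of the dispute-portal service account
# querying from its own web host, then a burst of bulk queries issued with the
# same credential from a host it has never been seen on.
_NORMAL = """\
2017-05-10T08:55:00Z|auth|svc_portal|web-portal-01|logon ok
2017-05-10T09:00:11Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-10T09:30:44Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-10T10:02:05Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-11T08:50:00Z|auth|svc_portal|web-portal-01|logon ok
2017-05-11T09:05:12Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-11T11:40:01Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-12T08:58:00Z|auth|svc_portal|web-portal-01|logon ok
2017-05-12T09:10:33Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-12T13:00:02Z|db_query|svc_portal|web-portal-01|SELECT * FROM disputes WHERE id=?
2017-05-13T02:00:00Z|auth|svc_portal|dbadmin-jump-07|logon ok
"""
# 40 bulk queries within one hour, generated so the sample stays short.
_BURST = "".join(
    f"2017-05-13T02:00:{sec:02d}Z|db_query|svc_portal|dbadmin-jump-07|"
    "SELECT ssn, dob, name FROM consumers WHERE state=?\n"
    for sec in range(40)
)
SAMPLE_LOG = _NORMAL + _BURST

# Events before this instant are treated as known-good history.
TRAINING_END = datetime(2017, 5, 13, 0, 0, 0)


def parse(text):
    """Parse log lines into dicts sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, principal, host, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "principal": principal, "host": host, "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def _hour_bucket(ts):
    return ts.strftime("%Y-%m-%dT%H")


def learn_baseline(events, training_end):
    """Per principal: the busiest hour seen (query count) and every host used."""
    baseline = {}
    hourly = defaultdict(int)
    for e in events:
        if e["ts"] >= training_end:
            continue
        entry = baseline.setdefault(e["principal"], {"max_hourly": 0, "hosts": set()})
        entry["hosts"].add(e["host"])
        if e["event"] == "db_query":
            key = (e["principal"], _hour_bucket(e["ts"]))
            hourly[key] += 1
            entry["max_hourly"] = max(entry["max_hourly"], hourly[key])
    return baseline


def detect(events, baseline, training_end, factor=5):
    """Alert on (a) hourly query volume above factor x the principal's busiest
    historical hour and (b) a credential used from a host absent from history.
    A principal with no history alerts on any activity at all."""
    unknown = {"max_hourly": 0, "hosts": set()}
    alerts = []
    hourly = defaultdict(int)
    for e in events:
        if e["ts"] < training_end:
            continue
        known = baseline.get(e["principal"], unknown)
        if e["event"] == "auth" and e["host"] not in known["hosts"]:
            alerts.append(("new_host", e["principal"], e["host"], e["ts"].isoformat()))
        if e["event"] == "db_query":
            hourly[(e["principal"], _hour_bucket(e["ts"]))] += 1
    for (principal, bucket), n in sorted(hourly.items()):
        threshold = factor * baseline.get(principal, unknown)["max_hourly"]
        if n > threshold:
            alerts.append(("query_burst", principal, bucket, n, threshold))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect(evs, learn_baseline(evs, TRAINING_END), TRAINING_END):
        print(alert)
```

Run as-is, the script reports one `new_host` alert for `svc_portal` appearing on `dbadmin-jump-07` and one `query_burst` alert for the 40-query hour against a threshold of 10 (five times the busiest historical hour). Neither signal requires knowing the exploit in advance; both only require that authentication and database-audit events carry the principal and source host, which is exactly the "visibility of the way credentials are used" the quote above calls for. In production the baseline would be rebuilt on a rolling window and keyed on service accounts first, since those are the credentials a web-tier compromise hands to an attacker.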
China has long been accused of using state-sponsored computer intrusions and data theft for the economic benefit of Chinese companies. In September 2015, then-U.S. president Barack Obama and China’s president Xi Jinping forged the U.S.-China Cyber Agreement, which aimed to curtail Chinese economic espionage via hacking. That was two years before the Equifax breach. Barr said on Feb. 11 that about 80% of economic espionage prosecutions implicate the Chinese government, and that 60% of trade-secret theft cases involve some connection with China.
In the short term, the incidents have been damaging to the reputation of the breached organizations, and expensive. Equifax paid more than $1 billion in breach-related costs in 2019 alone, even as government investigations and customer and shareholder lawsuits loom.
The cost to the security of the U.S., its military, and its citizens may be even greater. “This type of theft feeds China’s development of artificial intelligence tools and the creation of intelligence targeting packages,” Barr said, citing earlier attacks alleged to have been carried out by PLA hackers against nuclear power, metals manufacturing and solar product firms. “This is a pattern of state-sponsored computer intrusions targeting trade secrets and personal information by China.”