WASHINGTON – The Justice Department announced charges on Monday against four members of China's armed forces on suspicion of hacking Equifax, one of the country's largest credit reporting agencies, and stealing trade secrets and the personal data of some 145 million Americans in 2017.
"This was a deliberate and radical intrusion into the private information of the American people," said Attorney General William P. Barr.
The charges underscored China's search for the personal data of Americans and its willingness to breach a 2015 agreement with the United States to refrain from hacking and cyber attacks, all in an effort to expand power and economic influence.
The indictment suggests that the hack was part of a series of major data thefts organized by the People's Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better attack US intelligence officers and other officials, Barr said at a press conference announcing the charges.
The stolen information from Equifax, based in Atlanta, could reveal whether an American official is under financial stress and is therefore susceptible to bribery or blackmail.
Although it was not as large as other major breaches, the attack on Equifax was much more severe. Hackers stole the names, birth dates and Social Security numbers of almost half of all Americans, data that can be used to access information such as medical records and bank accounts.
"This type of attack on American industry is part of other Chinese illegal acquisitions of sensitive personal data," Barr said in announcing the charges at the Department of Justice, citing China's theft in recent years of records from the government's Office of Personnel Management, Marriott International and the Anthem insurance company.
The biggest of those breaches was the theft in 2015 of approximately 22 million security clearance files from the government personnel office, which tracks federal employees and contractors.
It quickly became clear that the data had significant value for the Chinese government: US officials with security clearance, including some of the most important members of the government, had to reveal foreign contacts, relationships that include extramarital affairs, medical records and information about their children and other family members.
The breach was so serious that the C.I.A. had to cancel assignments for undercover officers who planned to go to China; although the agency did not send its employees' information to the personnel office, these people were often undercover as State Department or other government officials.
Then it got worse. The hacks of the Anthem database and Starwood hotels, later taken over by Marriott, seemed to be orchestrated by the same or related Chinese groups. The United States assessed that China was building a vast database of who worked with whom in national security jobs, where they were traveling and what their health records were, according to US officials.
Over time, China can use the datasets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be primed for future grooming and recruitment, John C. Demers, the assistant attorney general for national security at the Department of Justice, said in an interview.
The charges marked only the second time that the Department of Justice has accused Chinese military officers of hacking. In 2014, five Chinese military officers were accused of stealing data from a labor union, critical infrastructure and businesses, including US Steel.
The Justice Department rarely secures indictments against members of foreign military or intelligence services, in part to avoid reprisals against US troops and spies, but Barr said he has made exceptions for state-sponsored actors who hacked US networks to steal intellectual property or interfere in the elections of the United States.
In 2015, President Barack Obama and President Xi Jinping of China agreed to curb cyber attacks for economic reasons, to cooperate with cybercrime investigation requests and to avoid attacking critical infrastructure in other countries.
While Justice Department officials do not believe that economic espionage was the main objective of the Equifax hack, Demers said the attack could be seen as a violation of the spirit of that agreement.
"China sees economic interests and intelligence interests as one and the same," he said. "Commercial benefits are national security benefits in China."
The indictment shows that, in addition to signing treaties and adopting certain conventions, the United States must also be willing to publicly identify and prosecute state actors in criminal cases, said Megan Brown, leader of the cyber and privacy practice at the law firm Wiley Rein.
"This is how we will handle international standards: accusing people, not just negotiating treaties and adopting conventions," she said.
The nine-count indictment accused the Chinese military of hacking Equifax's computer networks, maintaining unauthorized access to them and stealing sensitive and personally identifiable information about Americans.
Months before the attack, the government warned Equifax that its network contained a vulnerability, but the company did not patch it, according to government documents. The hacking was "completely preventable," a study by Congress concluded in 2018.
The defendants, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all members of the People's Liberation Army, exploited that weakness in May 2017 to enter the network, carry out weeks of surveillance and steal the login credentials of Equifax employees before stealing trade secrets and data. They masked their activity by using encrypted communications and routing their Internet traffic through 34 servers in almost 20 countries, including Switzerland and Singapore, according to prosecutors.
For the most part, they managed to erase their footprints within the Equifax network. But investigators finally tracked their activity to two China-based servers that connected directly to Equifax.
Investigators identified the four accused officers by reviewing forensic data, analyzing the malware used in the attack and establishing a fingerprint that linked them to the intrusion, said David Bowdich, deputy director of the F.B.I., at the press conference.
In the months after the Equifax hack, security investigators concluded that criminals, not state actors, had siphoned off the information over a few months after obtaining access to the network. That alone was enough to force the resignation of the company's chief executive.
But that explanation seemed increasingly suspicious over time because the Equifax data, like the information obtained from the Office of Personnel Management, did not generally appear for sale on the so-called dark web, where illegally obtained information is sold for use in cybercrime.
Law enforcement officials have not yet found evidence that the Chinese government has used data from the Equifax hack, Bowdich said.
The company reiterated on Monday the difficulty of avoiding state-sponsored attacks. Companies often resort to that explanation; Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, rejected the statement after the indictment was made public.
"A company in the business of collecting and retaining massive amounts of confidential personal information from Americans must act with utmost care and face any consequences arising from that failure," he said in a statement.
The hackers' encryption of their operations within Equifax's networks is a common technique, and it has raised new questions about why encrypting such sensitive data in US databases is not legally required, experts said. Many companies have resisted such regulation, in part because encrypted data may be more difficult to search.
China "has pioneered an expansive approach to steal innovation," said Christopher A. Wray, director of the F.B.I., last week at a conference on threats posed by China.
He said China was competing to obtain information on sectors as diverse as agriculture and medicine to advance its economy, using a combination of legal means such as company acquisitions and illegal acts such as espionage and cyber attacks.
"They have shown that they are willing to move up the economic ladder at our expense," said Wray.
The outcry from consumers and legislators after the breach and the company's clumsy response was strong: Equifax and its executives were punished and the company finally reached an agreement with regulators for up to $700 million.
But just over 10 percent of the 147 million affected consumers had requested some type of compensation as of December 1.
Of these, more than 4.5 million had submitted claims for a cash payment of up to $125, one of the settlement options. But the company set aside only $31 million for the cash option, which equals less than $7 per person.
While thefts pose a national security risk, Americans "have almost become immune to these violations," Bowdich said.
"You hear it in the news and you think, 'Well, there goes my credit card number, my Social Security number, my bank account information,' and you sign up for another year of free credit card monitoring information," he said. "We can't think like this in this country."
David E. Sanger contributed reporting from Washington, Nicole Perlroth from San Francisco and Tara Siegel Bernard from New York.