China Security

Justice Dept. Charges China-backed Hackers Over Equifax Breach (techcrunch.com) 54

U.S. prosecutors have charged four hackers said to be working for the Chinese military for the 2018 cyberattack at Equifax, which led to the theft of more than 147 million credit reports in a massive data breach. From a report: Attorney general William Barr accused the four members of the Chinese People's Liberation Army of hacking into the credit giant over a period of several months. The nine-charge indictment was announced Monday against Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei. "This is the largest theft of sensitive PII by state-sponsored hackers ever recorded," said FBI deputy director David Bowdich. Equifax revealed the data breach in September 2017, months after it discovered hackers had broken into its systems. An investigation showed the company failed to patch a web server it knew was vulnerable for weeks, which let hackers crash the servers and steal massive amounts of personal data.
  • by Arthur, KBE ( 6444066 ) on Monday February 10, 2020 @11:20AM (#59711112)
    What compensation am I entitled to from the Chinese 2nd People's Liberation Army?
  • nabbing those 4 guys from China...

  • China already stole everything the OPM had on me and a few million others. The Equifax hack was -nothing- compared to that. I was offered a year's free credit checking from the OPM. Thanks guys! China now has my fingerprints and everything else.
    • I refused to accept their offer, and refused to opt out, and so I was unilaterally offered free credit monitoring for as long as I stay with the same bank.

      It sounds like you didn't understand your negotiating position. ;)

      • You don't understand. Sorry, I made a bad assumption about everyone knowing who OPM is.
        OPM isn't a bank. It's the Office of Personnel Management. Basically, it is HR for the Federal government. Since I had to undergo a security clearance check, fingerprinting, FBI background check, etc, they had pretty much EVERYTHING on me and all those other people.

        My negotiating power was exactly zero. IIRC, the letter did sort of say "sorry, not sorry!" But that was as close as they got to giving a shit.

        China now
    • My theory is this Equifax breach data actually is being used on the same project as the OPM dataset. The 54th Research Institute pretty much owns the "China Electronics Technology Group Corporation", who (in 2016) was tasked with "developing software to identify potential terrorists; using data on jobs, hobbies, consumption habits, and other behaviors." A year later and 150+ million people's jobs, consumption habits, etc is stolen by the 54th. CETC is also the one running the Social Credit System in China.
  • by kiviQr ( 3443687 )
    Where do I check my social score? To get the best score, do I have to post praises in social media in Chinese or can I use English?
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Monday February 10, 2020 @11:36AM (#59711222) Homepage

    who did not bother to ensure that a known vulnerability was patched months after a fix was available?

    • by geek ( 5680 )

      Executives don't patch systems

      • Executives don't patch systems

        No: but they should understand enough to know that application of patches needs to be done. So they must ensure that it is done. The buck stops with them, which is why, supposedly, they are paid large salaries.

    • What about the Board that picked some music major to be the chief of cyber security?
      • If you're relying on what you learnud in skool to manage your computer security, that already implies you don't read the manual, don't have any clue what the current state of the art is, and are hazardous to the process.

    • Many of them were canned, actually. People on Slashdot love to claim that none of the executives ever got in trouble because there weren't big headlines when the hammer came down on the individuals involved, but the truth of the matter is that...
      - Their CEO at the time, Richard Smith, was forced to resign within weeks of the disclosure
      - Their CIO, David Webb, was canned immediately after the hack was disclosed
      - Their CSO, Susan Mauldin (who had a Music major and apparently no technical experience), was cann

  • by Anonymous Coward
    Link: https://www.justice.gov/opa/pr... [justice.gov]

    The details contained in the charging document are allegations. The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    Sounds like they don't need any facts or evidence judging by the responses.

    • I honestly don't know what information I should trust anymore.
      China isn't trustworthy.
      And the United States has dropped all pretense of being the responsible country in the world. So they are just as prone to outright lying too.
      Any news source I follow has a political bias, in which I cannot trust, and social media is pure crap.

      Don't trust any government,
      Don't trust the media,
      Don't trust companies,
      Don't trust not-for-profit,
      Don't trust schools and universities....

      For some things I can collect the data myself

      • You're not wrong. 'Truth' and 'facts' don't have set-in-stone definitions anymore.
        Now you know why so many people are dying of fentanyl overdoses, and why zoomers and millennials avoid anything that makes them put down roots: they're in fight-or-flight all the time because the entire world is hostile to them, they can't count on anything or anyone to not fuck them over, and owning anything like a house or a car, so far as they're concerned, just slows them down when they have to grab their 'go bag' and run
      • Trust The Computer. The Computer is your Friend. Not trusting The Computer is treason. Treason is punishable by death. If you do not trust The Computer, please proceed directly to your nearest available Termination Booth. Have a great day, Citizen!
  • Comment removed based on user account deletion
    • by Cederic ( 9623 )

      The real guilty ones are the ones not patching the server.

      Well, that's all of us then. I didn't patch the server either.

      Or maybe you've just never worked for a large organisation and don't understand the complexities involved.

      If anything these 4 are guilty of entering a house where they left the door open

      Oh, victim blaming. Classy.

    • by GoTeam ( 5042081 )
      Honestly, I feel like this would be more like someone coming in an unlocked or open window. Either way, the true fault falls on the people who knew that the patch should have been applied, which you covered nicely.
    • Things were taken illegally. That is still theft. BUT, because we do not hold criminal executives accountable, then this will continue.
    • The real guilty ones are the ones not patching the server.

      Uh, they used admin/admin to secure a web portal.

      Please tell us where the "patch" is for Fucking Stupid. Intelligent humans really want to know.

      • That's not what happened at all. The perpetrators uploaded a specifically crafted file into the Equifax dispute resolution site, using its allowance for disputers to provide evidence to have specific credit report items removed. This specially crafted file exploited their unpatched Apache Struts parser called Jakarta. It had absolutely nothing to do with any credentials for the portal itself. They could have had the most intrusive MFA on the portal, and this exploit would still have allowed access.
    • You enter a house with the door open without being invited in, in most areas you can be legally shot by the owner.
      Also if you enter the house, sift through the paperwork and copy the data, you are stealing the data, just not the physical papers, as what is stolen is intellectual property (stuff that I know that I don't want you to know).

      Yes, companies should be held responsible for data breaches; however, the hackers are not innocent, and actually deserve the brunt of the punishment.

  • Was the data actually leaked or distributed?

    • IMHO it's most likely being used as part of a baseline dataset for their Social Credit System, as the 54th runs CETC, who runs the SCS. They are probably using it to ferret out Chinese citizens whose habits stray too far from a "normal consumer". If my theory is true, it will probably never be leaked...and is probably in a more secure location now than it was before LOL
  • Indictments for mass-sells of personal data to the government (US) collected by the apex social media and Google.

  • by ZombieCatInABox ( 5665338 ) on Monday February 10, 2020 @12:00PM (#59711336)

    Why just these four individuals? If this hack was "state-sponsored" as Mr Bowdich claims, then why doesn't the indictment include president Xi Jinping?

    Isn't an act of aggression committed against a country, committed under orders of the leader of a foreign nation, what we call an act of war? If China has committed an act of war against the US, then why doesn't the US do what is supposed to be done in these cases, which is recall its ambassador and all diplomatic staff, close all embassies, sever all diplomatic relations, and order all US economic entities and businesses to pull out of the country?

    Always bowing down to the leaders of a genocidal murderous repressive totalitarian regime and avoiding offending them so you can keep doing "business" with them is not diplomacy, it's hypocrisy and cowardice.

    • Yes, it's an 'act of war', technically speaking.
      However if you're expecting we respond with military force then you're going to be disappointed, because only a total madman would do that. There is such a thing as a 'proportionate response' and using military force is not 'proportionate' in this case.
      An all-out war between superpowers in the year 2020 would more-or-less end civilization as we know it on this planet. We have nukes, China has nukes, and between us we could make this planet uninhabitable. Eve
    • Not if they are using it for their internal AI algorithms in developing their Social Credit System. Technically, if so, then they aren't actually using the breach data against the US, but against their own citizens.
  • by WindBourne ( 631190 ) on Monday February 10, 2020 @12:19PM (#59711414) Journal
    They are Criminal in not protecting data.
  • I sort of blame Equifax, maybe more than China.
    Chinese hackers did what everyone expected of them.
    Equifax?
    I'd like to think that effective security from Equifax is something we should expect of them.

  • The 'why' is obvious: with that data, you could potentially destroy the economy of the United States, by destroying the lives of more than 50% of its citizens. Totally in character for the Chinese government.
    Just this news alone could cause mass panic. Imagine everyone pulling all their money out of U.S. banks, like they did when the Great Depression started. That alone would wreck our economy.
  • ....how much jail time are the real criminals here, Equifax management, doing?
  • it seems to me that at least equifax had some business holding the data they gathered. I get annoyed when I see so many places collecting and presumably storing data they have no business retaining.
  • by twocows ( 1216842 ) on Monday February 10, 2020 @02:29PM (#59712208)
    I was one of probably like three people who actually opted for the identity theft services as the payout from the class action. I figured the extra peace of mind would probably benefit me more than the $2 check I was likely to get after everyone else applied for the money.

    That was like a year ago or so now? I haven't heard anything since then. Anyone know if they're just still working on it or something?
  • So China was responsible for SMB/CIFS shares being accessible from the internet and non-IT personnel using admin accounts? I love bashing China (well, its government) as much as anyone, but seriously, management/IT dept incompetence (see above) does not need any possibly hostile government involvement
    • by gweihir ( 88907 )

      Indeed. If these Chinese had anything to do with the attack at all, all they did was walk in an invitingly open door.

    • This breach was done via a specially crafted file that broke the Struts parser and allowed arbitrary code execution. Specifically "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Ty
  • I mean, long-term unpatched Internet-facing servers are basically an invitation. No actual "hacking" was required to get in. Also, no or broken internal network segmentation, no DLP, no anomaly-detection, essentially nothing. Negligence does not get more gross than this.
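
The affected ranges quoted in the thread above (Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) can be turned into an inventory check for unpatched deployments. This is an added example, not part of the original discussion; the Maven-style jar naming pattern and the sample paths are assumptions constructed for illustration.

```python
import re

# Fix versions per branch, exactly as quoted in the thread:
# 2.3.x before 2.3.32, and 2.5.x before 2.5.10.1.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Assumption: jars keep their Maven-style name, e.g. struts2-core-2.3.31.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version):
    """True if the version is on a listed branch and below that branch's fix."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # branch is outside the ranges quoted in the thread
    # Tuple comparison treats a shorter prefix as smaller, so
    # (2, 5, 10) < (2, 5, 10, 1) and 2.5.10 is correctly flagged.
    return v < fixed

def audit(paths):
    """Return {path: version} for every affected struts2-core jar."""
    findings = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match and is_affected(match.group(1)):
            findings[path] = match.group(1)
    return findings

# Constructed sample inventory; these paths are made up for illustration.
SAMPLE = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app5/WEB-INF/lib/struts2-core-2.3.20.1.jar",
    "/opt/app6/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version in audit(SAMPLE).items():
        print(f"AFFECTED {version:10} {path}")
```

A filename match is only a first pass: renamed or repackaged jars will not be caught, so a clean result here does not prove a host is patched.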
