The US Department of Justice announced in February 2020 that it had charged a team of hackers from the Chinese military with the 2017 attack on credit reporting giant Equifax.
In what may be the most significant hack in history, the People's Liberation Army hackers are believed to have stolen the personally identifiable information (PII) of roughly 147.9 million people.
The mechanics of the breach have been known since late 2017: the attackers exploited a publicly reported vulnerability (CVE-2017-5638) in the Apache Struts open source framework, which Equifax used for its consumer dispute portal. The indictment was nonetheless newsworthy for a couple of good reasons.
First off was the revelation that the attack was carried out by a team of only four hackers, which is impressive on its own. Second was confirmation — or the closest thing to it — of what many in the infosec community have been thinking for some time, that the Equifax hack was not the work of criminals, let alone script kiddies, doing it for the lulz. Instead it was the latest in a string of intelligence operations carried out by the Chinese government against the United States. But more on that later.
A Blast from the Not So Distant Past
When Equifax finally announced in September 2017 that it had suffered a breach leading to the massive theft of data, the story went from bad to worse. The report that the company had been hacked through an open source component, Apache Struts, was followed months later by news that at least one former executive had been charged with insider trading for selling stock before the breach was disclosed.
The attackers had used a known vulnerability to gain access to Equifax's servers and move laterally within the network, stealing credentials and data as they quietly exfiltrated the pilfered information back to base.
While every data breach is embarrassing for a company, many saw Equifax's failure as bordering on negligence, because the vulnerability had been publicly disclosed on March 7, 2017 and fixed Struts releases were available the same day. US-CERT sent Equifax an alert the next day, and Equifax's own security team circulated it internally, telling system owners to patch any vulnerable web servers within 48 hours.
Unfortunately, Equifax had no accurate inventory of where Struts was deployed, and the scan it later ran for vulnerable instances failed to flag the portal, so the vulnerable servers were missed.
The hackers exploited those servers starting in May and, over the weeks that followed, quietly made off with the largest trove of high-value personal data reported up to that point.
The breach was not announced until September 7 of that year, and it stayed in the primetime news as many previously unaware Americans woke up to the consequences of a hack against a massive data collection company like Equifax.
Meanwhile, law enforcement and the infosec community waited to see who would put the stolen social security and credit card numbers up for sale. The data never surfaced on criminal markets, and something far more interesting was underway, from an unexpected source.
A Drawn Out, Coordinated Campaign
Taken on its own, Equifax was a monumental hack. However, when put into the context of a coordinated, multi-pronged intelligence gathering operation by the Chinese government, it becomes even more impressive and concerning.
Looking back over the past decade or so, the breaches of the US Office of Personnel Management (OPM), the health insurer Anthem, Marriott's Starwood hotel chain and then Equifax have all been attributed by US officials or security researchers to Chinese state actors, and together they read as an effort to build a comprehensive profile of Americans.
With each hack, China's intelligence services, such as the Ministry of State Security (MSS), gained new layers of data that help them identify US government employees likely to be involved in intelligence or other sensitive work. As China amasses such information, it can constrain US espionage inside China, which in turn reduces visibility for US decision makers and strategic planners.
For years now, there have been warnings and media reports detailing the risk of attacks by hackers working for the Chinese government or with its backing. Beyond US government targets, these APT groups are regularly linked to corporate ones as well, most often for industrial espionage that gives Chinese companies a competitive edge by stealing technology on a truly disturbing scale.
Given the ongoing tensions between the US and China, it is unlikely that these government-run hacks will let up anytime soon. So what lessons can be learned for the corporate community? The Equifax hack and the charge that the hackers were Chinese military personnel present a number of significant implications and takeaways for corporate entities.
The Value of Data is Subjective
For starters, there is a common misperception that an organization is not "interesting" enough to attract the attention of a state actor with the resources to pursue a target indefinitely, and that it therefore does not have to take its security so seriously. None of these organizations, from Equifax to the OPM, would have thought themselves worthy of such attention, but each one held a dataset valuable enough to be worth the effort.
Basic Security Standards Matter
The fact that these organizations also appeared to apply poor security standards made it easy enough for the hackers to break in and take what they wanted. The OPM and Equifax were found to have major security flaws, including credentials and other high-value data stored in plain text and a failure to segment the network, so that a foothold on a single web portal could reach dozens of unrelated databases; segmentation would have limited the damage in the event of a breach.
Even APTs Sometimes Go Back to Basics
Known vulnerabilities in open source components are an attacker's bread and butter. Alongside phishing and similar techniques, exploiting a flaw in code is a reliable way in, doubly so for publicly reported vulnerabilities, where the advisory and, usually, a public proof-of-concept hand the attacker most of what they need; exploit code for the Struts flaw was circulating within days of the disclosure.
Because open source components make up between 60% and 80% of the code base of a modern application, they present a large attack surface that can be impossible for teams to defend manually. An organization that does not track which open source components its software uses, and act immediately when new vulnerabilities are reported against them, runs the risk of being caught off guard like Equifax was, despite the warning.
Attackers also know that organizations are slow to patch, and you cannot patch what you do not know you are running. Talented hackers will use every tool in their arsenal to breach their target, so make sure that you are covering all of your bases. More often than not, it is the basics that get the job done best.
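One way to put that basic into practice is an inventory check that compares what is actually built and deployed against the affected-version ranges published in an advisory. The script below is an added example for this article, not Equifax's, Apache's or the author's code. The POM fragment, the jar listing and the advisory table are constructed for illustration; the Struts ranges in the table are the ones published for S2-045 (CVE-2017-5638), everything else, including the hypothetical portal and its other dependencies, is made up.

```python
"""Dependency inventory check against known-vulnerable version ranges.

Added example, not code from Equifax, Apache or the article's author.
The POM fragment, the jar listing and the advisory table are constructed
for this example; the Struts ranges in the table are those published for
S2-045 (CVE-2017-5638), all other values are illustrative.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Maven build file for a hypothetical web portal.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed listing of what is actually deployed in a server's WEB-INF/lib.
# A build file tells you what you built, not what is running in production.
DEPLOYED_JARS = ["struts2-core-2.5.10.jar", "xwork-core-2.5.10.jar",
                 "commons-fileupload-1.3.3.jar"]

# (advisory, groupId, artifactId, first affected, first fixed), one row per
# release branch.  S2-045 affected 2.3.5-2.3.31 (fixed in 2.3.32) and
# 2.5-2.5.10 (fixed in 2.5.10.1).  A real check would pull these ranges from
# a maintained feed rather than a hard-coded table.
ADVISORIES = [
    ("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.3.5", "2.3.32"),
    ("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.5", "2.5.10.1"),
]

# artifactId-version.jar; the artifact part is matched lazily so that
# hyphenated names such as struts2-core are split at the version, not earlier.
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1).  Tuple comparison then orders plain
    numeric versions the way Maven does ((2, 5, 10) < (2, 5, 10, 1)).
    Qualifiers such as -SNAPSHOT are dropped, which is conservative here."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def deps_from_pom(xml_text):
    """Return (groupId, artifactId, version) for every <dependency> in a POM,
    ignoring the XML namespace so namespaced and bare files both work."""
    def local(el):
        return el.tag.rsplit("}", 1)[-1]

    deps = []
    for el in ET.fromstring(xml_text).iter():
        if local(el) != "dependency":
            continue
        fields = {local(child): (child.text or "").strip() for child in el}
        if "artifactId" in fields and "version" in fields:
            deps.append((fields.get("groupId"), fields["artifactId"], fields["version"]))
    return deps


def deps_from_jar_names(names):
    """Return (None, artifactId, version) for each jar file name.  The groupId
    cannot be recovered from a file name, so matching falls back to artifactId."""
    deps = []
    for name in names:
        m = JAR_NAME.match(name)
        if m:
            deps.append((None, m.group("artifact"), m.group("version")))
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (advisory, artifactId, version, fixed_in) for every dependency
    whose version lies in [first_affected, first_fixed) of an advisory row."""
    findings = []
    for group, artifact, version in deps:
        v = parse_version(version)
        for adv, adv_group, adv_artifact, first_bad, first_fixed in advisories:
            if artifact != adv_artifact or (group is not None and group != adv_group):
                continue
            if parse_version(first_bad) <= v < parse_version(first_fixed):
                findings.append((adv, artifact, version, first_fixed))
    return findings


if __name__ == "__main__":
    for source, deps in (("pom.xml", deps_from_pom(POM_XML)),
                         ("WEB-INF/lib", deps_from_jar_names(DEPLOYED_JARS))):
        for adv, artifact, version, fixed in find_vulnerable(deps):
            print(f"{source}: {artifact} {version} is affected by {adv}, upgrade to {fixed}")
```

The check deliberately runs over two inventories. The build file shows struts2-core 2.3.31, in the 2.3 branch's affected range, while the deployed jars show 2.5.10, which is affected even though it is one patch level away from the fix; an inventory that looked only at the build file would have found one of the two and missed a server running something else. Versions with pre-release qualifiers (rc, beta) need the full Maven ordering rules before this is used in anger, and the advisory table should come from a maintained source such as NVD or OSV rather than being typed in by hand.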
What Happens Next for our Hackers?
For now, they have been "named and shamed", which reflects an impressive attribution effort by the US.
Despite all the fanfare around the Equifax saga, and unless they make the mistake of travelling to a country with an extradition treaty with the US, these hackers are unlikely to face the American justice system anytime soon.