Monday, the Department of Justice announced the indictment of four members of the Chinese Army who hacked Equifax, breaching over 145 million records covering nearly half of all Americans. The records included the personal and financial information Equifax collects for credit scoring and reporting. Using a vulnerability in an older web application framework, the Chinese hackers were able to infiltrate Equifax's servers and dump the data back to China. However, this is just one of several attacks that appear to be part of a larger pattern by the Chinese.
According to the DOJ filing, the attackers leveraged an unpatched vulnerability in the Struts framework and implanted a web shell that gave them a foothold in the server infrastructure. From that initial compromise, the attackers spent weeks moving laterally and infiltrating other servers and databases, discovering what information was available and what could be stolen.
Using the web shell access, the attackers maintained a constant connection back to a command and control server located in China, proxied through a Swiss server. The attackers were able to pull social security numbers and names of the people Equifax had collected information on, eventually sending the data back to the Chinese servers in small increments to avoid detection. The attack followed the typical threat-actor pattern that starts with reconnaissance and ends with data exfiltration.
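The "small increments" pattern described above is exactly what a defender can look for in outbound proxy or firewall logs: many small, regularly spaced transfers from one internal host to one external destination over a long period. The following script is an added illustration, not code from the article or from the DOJ filing; it runs a simple low-and-slow exfiltration heuristic over a handful of constructed log lines (the timestamps, host names, IP addresses and byte counts are made up and use documentation address ranges), and the thresholds are assumptions a team would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): timestamp, source host,
# destination, bytes sent. web01 -> 203.0.113.10 shows the suspicious pattern:
# ten ~4 KB uploads exactly ten minutes apart. The other rows are normal noise:
# one large one-off backup upload and two small, irregular requests.
SAMPLE_LOG = """\
2017-06-01T02:00:00 web01 203.0.113.10:443 4120
2017-06-01T02:10:00 web01 203.0.113.10:443 3980
2017-06-01T02:20:00 web01 203.0.113.10:443 4210
2017-06-01T02:30:00 web01 203.0.113.10:443 4050
2017-06-01T02:40:00 web01 203.0.113.10:443 3990
2017-06-01T02:50:00 web01 203.0.113.10:443 4130
2017-06-01T03:00:00 web01 203.0.113.10:443 4075
2017-06-01T03:10:00 web01 203.0.113.10:443 4180
2017-06-01T03:20:00 web01 203.0.113.10:443 4020
2017-06-01T03:30:00 web01 203.0.113.10:443 4095
2017-06-01T02:05:00 web01 192.0.2.7:443 52428800
2017-06-01T02:15:00 web02 198.51.100.5:443 1200
2017-06-01T02:45:00 web02 198.51.100.5:443 900
"""


def parse_log(text):
    """Group log lines by (source, destination), each as a time-sorted
    list of (timestamp, bytes_sent) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for key in events:
        events[key].sort()
    return events


def find_low_and_slow(events, min_events=8, max_bytes=8192,
                      min_span=timedelta(hours=1), max_jitter=0.5):
    """Flag (src, dst) pairs whose transfers are all small, numerous,
    spread over a long window, and regularly spaced (low jitter).
    Threshold defaults are assumptions for the sample, not tuned values."""
    flagged = []
    for (src, dst), rows in events.items():
        if len(rows) < min_events:
            continue
        times = [t for t, _ in rows]
        sizes = [b for _, b in rows]
        if max(sizes) > max_bytes:          # bulk uploads are a different signal
            continue
        span = times[-1] - times[0]
        if span < min_span:                 # too short to be "slow"
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        # Coefficient of variation of inter-arrival times: near 0 means
        # machine-regular timing, which humans and browsers rarely produce.
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if jitter > max_jitter:
            continue
        flagged.append({
            "src": src,
            "dst": dst,
            "events": len(rows),
            "total_bytes": sum(sizes),
            "span_hours": round(span.total_seconds() / 3600, 2),
            "jitter": round(jitter, 3),
        })
    return flagged


if __name__ == "__main__":
    for hit in find_low_and_slow(parse_log(SAMPLE_LOG)):
        print("suspicious low-and-slow transfer:", hit)
```

The heuristic deliberately ignores the large single upload and the two irregular small requests, and only the host with ten evenly spaced small transfers to one external address is reported. In practice the per-transfer size cap, minimum event count and window length need to be set from a baseline of the organisation's own outbound traffic, and a hit is a lead for investigation, not proof of exfiltration.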
But the bigger question is what the Chinese would do with this information. One indicator might be found by looking at other attacks on US organizations, both government and private. In June 2015, government personnel data was breached on systems maintained by the federal government's Office of Personnel Management. The suspected attackers were Chinese nationals associated with the PLA, the military arm of the Chinese government.
This past year in January, Marriott International experienced a breach of information that included passport numbers and other traveler information. That breach possibly included as many as 383 million records, although the actual number was probably much lower. Once again, the attackers were suspected to be the Chinese military.
Going back to 2014, the insurance company Anthem was hit with a data breach by Chinese nationals. The information included passports and other personal information. This breach exposed as many as 8 million records.
As you can see, the Chinese have been amassing a large amount of personal information on US citizens, including names, addresses, e-mail addresses, social security numbers, and passport numbers. It is probably one of the largest collections of information on US citizens outside the US itself and rivals most information providers here in the US. In some respects, the Chinese could compete with some of the biggest marketing firms in the US with the amount of data they hold.
However, I think there is a much different motive behind these acquisitions. The Chinese have always been known to play the long game when it comes to strategy and motive. This data could provide just what China needs to create more targeted attacks with specific purposes.
For example, by using the information gathered from OPM and public sources, China could find individuals who work for particular government agencies and send very specific phishing e-mails to them to gain access to not only their work computers, but also personal computers. With the right access, they might be able to gain footholds into strategic systems used to disrupt government operations.
Consider the information gained from Equifax, which also identifies employers. That information could be used to send targeted phishing e-mails to bank or healthcare employees as a way into financial institutions or hospitals. The attacks could have financial motives or aim to create chaos in the nation's healthcare systems.
We've already seen the number of ransomware attacks on small governments creeping upward around the nation. Most of these systems are old, and many have not kept up with the patching intended to protect them from easy-to-exploit vulnerabilities. While it's unclear whether the Chinese might be interested in these systems, they certainly have the information needed to attack.
Of course, these are all speculations. But the facts are there to suggest the Chinese are ready to play some pretty serious hardball when it comes time. Let’s just hope we’re ready.