
Chinese military personnel charged for hacking into Equifax - jayess
https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking
======
tzs
This kind of charging of specific foreign military or intelligence personnel
for hacking US institutions is somewhat controversial in the US intelligence
community [1].

Their worry is that foreign countries will eventually retaliate by charging
people who are involved in US government programs to hack those foreign
countries.

Another worry is that indicting people might give away information about your
sources and methods.

[1] https://www.mcclatchydc.com/news/nation-world/national/national-security/article205363554.html

~~~
dontbenebby
>Their worry is that foreign countries will eventually retaliate by charging
people who are involved in US government programs to hack those foreign
countries.

How are non "cyber" crimes handled? Is it normal to charge people for the
murders, thefts, and other illegal activities intelligence officers perform?

I'm not going to make a moral judgement here, I'll just say that I'm not a fan
of treating "cyber" as some magical realm where there are no norms.

~~~
mcny
> I'm not going to make a moral judgement here, I'll just say that I'm not a
> fan of treating "cyber" as some magical realm where there are no norms.

On the contrary, I think we are pulling in too many assumptions into "cyber".
Imagine this: if someone had left their door unlocked and someone came in and
stole their lawn mower, you could say they deprived the owner of use of their
lawn mower. However, imagine if Equifax removed [authorize] on an HTTP
endpoint like /v2/person/:id allowing anyone to just GET /v2/person/1 ..
999999999 consecutively. Is this a criminal matter? I'd say no. I'd go further
and say that this "cyber" fearmongering has gone too far and we should ABOLISH
the CFAA. The EFF has still laid their hopes on reform but I for one think it
is irredeemable and must be abolished with no replacement.
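A worked illustration of the missing-authorization endpoint described above, as an added example that is not part of the thread and not Equifax's code: a Go net/http handler for GET /v2/person/:id with the authorization check removed, beside a hardened handler that authenticates the caller and enforces object-level authorization (a user may read only their own record; an "auditor" role may read any). The X-Session header format, the sample records and the role names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample records standing in for a person store (not real data).
var people = map[string]string{
	"1": "Alice Example, born 1980-01-01",
	"2": "Bob Example, born 1975-06-30",
}

// Session is the result of authenticating the caller; nil means unauthenticated.
type Session struct {
	Subject string // the person id this session belongs to
	Role    string // "user" or "auditor" (role names are assumptions)
}

// authenticate is a stand-in for real session validation: it reads the
// X-Session header as "subject:role". A real service would verify a signed token.
func authenticate(r *http.Request) *Session {
	parts := strings.SplitN(r.Header.Get("X-Session"), ":", 2)
	if len(parts) != 2 || parts[0] == "" {
		return nil
	}
	return &Session{Subject: parts[0], Role: parts[1]}
}

func personID(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/v2/person/")
}

// vulnerableHandler: the authorization check is missing, so any caller can
// walk /v2/person/1 .. /v2/person/N and read every record.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	rec, ok := people[personID(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, rec)
}

// hardenedHandler: authenticates the caller, then enforces object-level
// authorization before touching the record store.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	s := authenticate(r)
	if s == nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id := personID(r)
	if s.Role != "auditor" && s.Subject != id {
		// 404 rather than 403 so the response does not confirm that the id exists.
		http.NotFound(w, r)
		return
	}
	rec, ok := people[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, rec)
}

// fetch drives a handler in-process and returns the status code and body.
func fetch(h http.HandlerFunc, id, session string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/v2/person/"+id, nil)
	if session != "" {
		req.Header.Set("X-Session", session)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, rr.Body.String()
}

func main() {
	code, body := fetch(vulnerableHandler, "2", "")
	fmt.Println("vulnerable, anonymous caller:", code, body)
	code, body = fetch(hardenedHandler, "2", "")
	fmt.Println("hardened, anonymous caller:", code, strings.TrimSpace(body))
	code, body = fetch(hardenedHandler, "2", "1:user")
	fmt.Println("hardened, someone else's record:", code, strings.TrimSpace(body))
	code, body = fetch(hardenedHandler, "2", "2:user")
	fmt.Println("hardened, own record:", code, body)
}
```

The point for a defender is that the fix is a check on the relationship between the caller and the object, not only on whether the caller is logged in; an authenticated user enumerating other ids should get the same response as for an id that does not exist.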

~~~
dak1
Just to play devil's advocate: If an armored Brinks truck gets in an accident
and cash spills all over, it's not legal to take just because it's no longer
protected and on public land.

Intent has to matter a lot in these cases, though.

If a bill blows a mile away and somebody happens to find it with no knowledge
of the crash, that's qualitatively different than witnessing the accident and
then rushing to grab the money you watched spill out.

~~~
uranium235
Just to be practical: the internet is not a magical place, just one where
anonymity is so practical that one cannot justify a figurative Brinks truck
failing. Moreover, it's absolutely unacceptable for institutions like Equifax
to fail given the importance of identity security and the apparent lack of (or
unwillingness to consider) alternatives to the social security number such as
PKI; PGP for example. If you've ever seen a bitcoin paper wallet with QR codes
printed on it you'll know what I'm talking about. I don't care if it's Apache
Struts or PHP + mySQL they should have tested to the point of impossibility of
intrusion. I think it's also reasonable to assume that the government is full
of shit, and the most likely scenario is that these people in China admitted
this to the government because they wanted us to know that they did it. If
anything they're doing us a favor, but I still think the real solution to the
problem is to stop relying so heavily on pseudo-secret identities like the
social security number and to at least offer people an alternative means that
uses cryptography at least for the people who care about doing things right
and taking responsibility for their own security since the government can only
make fraudulent guarantees that we're ever going to be safe.

Maybe I'm wrong about this, but I'm pretty damn sure if you use tor the right
way they're not ever going to find you unless you give yourself away some
other way.

~~~
azernik
Just because the proverbial armored car company and/or driver was negligent,
doesn't mean the thief is innocent.

~~~
uranium235
No, for sure, stealing is a dick thing to do. But I like to keep my
expectations reasonable. Can I reasonably expect to carelessly leave my phone
at a table in a place where crime is known to happen when I know better?

------
Jerry2
From the article:

> _The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu
> Ke(许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a
> component of the Chinese military._

How were they identified exactly? I'm always fascinated with these DOJ
indictments of foreign state actors but I'm always left wondering how they
managed to narrow it down to a small group of people. I'm guessing that "PLA’s
54th Research Institute" employs thousands of people so how does the FBI/DOJ
identify the culprits so precisely? Is it through CIA/NSA spying and moles
inside the PLA?

You don't see foreign governments identifying individual NSA employees when
the NSA hacks into something... so how does the DOJ do it?

~~~
Seenso
> How were they identified exactly? I'm always fascinated with these DOJ
> indictments of foreign state actors but I'm always left wondering how they
> managed to narrow it down to a small group of people.

My guess is they counter-hacked the PLA’s 54th Research Institute to identify
the culprits, then used parallel construction for the indictment.

IIRC, the public intelligence report on the Russian 2016 election influence
campaign revealed that the US had counter-hacked some of the Russian groups
involved, and used the information gained from that as evidence to attribute
the overall campaign to the Russians.

~~~
jessaustin
They've just named some names. These people might be associated with that
"institute", but they're just as likely to be custodians or secretaries as
hackers.

~~~
seppin
You didn't read the previous GRU indictments very closely. They got actual
surveillance footage of individuals in the building.

~~~
jessaustin
On the "surveillance footage", were they mopping and sweeping? I wonder
whether such "footage" constitutes _prima facie_ evidence for an indictment
going the opposite direction...

~~~
seppin
I remember your user name, you popped up in another thread about US/China,
talked baseless anti-US conspiracies then left. Is there a reason you spend
time out of your day to do this?

------
interlocutor
I am still waiting for Equifax leaders to be charged for their negligence.
They failed to keep their software up-to-date [1], while storing sensitive
information about millions of US citizens.

[1] https://techbeacon.com/security/why-equifax-breach-should-never-have-happened

~~~
kortilla
Wait until you find out nearly every company with sensitive documents has
pieces of software that are out of date.

~~~
noobermin
That makes things worse but should absolve no one of responsibility.

------
sebastianconcpt
_According to the indictment, the defendants exploited a vulnerability in the
Apache Struts Web Framework software used by Equifax’s online dispute portal.
They used this access to conduct reconnaissance of Equifax’s online dispute
portal and to obtain login credentials that could be used to further navigate
Equifax’s network. The defendants spent several weeks running queries to
identify Equifax’s database structure and searching for sensitive, personally
identifiable information within Equifax’s system. Once they accessed files of
interest, the conspirators then stored the stolen information in temporary
output files, compressed and divided the files, and ultimately were able to
download and exfiltrate the data from Equifax’s network to computers outside
the United States. In total, the attackers ran approximately 9,000 queries on
Equifax’s system, obtaining names, birth dates and social security numbers for
nearly half of all American citizens._

------
xivzgrev
Holy shit did not see that coming. Was sure it was some hackers out looking to
sell info on dark web. Chinese government gives it a whole different
motivation.

~~~
Spooky23
It shouldn't be a surprise.

The US has essentially an omnipotent traditional military force that can
either engage or assure mutual destruction of any opponent on the earth.
Nobody can compete successfully. But humans are crafty, and come up with ways
to defeat irresistible force.

As we've seen predicted for 20+ years and demonstrated in the public space for
10, our nation's weakest link is that election system and political finance
system, particularly for legislators. The checks and balances that are
supposed to prevent egregious behavior are broken (see what happened to most
US Attorneys since 2016, the impeachment circus, and 100 other things at the
state/local level).

Building dossiers on Americans is a great, obvious way to wield this power
and to target and enable espionage/influence activity. Recall that the federal
agency that keeps records on background checks was breached a couple of years
ago. So now you have a hostile nation state that knows everyone, and all of
their background data, with security clearances. You can cross-walk that with
Equifax information, health insurance breaches (Recall that Blue Cross was
also breached), etc and do all sorts of interesting things.

~~~
ianleeclark
> The US has essentially an omnipotent traditional military force that can
> either engage or assure mutual destruction of any opponent on the earth.
> Nobody can compete successfully.

How many times in the past two years have our boats crashed into one another?
The F35 program is a complete failure. When we ran Hormuzi wargames, a rag-tag
group that fought through guerrilla warfare won until our Navy cried and made
the other side "fight fair." In the past 80 years the only win we can claim is
the Gulf War. This is seriously overstating our military capabilities.

~~~
jvanderbot
But, a war with China (direct conflict) would be the Naval set-piece battle
the US has been dreaming of for decades. Much like how Iraq was the combined
arms showcase dreamed of post Cold War. US has struggled at asymmetric combat
against regional bad actors, as evidenced nearly everywhere, but your
assertion that somehow China would be able to leverage that type of
warfighting when their O&G infrastructure and major threat projection airbases
are on islands or near shore does not compute. It would be ugly, not
straightforward, not "Iraq on water" ... but it would be much different than
wargames in geographically tight confines with limited rules of engagement.
The US and allies still do hold the Pacific mostly as their own backyard, and
that would need to change to tip the balance toward China.

~~~
ianleeclark
> your assertion that somehow China would be able to leverage that type of
> warfighting

I'm not saying that, I'm saying that the entirety of the US military is
incompetent and pumped too full of cash (despite its many failures) that it's
ridiculous to act like no one can compete.

> The US and allies

I know we like to take our satellite states for granted, but that day will
come to an end and it seems likely that taking real action against China could
be the catalyst.

~~~
jvanderbot
I hear you and I see the consistency of your arguments, and acknowledge
development and production failures and large budgets, but disagree it implies
incompetence across the board.

------
tvanantwerp
I think criminal charges against specific government hackers will probably
become the norm, since no power is likely to stop hacking other powers yet no
powers are too keen to start a war over it. If you're a government hacker, I
wouldn't plan on taking any overseas vacations for the rest of your life.

------
sschueller
Wasn't Equifax the one that had admin/admin as password and leaked most of its
data because of complete incompetence?

~~~
Someone1234
Most security breaches are because of incompetence (typically
management/oversight, rather than technical).

Equifax didn't have good oversight of which systems were patched and instead
relied on a single employee to remember to do it. One got forgotten. People
broke in using an old exploit and then leveraged into Equifax's network.

Equifax's first problem was bad patch policy. Its second problem was lack of
network isolation/intranet security/onion-ing. As soon as an edge server was
compromised the attacker hit the jackpot and had everything.

The last problem was lack of audit/accountability into who/what was accessing
sensitive data on the intranet. If they had that they still would have been
compromised and lost data, but not every customer's record (which took a long
time).
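The third problem named above, no audit of who or what reads sensitive data, is the one of the three that a detection rule can act on directly. As an added example (not Equifax's tooling and not anything from the indictment), here is a small Go detector that parses a constructed database audit log and raises an alert when one account's reads of a sensitive table exceed a per-window query count or row total. The log line format, the table name consumer_pii, the account names and the thresholds are all assumptions for the example; the burst in the sample data is constructed to mimic a run of bulk queries rather than any recorded traffic.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// AuditEvent is one parsed line of the (constructed) database audit log.
type AuditEvent struct {
	At    time.Time
	User  string
	Table string
	Rows  int
}

// Alert summarises one account's reads of one sensitive table in one window.
type Alert struct {
	User, Table   string
	WindowStart   time.Time
	Queries, Rows int
}

// Constructed sample log. The "ts user=... table=... rows=..." format is an
// assumption, not Equifax's real audit format. Ordinary portal traffic reads a
// handful of rows; one account then issues a burst of large reads against the
// PII table. One line is malformed (no rows field) to show it is skipped.
const sampleLog = `2017-05-14T03:10:01Z user=portal_app table=disputes rows=1
2017-05-14T03:10:05Z user=portal_app table=disputes rows=3
2017-05-14T03:11:40Z user=portal_app table=consumer_pii rows=1
2017-05-14T03:12:07Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:09Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:11Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:13Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:15Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:17Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:19Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:21Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:23Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:25Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:12:27Z user=portal_app table=consumer_pii rows=5000
2017-05-14T03:13:00Z user=portal_app table=consumer_pii
2017-05-14T03:15:00Z user=analyst_jane table=consumer_pii rows=20
2017-05-14T04:01:00Z user=portal_app table=disputes rows=2`

// parseAuditLog turns the raw log into events; it returns the number of
// malformed lines so a monitor can alarm on a log source that stops parsing.
func parseAuditLog(raw string) ([]AuditEvent, int) {
	var events []AuditEvent
	bad := 0
	for _, line := range strings.Split(raw, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			bad++
			continue
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if p := strings.SplitN(f, "=", 2); len(p) == 2 {
				kv[p[0]] = p[1]
			}
		}
		rows, err := strconv.Atoi(kv["rows"])
		if err != nil || kv["user"] == "" || kv["table"] == "" {
			bad++
			continue
		}
		events = append(events, AuditEvent{At: at, User: kv["user"], Table: kv["table"], Rows: rows})
	}
	return events, bad
}

// detectBulkReads aggregates reads of sensitive tables per (user, table, window)
// and alerts when either the query count or the row total exceeds its threshold.
func detectBulkReads(events []AuditEvent, sensitive map[string]bool, window time.Duration, maxQueries, maxRows int) []Alert {
	type key struct {
		user, table string
		start       time.Time
	}
	agg := map[key]*Alert{}
	for _, e := range events {
		if !sensitive[e.Table] {
			continue
		}
		k := key{e.User, e.Table, e.At.Truncate(window)}
		a, ok := agg[k]
		if !ok {
			a = &Alert{User: e.User, Table: e.Table, WindowStart: k.start}
			agg[k] = a
		}
		a.Queries++
		a.Rows += e.Rows
	}
	var alerts []Alert
	for _, a := range agg {
		if a.Queries > maxQueries || a.Rows > maxRows {
			alerts = append(alerts, *a)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].WindowStart.Before(alerts[j].WindowStart) })
	return alerts
}

func main() {
	events, bad := parseAuditLog(sampleLog)
	fmt.Printf("parsed %d events, %d malformed lines\n", len(events), bad)
	for _, a := range detectBulkReads(events, map[string]bool{"consumer_pii": true}, time.Hour, 10, 10000) {
		fmt.Printf("ALERT %s read %s: %d queries, %d rows in window starting %s\n",
			a.User, a.Table, a.Queries, a.Rows, a.WindowStart.Format(time.RFC3339))
	}
}
```

Thresholds this crude would need tuning per account (an analyst's 20 rows should not trip it, a web application reading whole tables should), but even a fixed per-hour cap on rows read from a PII table would surface the sort of sustained querying the indictment describes long before the data leaves the network.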

~~~
uranium235
Yes, people are unreliable; that's why we need a more resilient means to
establish identity like PKI. Consider PGP for example. They could put QR codes
on social security cards for all I care, just fix the real problem for once.

------
throwaway_tech
The US needs to treat this as an act of war by a foreign military/government,
not as a criminal act by people acting in an individual capacity.

If the US can identify the individual hackers, then they should be able to
identify the physical location from which the military committed the acts of
war and respond with the use of force as permitted by the UN Charter and
international laws and norms. By responding with grand jury indictments the US
sets a terrible and dangerous precedent and is telling foreign governments the
US will not do anything in response to military based acts of cyber warfare.

~~~
arminiusreturns
Techthroways that have never experienced war and don't study international
relations and geopolitics should stop suggesting bullshit like this. I get so
tired of people advocating more aggressive stances with other nations when
it's not their ass or their offspring that will go to war. This is also why I
advocate that next war all the politicians' sons and daughters get drafted and
then we can see if they still want to go to war.

Oh wait, the Congress abdicated its constitutional duty to be responsible for
declaring war via the unconstitutional War Powers Act and AUMFs...

~~~
allovernow
I'm not pro war but at the other end of the spectrum, appeasement in Europe
allegedly gave us WWII.

~~~
jessaustin
There is no sense of the word "appeasement" that includes the Treaty of
Versailles. USA entering WWI and allowing UK and France to win decisively was
what caused WWII.

Because apparently it must be said, I am not a "Nazi sympathizer". I would
have preferred that the Nazis had never existed let alone dominated a large
portion of Europe. Similarly, it would have been better had we not invaded
Iraq and caused ISIS to exist.

------
jayess
The indictment is linked at the bottom of the page and has interesting
technical details.

Even more interesting is the question of how the named individuals were
identified, which is not addressed in the indictment. The indictment also
includes photos of three of the people indicted. This comes across as a shot
across the bow to show China that the US govt can identify the individual
people doing these things.

~~~
dx87
Yep, they even say that in the link.

"Today, we hold PLA hackers accountable for their criminal actions, and we
remind the Chinese government that we have the capability to remove the
Internet’s cloak of anonymity and find the hackers that nation repeatedly
deploys against us."

~~~
ISL
If this ever goes to trial, the defense-discovery of how it was done will be
interesting.

~~~
bitxbitxbitcoin
Unless they use parallel reconstructionism to keep their (probably Tor)
deanonymizing skillset on the down low.

~~~
ISL
If the prosecutors were to do so knowingly, the prosecutors would be breaking
their oath to the Constitution (and simultaneously obliterating their
case/perhaps committing crimes of their own).

~~~
LunaSea
Like that hasn't happened before with no consequences when investigative
forces were handed a cool new toy.

------
cfv
This is nuts.

a) They are charged with conspiring _with each other_ to do this, but
simultaneously b) it "fits a disturbing and unacceptable pattern of state-
sponsored computer intrusions", and in the process they managed to commit c)
"conspiracy to commit wire fraud".

None of those 3 things make any sense in the face of the others. How is doing
this kind of things even legal?

~~~
nexuist
The US has no jurisdiction to arrest Chinese soldiers on Chinese land. How
could it be illegal? They would become prisoners of war in a war that doesn't
legally exist.

------
alephnan
I remember an opinion piece claiming hackers might have piercings, tattoos,
neon colored hair, which doesn't jibe well with (U.S.) government agencies
where people wear suits.

I’m curious if there is concrete data breaking down whether recruiting for
cyber security roles in the public sector is constrained by culture,
compensation or something else.

~~~
madamelic
Both.

I worked in the US federal gov't during college and was casually asked if I
would consider coming on after college.

If I remember right, fresh college grad compscis would make about $50k / year.

The General Schedule caps out at a GS-15 with a yearly salary of $142k which
is basically how much SV will pay a fresh grad.

It makes no financial sense for any CS grad to get a job in the federal
government.

You can either _maybe_ make $142k / yr in 20 - 30 years or $200k / yr in about
5 years.

~~~
dsfyu404ed
Nobody who runs the bay area rat race gets to be root on other countries'
computer systems and have an easy commute through semi-rural Georgia. There's
definitely a group of people to whom the life that comes with a government job
is attractive.

~~~
madamelic
Totally, but the question becomes what caliber of scientist that is
attracting.

I guess someone could work for a pittance for a few years then leverage an NSA
position for absurdly higher pay at a government contractor doing the same
thing.

------
tempotemporary
> They routed traffic through approximately 34 servers located in nearly 20
> countries to obfuscate their true location, used encrypted communication
> channels within Equifax’s network to blend in with normal network activity

How cool is that. They have been able to grab and correlate netflow from
across _20 countries_.

~~~
dclusin
It looks like they're using the common meaning of routing and are implying
tunneling instead of actual route hijacking. So finding which servers they're
tunneling to is thorough but doesn't seem all that impressive.

~~~
ed_balls
Did they want to get found then?

------
blunte
The problem with being a political "hack" and repeatedly lying is that it
creates doubt when you might be telling the truth. With William Barr's name on
this, it is weaker.

------
exabrial
I don't really consider this a "hack", I mean Equifax left the door wide open.

~~~
sdinsn
Strange how many people on HN try to downplay hacking whenever China is
involved...

------
kazinator
> _The defendants are charged with three counts of conspiracy to commit
> computer fraud._

It's almost literally the job description of military personnel to conspire to
cause mayhem abroad.

~~~
JoeAltmaier
...when at war. Otherwise it's a serious breach. A military person who commits
murder outside their mandate is a criminal.

~~~
FDSGSG
Is it a serious breach when both sides are doing this? We know very well that
the US does this.

~~~
JoeAltmaier
When discovered. It's like a spy being arrested - always an embarrassment,
usually leveraged to get some concession.

------
hatenberg
Hacking. More like shooting fish in a barrel with what we know today

~~~
pgrote
The CISO of Equifax assured a reporter it was possible it still could have
happened even when patched.

"The Equifax security chief noted that the company continues to fend off
attempted cyberattacks every day, and expects hacks to escalate in the future.
He said that given how dedicated the Chinese military hackers were, a breach
could still have happened even if the vulnerability had been patched. "They're
extraordinarily sophisticated," Farshchi said in an interview. "I would say
that it's possible.""

https://www.cnet.com/news/justice-department-charges-chinese-nationals-over-equifax-hack/

Good to see they are confident.

------
lowdose
It's all about timing with public relation messages.

------
chvid
Isn't this one of those cases that is never going to court?

Similarly to the Russian military intelligence officers that were indicted in
the Mueller investigations?

------
qiguai
Well when China takes over the US, and they implement their personal credit
score here, they'll already have the profiles for the database!

------
president
Can anyone comment on what kind of damage the Chinese might be able to do with
this type of data on American citizens?

~~~
alwayseasy
1/ Cross-reference their Equifax data with the OPM database they stole, and
use it to identify American NOC operatives entering China (or their sphere of
influence, or countries whose border system they've pwned) and place them
under surveillance from the start.

2/ Create a score of potential recruit-ability based on people's credit
history, target them once they enter a field they're interested in.

------
stjohnswarts
And nothing will happen because no one in the US government has the cojones to
do anything about it.

------
fqye
Just curious. How much faith do Americans have in current DOJ’s credibility
after the whole Trump impeachment show and Barr's politically driven handling of
the Mueller report? To me I believe the current DOJ can make political allegations
with very weak evidence or even with no evidence at all. I am sure China would
say show us the evidence and we all know it’s not gonna happen.

------
leptoniscool
I wonder what Snowden thinks?

~~~
uranium235
He probably thinks wow why is it that nobody ever considers that this problem
would go away if we just came up with a better system for identity, such as
how PGP works.

~~~
dontbenebby
Please feel free to illuminate for me how PGP would have prevented the Equifax
breach, since I'm failing to connect the dots

~~~
uranium235
well not using PGP specifically, but imagine having a social security card
with two QR codes on it in addition to your social security number. one of the
QR codes contains a private key and the other a public key. The financial
institutions and credit reporting agencies can freely access your public key
and it's safe to give away. You can make signatures with your private key when
it's scanned at a bank or on a phone and the signatures can be verified to be
correct by your publicly available public key.

I like the idea better of making additional keypairs that have a chain of
signatures back to your social security card so that you don't have to rely on
it as much. It seems to me there's a lot of things that could be very workable
as far as this is concern, but just to be clear I just like to use PGP as an
analogy to a system that could work.

~~~
dontbenebby
That sounds like a very important key. I'm not discounting the technical
merits of your proposal, but I'd worry it'd be very hard to secure the
infrastructure used to create, update, and track those keys.

(This is the same logic many use for opposing backdooring encryption, since
often it boils down to key escrow)

------
swiley
It doesn’t matter at all _who_ “hacked” it, these companies are committing
slander against Americans and facilitating fraud en masse.

The model itself is fundamentally flawed and this hack won’t be the last or
the worst.

~~~
duxup
I think it does matter who and we can in fact take issue with both who hacked
it and the companies business methods.

~~~
swiley
Meh, the “hack” is a symptom of a broken credit model. If you fix the
fundamental problem then it makes it harder for bad actors to create problems
like this (no matter what the intention is.)

Bothering with the international politics is a waste of valuable time and
energy and will probably just hurt people.

~~~
duxup
The information is out there credit model or not.

------
uranium235
Would just like to merely point out that we could use public key cryptography
to solve the problem of identity theft.

~~~
majos
I'm curious, if you think that this big problem has a simple solution, why do
you think that the solution has not been widely adopted?

~~~
uranium235
I can only speculate but I've given _a lot_ of thought to this problem and:

1. Nobody has suggested it as an alternative; nobody wants to completely get
rid of the system we have now. PKI requires electronics to create and verify
signatures created with the keypairs.

2. Because financial institutions do not care and it's not their prerogative.
The social security administration is not responsible for people's credit
reports and as far as they're concerned there is no problem.

3. People are afraid to try new things and new technology and it's up to the
government to see that it's done correctly. Theoretically a problem could
arise from somebody making a business out of "keeping track of your private
key for you" which negates the purpose entirely.

4. People are lazy, and not everybody cares, and it doesn't necessarily speak to
the benefit of people who don't care about their credit or their identity,
which is why I say it should be an option.

5. If cryptography fails, then the whole thing is pointless. But, I think
most people will agree if cryptography fails we will have much bigger
problems.

The solution I have in mind is similar to what I've seen with "paper bitcoin
wallets" where you have two QR codes: a public and a private key. Imagine a
social security card with two QR codes. When you create a bank account, or
when you get a state id or something you can get another set of qr codes, that
have a record of signatures provided by a state department's private key or
that of a financial institution along with a signature provided by your social
security card. With your new set you can safely put away your social security
card. The idea being, signatures can represent business and billing agreements
as well as establishing an identity chain similar to how PGP's web of trust
works. Anyone can have your public key, you just have to keep your private
keys safe. Even if somehow you stupidly manage to screw this up, it's not that
hard to start over. People lose social security cards now and they have to be
re-issued. They just have to come up with the system for it and start doing
it.
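The delegation chain sketched in this comment and in the earlier reply to dontbenebby (a card keypair that endorses further keypairs for a state ID or a bank, with verification walking the signatures back to the card) can be written down concretely. The following is an added example, not the commenter's code and not an implementation of PGP, using Go's standard crypto/ed25519: the root keypair stands in for the two QR codes on the card, Delegate mints an endorsed child key for a named purpose, and Verify accepts a signature only if every link back to the root checks out. Generating keys in memory instead of printing them, the purpose labels and the "link:" message prefix are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Link is one step in a delegation chain: a child public key endorsed by the
// parent key's signature over the child key and its stated purpose.
type Link struct {
	Child   ed25519.PublicKey
	Purpose string // e.g. "state-id" or "bank:example" (labels are assumptions)
	Sig     []byte // parent's signature over linkMessage(Child, Purpose)
}

// linkMessage binds the purpose to the key so an endorsement issued for one
// purpose cannot be replayed as an endorsement for another.
func linkMessage(child ed25519.PublicKey, purpose string) []byte {
	return append([]byte("link:"+purpose+":"), child...)
}

// Identity is a keypair plus the chain of links from the root (card) key to it.
type Identity struct {
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Chain []Link
}

// NewRoot generates the root keypair, standing in for the card's printed keys.
func NewRoot() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{pub: pub, priv: priv}, nil
}

// Public returns the key that can be handed out freely.
func (id *Identity) Public() ed25519.PublicKey { return id.pub }

// Delegate mints a fresh keypair endorsed by this identity for one purpose.
// The child's chain is the parent's chain plus the new link, so the root's
// private key is not needed again once the child exists.
func (id *Identity) Delegate(purpose string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	link := Link{Child: pub, Purpose: purpose, Sig: ed25519.Sign(id.priv, linkMessage(pub, purpose))}
	chain := append(append([]Link{}, id.Chain...), link)
	return &Identity{pub: pub, priv: priv, Chain: chain}, nil
}

// Sign produces a signature over an agreement with this identity's private key.
func (id *Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.priv, msg) }

// Verify accepts sig over msg only if every link from root down to the signing
// key carries a valid endorsement by the key above it. A relying party needs
// only the root public key and the chain; no private key ever leaves its holder.
func Verify(root ed25519.PublicKey, chain []Link, msg, sig []byte) bool {
	if len(root) != ed25519.PublicKeySize {
		return false
	}
	cur := root
	for _, l := range chain {
		if len(l.Child) != ed25519.PublicKeySize || !ed25519.Verify(cur, linkMessage(l.Child, l.Purpose), l.Sig) {
			return false
		}
		cur = l.Child
	}
	return ed25519.Verify(cur, msg, sig)
}

func main() {
	card, _ := NewRoot()
	stateID, _ := card.Delegate("state-id")
	bank, _ := stateID.Delegate("bank:example")
	agreement := []byte("open account 1234 under terms v1") // constructed message
	sig := bank.Sign(agreement)
	fmt.Println("bank key, valid chain:", Verify(card.Public(), bank.Chain, agreement, sig))
	fmt.Println("tampered agreement:", Verify(card.Public(), bank.Chain, []byte("open account 9999 under terms v1"), sig))
	reissued, _ := NewRoot() // card lost and reissued: the old chain no longer verifies
	fmt.Println("old chain under reissued card:", Verify(reissued.Public(), bank.Chain, agreement, sig))
}
```

Two things the code makes visible that the proposal leaves implicit: the relying party never sees the root private key, only the root public key and the chain, which is what lets the card stay in a drawer; and reissuing the card is equivalent to changing the root, which silently invalidates every chain hanging off the old one, so a registry of current root keys is still needed somewhere, which is the infrastructure concern dontbenebby raises just below.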

------
krak12
Business as usual with Chinese, hope you consider it a proper act of aggression

~~~
president
*Chinese government

------
apotatopot
and then everyone gives away daily info in tik tok like its no big deal, but
the chinese govt has everything they need now lol.

------
papreclip
Amazed to see the US attribute anything to China instead of the usual
transparent lie that North Korea was responsible

------
KaoruAoiShiho
If true this is a giant failure of Chinese intelligence. It just shows how far
ahead the US is that they're able to charge specific people. The PLA needs to
upgrade its capabilities if they don't want to stay an embarrassment.

~~~
FDSGSG
We wouldn't know if China, Russia or whoever could identify specific US
operators, only the US plays silly indictment games like this.

~~~
president
Why is indicting foreign nationals for hacking American citizens' data
"silly"?

~~~
siv-
It doesn't achieve much, it increases the risk of revealing methods and
sources. It also puts US cyber security personnel at greater risk, some of
whom have spoken out against the practice.

