U.S. Indicts Four Chinese Military Members Over 2017 Equifax Hack

U.S. Attorney General and Trump loyalist William Barr at a press conference on February 10, 2020
Screenshot: YouTube

The U.S. Department of Justice has announced that four members of the Chinese military have been indicted for the 2017 hack of Equifax that compromised the data of at least 145 million people. The theft of social security numbers, addresses, and driver’s license information has been characterized as the largest consumer data hack in U.S. history.


The hackers allegedly exploited an unnamed vulnerability in a web portal used by Equifax for disputes to gain login credentials, according to a DOJ press release. The four defendants are all members of the People’s Liberation Army (PLA), identified as Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, by the indictment posted online.

The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. They’re also charged with two counts of unauthorized computer access and one count of economic espionage, as well as three counts of wire fraud.

The four defendants spent weeks running queries to figure out Equifax’s database structure and identify sensitive information, according to the DOJ.

“Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States,” according to the DOJ.

The hackers allegedly routed their traffic to “nearly 20 countries” to hide their location, according to the DOJ, and used encrypted communication channels in an effort to blend in with normal activity on Equifax’s network. The hackers also allegedly wiped log files on a daily basis to cover their tracks.

The indictments, announced by U.S. Attorney General William Barr in a press conference streamed online, are the first time that the U.S. government has formally accused China of being behind the Equifax hack.


“This was a deliberate and sweeping intrusion into the private information of the American people,” Barr said in a statement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

At the press conference, Barr said that while the U.S. does its own intelligence collection around the world, it only does “legitimate” spying.


“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” Barr continued.

Three of the four alleged hackers in photos released by the U.S. Department of Justice
Image: U.S. DOJ

Barr fled the press conference after a journalist asked about President Donald Trump’s attorney Rudy Giuliani and his meddling in Ukraine to dig up dirt on Democratic presidential hopeful Joe Biden. Other DOJ officials were left to pick up the slack and finish the press conference.

This is only the second time in history that the U.S. has indicted Chinese military hackers. The Obama administration indicted five members of the PLA in 2014, including hackers “UglyGorilla” and “KandyGoo,” for hacking into companies like Westinghouse Electric and the United States Steel Corporation to allegedly steal trade secrets.


The U.S. and China do not have an extradition treaty, which means that it’s unlikely any of the four defendants indicted today will be arrested by American authorities.

Matt Novak is the editor of Gizmodo's Paleofuture blog


It’s good that this is happening, and I think it’s a useful exercise even if they’ll never see the inside of a US Courtroom.

But it is worth remembering that Equifax’s gross incompetence (including using “admin” as a password, and failing to keep their shit patched) was what made this hack possible, and they concealed it from the public for months, and one of their executives sold his stock before it was disclosed publicly, and none of those assholes has seen the inside of a US courtroom either.

Gathering this much PII without the (opt-in) consent of the people involved should be illegal, and it should impute a fiduciary responsibility on the company to safeguard that data, with mandatory disclosure and ruinous fines (based on a percentage of the company’s overall revenue) attached to any data breaches.

And none of that shit has happened either.

So while I’m glad we’ve identified the hackers and made it harder for them to operate covertly anymore, we definitely need to get our own house in order.