The US Department of Justice has charged four members of the Chinese military over the massive 2017 cyber-attack on credit reporting agency Equifax.
A federal grand jury in Atlanta returned a nine-count indictment last week against Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei - all members of the Chinese People's Liberation Army's 54th Research Institute.
They allegedly conspired with each other to hack into Equifax’s computer networks in 2017 and steal sensitive, personally identifiable information of approximately 145 million American victims.
According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.
The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information, eventually obtaining names, birth dates and social security numbers for nearly half of all American citizens.
The four are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. In addition they are charged with two counts of unauthorised access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
Attorney General William Barr says: “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."