The Justice Department announced charges Monday against four members of China’s military on suspicion of hacking into Equifax, one of the nation’s largest credit reporting agencies, and stealing trade secrets and the personal data of about 145 million Americans in 2017.
“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William Barr said.
The charges underscored China’s quest to obtain the personal data of Americans and its willingness to flout a 2015 agreement with the United States to refrain from hacking and cyberattacks, all in an effort to expand economic power and influence.
The indictment suggests the hack was part of a series of major of big data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target American intelligence officers and other officials, Barr said at a news conference announcing the charges.
The information stolen from Atlanta-based Equifax could reveal whether any American officials are under financial stress and thus susceptible to bribery or blackmail.
Though not as large as other major breaches, the attack on Equifax was far more severe. Hackers stole names, birth dates and Social Security numbers of nearly half of all Americans — data that can be used to access information like medical histories and bank accounts.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Barr said in announcing the charges at the Justice Department, citing China’s theft of records in recent years from the government’s Office of Personnel Management, Marriott International and insurance company Anthem.
The biggest of those breaches was the theft in 2015 of roughly 22 million security clearance files from the government personnel office, which keeps track of federal employees and contractors.
It quickly became clear that that data was of significant value to the Chinese government: American officials with security clearances, including some of the most senior members of the government, had to reveal foreign contacts, relationships including extramarital affairs, their health history and information about their children and other family members.
The breach was so severe that the CIA had to cancel assignments for undercover officers planning to go to China; even though the CIA did not submit its employees’ information to the personnel office, those officials were often undercover as State Department or other American officials.
Then it got worse. Hacks into Anthem’s database and Starwood hotels — later taken over by Marriott — appeared to be orchestrated by the same or related Chinese groups. The United States assessed that China was building a vast database of who worked with whom in national security jobs, where they traveled and what their health histories were, according to American officials.
Over time, China can use the data sets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be vulnerable for future grooming and recruitment, John Demers, head of the Justice Department’s National Security Division, said in an interview.
The charges marked only the second time that the Justice Department has indicted Chinese military officers on suspicions of hacking. In 2014, five Chinese military officers were indicted in data thefts from companies including U.S. Steel, a labor union and critical infrastructure.
The Justice Department rarely secures indictments against members of foreign militaries or intelligence services, in part to avoid retaliation against American troops and spies, but Barr said it has made exceptions for state-sponsored actors who hacked into U.S. networks to steal intellectual property or interfere in U.S. elections.
In 2015, President Barack Obama and President Xi Jinping of China agreed to rein in economically motivated cyberattacks, to cooperate with requests to investigate cybercrimes and to avoid targeting critical infrastructure in each other’s countries.
While the Justice Department does not believe that economic espionage was the primary goal of the Equifax hacking, Demers said that the attack could be seen as a violation of the spirit of that deal.
“China sees economic interests and intelligence interests as one and the same,” Demers said. “Commercial benefits are national security benefits in China.”
The indictment shows that beyond signing treaties and adopting certain conventions, the United States must also be willing to publicly identify and indict state actors in criminal cases, said Megan Brown, leader of the cyber and privacy practice at law firm Wiley Rein.
“This is how we will drive international norms — by indicting people, not solely by negotiating treaties and adopting conventions,” Brown said.
The nine-count indictment accused the Chinese military of hacking into the company’s computer networks, maintaining unauthorized access to them and stealing sensitive, personally identifiable information about Americans.
Months before the attack, the government warned Equifax that its network contained a vulnerability, but the company did not patch it, according to government documents. The hacking was “entirely preventable,” a congressional study concluded in 2018.
The defendants — Wu Zhiyong, Wang Qian, Xu Ke and Lui Le, all members of the People’s Liberation Army — exploited that weakness in May 2017 to break into the network and conduct weeks of surveillance and steal Equifax employee login credentials before filching the trade secrets and data. They masked their activity by using encrypted communications and routing their internet traffic through 34 servers in nearly 20 countries, including Switzerland and Singapore, according to prosecutors.
For the most part, they managed to erase their tracks inside of the Equifax network. But investigators eventually traced their activity back to two China-based servers that connected directly to Equifax.
Investigators identified the four indicted officers by reviewing forensic data, analyzing the malware used in the attack and establishing a digital footprint that linked them to the intrusion, David Bowdich, deputy director of the FBI, said at the news conference.
In the months after Equifax was hacked, security researchers concluded that criminals, not state actors, had siphoned information over a few months after gaining access to the network. That alone was enough to force the resignation of the company’s chief executive.
But that explanation appeared increasingly suspect over time because the Equifax data — like the information gleaned from the Office of Personnel Management — did not appear broadly for sale on the dark web, where illicitly obtained information is often sold for use in cybercrime.
Law enforcement officials have not yet found evidence that the Chinese government has used the data from the Equifax hacking, Bowdich said.
The company Monday reiterated the difficulty of warding off state-sponsored attacks. Companies often fall back on that explanation, and Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, pushed back after the indictment was made public.
“A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care — and face any consequences that arise from that failure,” he said in a statement.
The hackers’ encryption of their own operations inside Equifax’s networks is a common technique and raised new questions, cyber experts noted, about why such sensitive data in U.S. databases is not legally required to be encrypted. Many companies have resisted such regulation, in part because encrypted data can be harder for them to search too.
China has “pioneered an expansive approach to stealing innovation,” Christopher A. Wray, director of the FBI, said last week at a conference on the threats posed by China.
Wray said that China is racing to obtain information about sectors as diverse as agriculture and medicine to advance its economy, using a mix of legal means like company acquisitions and illicit acts like spying and cyberattacks.
“They’ve shown that they’re willing to steal their way up the economic ladder at our expense,” Wray said.
While the thefts present a national security risk, Americans have “almost become as a country immune to these breaches,” Bowdich said.
“You hear about it in the news and you think, ‘Well there goes my credit card number, my Social Security number, my bank account information,’ and you sign up for another year of free credit card monitoring information,” he said. “We cannot think like that in this country.”
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.