Equifax sources say that the massive breach of 140,000,000 Americans' personal information was the result of state-sponsored hackers, likely from China, but attribution is hard and inexact.
One thing we can attribute the breach to, though, is bungling. Equifax and Mandiant — its independent security contractor — got into "a squabble" just as the hackers were breaking into Equifax's systems, and by the time everything had been smoothed over, the attackers had installed 30 web-shells in Equifax's systems, any one of which would allow attackers to have free run of Equifax's data.
In the years preceding the breach, then-Equifax CEO Richard Smith (who quit last week, pocketing $90,000,000 on his way out the door) went on an acquisition spree in a bid to rapidly grow the company's bottom line. He purchased "two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees," and quadrupled the company's share price.
At the same time, the company's ability to manage the unimaginable mountains of compromising personally identifying information it had coerced, for free, from the American public was in crisis. Employees routinely mishandled sensitive information, and the security team at Equifax was sidelined as the company struggled with the IT challenges of integrating dozens of data-mining acquisitions who demanded unfettered access to the company's databases.
Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used. The company's suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network's internal communications and data traffic. Using Moloch, investigators reconstructed every step.
Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn't matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company's network. The Moloch data suggests the initial group of hackers struggled to jump through internal roadblocks like firewalls and security policies, but that changed once the advanced team took over. Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company's own storage systems.
Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.
The Equifax Hack Has the Hallmarks of State-Sponsored Pros
[Michael Riley, Jordan Robertson and Anita Sharpe/Bloomberg]