Equifax breach shows signs of a possible state-sponsored hack

Published 2017-09-30 at https://blackopspartners.com/equifax-breach-shows-signs-possible-state-sponsored-hack/

In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.


Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.


The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.


The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.


Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions. One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified. Mandiant, the security consulting firm hired by Equifax to investigate the breach, said in a report distributed to Equifax clients on Sept. 19 that it didn’t have enough data to identify either the attackers or their country of origin.

Wherever the digital trail ultimately leads, one thing is clear: The scant details about the breach so far released by Equifax—besides angering millions of Americans—omit some of the most important elements of the intrusion and what the company has since learned about the hackers’ tactics and motives. Bloomberg has reconstructed the chain of events through interviews with more than a dozen people familiar with twin probes being conducted by Equifax and U.S. law enforcement.

In one of the most telling revelations, Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company’s network. That rift, which appears to have squelched a broader look at weaknesses in the company’s security posture, looks to have given the intruders room to operate freely within the company’s network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax’s software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company’s grasp through the summer. In an e-mailed statement, an Equifax spokesperson said: “We have had a professional, highly valuable relationship with Mandiant. We have no comment on the Mandiant investigation at this time.”

The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”

The nature of the attack makes it harder to pin on particular perpetrators than either the Anthem or OPM hacks, said four people briefed on the probe. The attackers avoided using tools that investigators can use to fingerprint known groups. One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.

The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers—either criminals or spies—hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe. The crisis has already claimed the scalp of Richard Smith, the chief executive officer. Meanwhile, the federal government has launched several probes, and the company has been hit with a flurry of lawsuits. “I think Equifax is going to pay or settle for an amount that has a ‘b’ in it,” says Erik Gordon, a University of Michigan business professor.


When Smith became Equifax CEO in 2005, the former General Electric Co. executive was underwhelmed by what he found. In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a “culture of tenure” and “average talent.” However, Smith also saw enormous potential because Equifax inhabited a uniquely lucrative niche in the modern global economy.

In the speech, Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.

And one that he fully exploited. Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good—the company’s stock price quadrupled under Smith’s watch, before the breach was announced—and its leaders lived well. Equifax executives were prone to bragging about their mansions and expensive gadgets. They took lavish trips to Miami, where they stayed in luxury hotels costing as much as $1,000 a night. Last year, Smith’s compensation was almost $15 million.

But the man who transformed Equifax was plagued each and every day by the fear that hackers would penetrate the company’s firewall and make off with the personal data of millions of people. By the time he gave the speech on Aug. 17, Smith knew of the hack but the public didn’t. He told the audience the risk of a breach was “my No. 1 worry” and lingered on the threats posed by spies and state-sponsored hackers.


Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security. The new team rehearsed breach scenarios, which involved 24-hour crisis-management squads taking turns to address each given issue until it was resolved. Protocol included alerting the chief of security, who determined the severity of the breach, and then telling the executive leadership if a threat was considered serious.

Apparently, gaps remained. After the breach became public in September, Steve VanWieren, a vice president of data quality who left Equifax in January 2012 after almost 15 years, wrote in a post on LinkedIn that “it bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumer’s personally identifiable information.”

Spinelli left in 2013, followed less than a year later by his top deputy, Nick Nedostup. Many rank and file followed them out the door, and key positions were filled by people who were not well-known in the clubby cybersecurity industry. The company hired Susan Mauldin, a former security chief at First Data Corp., to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes.

Two people who worked with Mauldin at Equifax say she seemed to be putting the right programs in place, or trying to. “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.” Mauldin couldn’t be reached for comment.