Transcript: William Barr & DOJ Charge Chinese Military Members in Equifax Breach

Attorney General Barr: (00:24)
I’m here to announce the indictment of Chinese military hackers, specifically four members of the Chinese People’s Liberation Army for breaking into the computer systems of the credit reporting agency, Equifax, and for stealing the sensitive personal information of nearly half of all American citizens, and also Equifax’s hard earned intellectual property. This was one of the largest data breaches in history. It came to light in the summer of 2017 when Equifax announced the theft. The scale of the theft was staggering. As alleged in the indictment, the hackers obtained the names, birth dates, and social security numbers of nearly 150 million Americans and the driver’s licenses of approximately, of at least 10 million Americans. This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans and imposed substantial costs and burdens on them as they had to take measures to protect themselves from identity theft.

As described in the indictment, the hackers broke into Equifax’s network through a vulnerability in the company’s dispute resolution system. Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software and stealing login credentials, all to set up the stage to steal vast amounts of data from Equifax’s systems. While doing this, the hackers also stole Equifax’s trade secrets embodied by the compiled data and complex database designs used to store personal information. Those trade secrets were the product of decades of investment and hard work by the company.

Today’s announcement comes after two years of investigation. According to the nine count indictment handed down by the grand jury in Atlanta four members of the Chinese People Liberation Army are alleged to have conspired to hack Equifax’s computer systems and commit economic espionage. This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data. For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott Hotels and Anthem Health insurance companies, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China’s development of artificial intelligence tools, as well as the creation of intelligence targeting packages.

In addition to the thefts of sensitive personal data, our cases reveal a pattern of state sponsored computer intrusions and thefts by China targeting trade secrets and confidential business information. Hacks by the group known as APT10, which worked in association with the Chinese Ministry of State Security, or MSS, to target managed service providers and their clients worldwide across industries, hacks by MSS intelligence officers who sought to steal intellectual property relating to turbofan engines by using both insiders and computer operations, and hacks by PLA officers who targeted victims in the nuclear power, metals and solar products industries for the economic benefit of Chinese companies.

Indeed about 80% of our economic espionage prosecutions have implicated the Chinese government, and about 60% of all trade secret theft cases in recent years involves some connection with China. We normally don’t bring criminal charges against members of another country’s military or intelligence services outside the United States. In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject of the domestic criminal law. There are exceptions however. For instance, we have brought charges against intelligence officers operating undercover in the United States, and more recently we have charged state sponsored actors for computer intrusions in the United States for the purpose of intellectual property theft for the use of their private sector, including bank robbery and interference with our democratic elections. Like those cases, the deliberate indiscriminate theft of the vast amounts of sensitive personal data of civilians as occurred here cannot be countenanced.

The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information. But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens. Today’s indictment would not have been possible without the hard work of a dedicated team of FBI agents and federal prosecutors in Atlanta and here in Washington DC. In addition, the department’s Office of International Affairs provided valuable assistance in working with other countries to secure evidence. And Equifax, Equifax’s cooperation throughout the investigation was critical to our development of this case. I’ll take a question before turning the floor over to others. Pierre.

Audience 1: (06:48)
Jim [inaudible 00:06:49]. Senator Graham says that Rudy Giuliani will be providing the department information on related to Ukraine and the Bidens. What is the process for receiving this information? Who will evaluate it? And is this something that you feel the need to recuse yourself from?

Well, as I’ve previously said, the DOJ has the obligation to have an open door to anybody who wishes to provide us information that they think is relevant. But as I did say to Senator Graham, and we have to be very careful in, with respect to any information coming from the Ukraine. There are a lot of agendas in the Ukraine. There are a lot of cross currents, and we can’t take anything we receive from the Ukraine at face value. And for that reason we had established an intake process in the field so that any information coming in about Ukraine could be carefully scrutinized by the department and its intelligence community partners so that we could assess its provenance and its credibility. And that is true for all information that comes to the department relating to the Ukraine, including anything Mr. Giuliani might provide.

Audience 1: (08:18)
Thank you.

Now let me introduce BJay Pak, the US Attorney for Atlanta who will take it from here. BJay.

BJ Pak: (08:34)
Thank you, Attorney General Barr. I would like to commend the federal agents of the FBI and also the prosecutors in the Department of Justice for their great work in this matter. And I want to emphasize the valuable cooperation that Equifax has provided. They’re the one that reported the intrusion to the law enforcement. And we took it from there. And they’ve been very, very helpful from throughout. I’d be happy to take any questions you may have.

Audience 2: (09:00)
Can you categorize the scale of this theft in terms of prosecutions the justice department has brought related to China? Is this the largest theft DOJ’s pending… this alleging that Chinese military hackers have committed?

BJ Pak: (09:18)
Well, I’ll refer back to the Attorney General’s statement that is one of the largest in terms of number of civilians’ information that’s been hacked. And the overall picture, I will defer to Assistant Attorney General Demers who will have a better picture about that.

Asst. Attorney General Demers: (09:33)
Sure. I can answer that. I guess it depends how you count, but in terms of the number of people’s information who was stolen, it may very well be the biggest that we have. IT’s certainly, as the agency said, one of the biggest. Obviously there’s a lot of different ways to count that data.

Audience 2: (09:48)
Question for…

Audience 3: (09:49)
And one more thing. I’m sorry to interrupt. [inaudible 00:09:52] I believe that you’re… Yeah.

Asst. Attorney General Demers: (09:54)
And then we can do questions after this. Yeah.

Audience 3: (09:56)
The Deputy Director has prepared [inaudible 00:09:59].

Deputy Director : (10:00)
All right, no problem.

Audience 3: (10:02)
Thank you.

Thank you. At the FBI, we’ve been saying for years that China will do anything it can to replace the United States as the world’s leading superpower. China is targeting our technology and our trade secrets, and it has been for some time. We know that. But as the Attorney General noted previously, this indictment is about more than targeting just an American business. It’s about the brazen theft of sensitive personal information of nearly 150 million Americans. This is the largest theft of sensitive PII by state sponsored hackers ever recorded.

This indictment is also a reminder that with their attacks on our economy, our cyber infrastructure and our citizens, China is one of the most significant threats to our national security today. I’m proud of our field office in Atlanta. And you see their special agent in charge up here, Chris Hacker, as well as the US Attorney BJay Pak from Atlanta. I’m proud of both our office and the US Attorney’s offices in Atlanta. These cases are tedious. They are technical. And they are difficult. And they take time. And the combination of those US attorneys as well as the FBI agents that participated is a valiant effort to get through a case of this impact.

SAC, Chris Hacker up here would be the first remind you that cases like this depend on the strength of our many partnerships. As I mentioned, Atlanta was supported certainly by our folks here in our cyber division and FBI headquarters by the US Attorney’s office in the Northern district of Georgia as previously mentioned, by the Department of Justice here, and by many other law enforcement and intelligence community partners here at home and in nearly 20 countries throughout the world. We’re thankful for this invaluable assistance they provided along the way. We also want to thank Equifax for their close collaboration with us throughout this process. I cannot overstate the importance of the victim company working closely with us after an intrusion like this.

This investigation started with minimal evidence, no more than 40 IP addresses for servers located throughout the world and a handful of malicious computer programs. The hackers tried to hide the origin and the location of the internet traffic by using servers around the world to infiltrate Equifax’s network, but their attempts to cover their tracks failed. We reviewed a ton of forensic data including network logs and forensic computer images, and we analyzed malware. And we obtained legal process to establish a digital footprint linking the hackers to the intrusion. That’s how we were able to trace this unprecedented hack back to the individuals who are named in today’s indictment. This is a testament to the hard work and determination of everyone involved in this investigation.

And we’ve seen so many breaches since 2017. You’ve seen many of them. And we’ve almost become, as a country, immune to these breaches. You get the notice in the mail or you hear about it in the news. You think, well, there goes my credit card number, my social security number, my bank account information, and you sign up for another year of free credit card monitoring information. We cannot think like that in this country. American businesses cannot be complacent about protecting their data and their intellectual property from our adversaries. And as American citizens, we cannot be complacent about protecting our sensitive personal data. We in law enforcement will not let hackers off the hook just because they’re halfway around the world. We’ve got to do everything we can to keep people safe, secure, and confident online.

That’s why we’re here today, years after this investigation began in 2017, calling out the Chinese government for its illegal activity. This is only the second time in our history that we’ve indicted Chinese military hackers. Some might wonder what good it does when these hackers are seemingly beyond our reach. We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today anyway. But one day these criminals will slip up, and when they do, we’ll be there. And we’ll keep putting pressure on these bad actors, making sure they understand the risks and the consequences of their actions. We’ll use out unique authorities, our experiences and our capabilities with the help of our partners both at home and abroad to fight this threat each and every day. And we continue to do so.

I want to make one very important point. Our concern is not with the Chinese people or with the Chinese American. It is with the Chinese government and the Chinese communist party. Confronting this threat effectively does not mean we should not do business with China, host Chinese business or Chinese students, welcome Chinese visitors or coexist with China as a country on the world stage. What it does mean is that when China violates our criminal laws and international norms, we will not tolerate it, and we will hold them accountable for it. We will protect our nation’s innovation and its ideas. And we will protect our citizens’ personal information. Thank you. Yes.

Audience 4: (15:52)
Quick question. Beyond the serious implications in terms of privacy concerns of millions of Americans, can you speak a little bit more about the national security implications of targeting potential, the DAG mentioned intelligence targeting by the Chinese, perhaps of government officials and other sensitive Americans.

Sure. I’m not going to get too deep into that, but I will say, look, if you can get PII of people, personally identifiable information, you can do a lot with that. That can be monetized. It can be used in many, many ways. It can be used for targeting packages for US government officials. That is certainly a possibility. We have not yet seen that in this case, to our knowledge. That doesn’t mean it will not happen in the future. And certainly, I think one thing that China recognizes very well is a healthy economy is tantamount to a healthy national security.

Audience 4: (16:47)
You said that some Americans are immune to this process. Our credit cards are stolen. They get a notice in the mail. What about the people that are panicking, that will panic when they hear this information? What should the average American do that’s thinking, oh my goodness, these guys could be up to more. They could be in China somewhere. God knows where they are right now. What’s your message to them?

My message to them is certainly they should know already because this was announced publicly, not the attribution, but the actual intrusion was announced publicly previously. That said, they should be in contact with their credit monitoring services. There are a number of things they can do. First of all, prevention of further attacks, I.e. spear phishing attacks. Do not open links. Do not open emails from untrusted servers. Two factor authentication as far as making sure that their data and their information is a hard target, and checking their credit scores on a fairly regular basis is a helpful step as well. I think they should go about their daily lives. They should not panic. But they should make sure that their data and their information is secure. Yes.

Audience 5: (18:01)
[inaudible 00:18:01] Is there evidence that this stolen information is already being used?

There is not at this time.

Audience 5: (18:10)
The question then is how is this different from the type of collection that the United States does all over the world, the type of collection that we do here in this country? And I guess follow up for you to the question we asked the Attorney General before he fled was, can you tell us what the FBI is doing with this Giuliani information? And how is it different from the way the FBI handled the Steele dossier and the information that came back?

Let me take that in two parts. In the second part, I want to be fair to the Attorney General. I don’t like the word fled for any Attorney General. First off, as far as what is… The magnitude of this attack is so important. You have roughly 320 million Americans. 145 million Americans lost sensitive PII. That does not sound like a targeted intelligence activity to me. That sounds like very broad collection. Secondly, I will stand on the Attorney General’s previous answer. Based on the information, look, we’re taking information as we would in any case. We will evaluate it appropriately.

Audience 6: (19:17)
You mentioned that American companies have to be vigilant, but in the case of Equifax, there was an alert that went out in March of ’17. It said you have a flaw in your software. And they did not update their software, and that flaw was used to take this data, so if Equifax had done the update that they were advised to do, would any of this data have been stolen?

I don’t know the answer, and I’ll leave that to the civil remedies that have been applied already. Last question.

Audience 7: (19:45)
Yeah, just a followup on Evan’s question there. Is the FBI investigating Joe or Hunter Biden at this point?

I’m not going to touch it. I’m not going to talk about any investigation as I never would. We do not talk about open investigations.

Audience 4: (19:58)
Thank you very much.

Transcript: William Barr & DOJ Charge Chinese Military Members in Equifax Breach

Other Related Transcripts

Stay updated.