New court filings have revealed the Equifax hackers used a known but unpatched software vulnerability to infiltrate the company’s systems.
The US Justice Department has accused four Chinese military officers of conducting the attack, which saw the personal data of over 147 million Equifax customers stolen in 2017.
The credit reporting agency’s system remained compromised for a period of two months, during which the names and social security numbers of almost half the US were stolen.
The allegedly state-sponsored attackers evaded detection by passing their internet traffic through servers in nearly 20 countries, extracting data in compressed files and wiping computer logs.
Unlike other incidents of this kind, the Equifax hackers didn’t leave as much as a fingerprint in the system. This allowed them to evade detection for an extended period and made identifying the culprits extremely difficult for investigators.
Rather than re-routing to infected domains to spread malware, the hackers directly connected malicious code to a server, allowing them to scrape data from the network remotely.
The group also used a series of perfectly kosher administration tools, including encrypted communication channels, which allowed them to pose as normal network participants. They also swept up data that might expose them on a daily basis.
The FBI eventually unpicked the complex web of re-directs and cloaking techniques to identify the four individuals responsible, though the Chinese government denies involvement.
Timo Steffens, formerly of the Justice Department, described the hackers’ methods as “the modern version of changing your identity and growing a beard and colouring your hair.”
“There were times when we thought we had a lead outside China, hemispheres away, and it required chasing all that down,” he added.
Equifax reached an agreement with US regulators in July, which will see it pay out up to $700 million (and at least $575 million). This remains the largest penalty ever issued for a data breach.