Report: Equifax attacks came from China; cybersecurity had rated a '0 out of 10' before 2017 hack

Click to download report (PDF)

Initial attacks that led to the massive theft of data Equifax data came from computers in China, a Congressional investigation has found. A 96-page report issued Monday by the House Oversight Committee also lists a litany of dramatic errors inside the firm that led to the hack -- many previously undisclosed.

An audit of Equifax's security in 2016, a year before the hack, rated it zero on a scale of zero to 10. The firm allowed roughly 300 software certificates to expire, including 79 required for monitoring business-critical domains, which prevented security software from catching the hack. Most critically, traffic analysis software, which would have spotted exfiltration of 148 million consumers' personal information, was non-functional for two years because its certificate had expired in 2015, the report found. This is just one of the major errors you can make in the fight against cyber crime, take a look at Upskilled.edu.au to find out what else to avoid at all costs.

Equifax's procedure for installing security patches on servers had been roundly criticized internally, and the firm didn't operate an effective inventory of systems. The server initially attacked by hackers was a legacy Sun Solaris server, and few employees knew how the system worked. Criminals jumped from the initial server and were ultimately able to access 50 different databases because the hackers discovered an unencrupted list of user names and padsswors for those databases.

Finally, the firm unfairly blamed a single employee for failing to patch a server in Congressional testimony, firing him the night before former CEO Richard Smith appeared before Congress.

The Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to Mandiant, the forensic firm hired to conduct an investigation of the breach.

Equifax told Bloomberg the report, compiled by committee Republicans, had several inaccuracies but did not detail them.

"While we believe that factual errors serve to undermine the content of the report, that may or may not have been influenced by the use of privileged access management, we are generally supportive of many of the recommendations the committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas,” Equifax said in its statement.

Here are selected highlights from the report.

Equifax was unprepared for these risks. An August 2016 report by the financial index provider MSCI Inc. assigned Equifax’s data security efforts a rating of zero out of ten.

An internal security audit in 2015 found a series of structural security flaws. "Equifax did not remediate many of the issues identified in the 2015 audit prior to the 2017 breach. For example, the company had not implemented automated patching tools."

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals.

Equifax knew the Apache Struts vulnerability that was ultimately used to gain access to its systems was easy to exploit and critical to patch. Yet its plan for patching systems boiled down to mass emails. Inside the IT department, it was not clear who owned which servers -- something the report calls an "execution gap." Partly to blame: A apparent turf battle years earlier meant cybersecurity responsibilities fell under Equifax's legal team, rather than the Chief Information Officer, which is standard.

"A list of Equifax database owners did not exist. Therefore, Mandiant had to identify and verify database ownership before it was able to begin its analysis," the report said.

Equifax’s failure to patch a known critical vulnerability left its systems at risk for 145 days. Meanwhile, subsequent analysis showed that the system -- built on legacy Sun Solaris servers, was vulnerable to a host of other exploits, such as SQL injection attacks.

Use of the legacy system was a problem, because only a small number of employees knew how they really worked.

"One concern for Equifax’s continued use of legacy technologies and applications was the dwindling number of employees with knowledge of how to operate and maintain the aging system. According to (an employee), the company was “lucky that we still had the original developers of the system on staff.”

An automated check to scan for known vulnerabilities also failed because of the folder in which the software had been installed. "Equifax Security performed an open source component scan to identify any systems with a vulnerable version of Apache Struts. The scan did not identify any components utilizing an affected version of Apache Struts. Interim CSO Russ Ayres stated the scan missed identifying the vulnerability because the scan was run on the root directory, not the subdirectory where the Apache Struts was listed."

"Approximately 30 unique web shells were used to perform the attack," the report said. "According to Mandiant, file integrity monitoring could have discovered the creation of these web shells by detecting and alerting to potentially unauthorized network changes. Equifax did not have file integrity monitoring enabled on the ACIS system at the time of the attack."

"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic."

"After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China."

"On July 30, Equifax identified several … vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider."

"When the attack was finally discovered, the Equifax Countermeasures team detected a suspicious request from an IP address originating in China. The team analyzed the full suspicious packet and other recent requests. The server response for most of these recent requests contained more than 10 megabytes of data, and possibly contained image files related to credit investigations." NOTE: Of course, the attacking IP addresses being based in China is hardly conclusive proof that someone actually in China, let alone the Chinese government, was involved in this attack. But it is an intriguing detail.

tThrown under the bus

On October 2, 2017, Equifax terminated Graeme Payne, the Senior Vice President and CIO for Global Corporate Platforms tasked with managing the ACIS environment. Payne was a highly-rated Equifax employee for seven years prior to the data breach. Payne told the Committee he was called into a meeting with two human resources employees who advised him he was being terminated as a result of the incident investigation. When he pressed for more information about the investigation, human resources declined to provide any documentation for the investigation, but told Payne he failed to forward an email. On October 3, the day after Payne was terminated, former Equifax CEO Richard Smith testified before Congress and repeatedly mentioned an individual who had failed to act on a security warning. In his testimony before the House Energy and Commerce Committee, Smith made the following statements: “The human error was the individual who is responsible for communicating in the organization to apply the patch did not."