
Three Individuals Charged for Alleged Roles in Twitter Hack


The U.S. Attorney’s Office for the Northern District of California announced on Friday that three individuals were charged the same day for their alleged roles in the Twitter hack that occurred on July 15, 2020.

Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.

The third defendant is a juvenile.  With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile.  Pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the State Attorney for the 13th Judicial District in Tampa, Florida.

Twitter Hack Charging Announcement – Northern District of California, U.S. Attorney’s Office

“The hackers allegedly compromised over 100 social media accounts and scammed both the account users and others who sent money based on their fraudulent solicitations,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.  “The rapid investigation of this conduct is a testament to the expertise of our investigators, our commitment to responding quickly to cyber-attacks, and the close relationships we have built with law enforcement partners throughout the world.”

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney David L. Anderson for the Northern District of California.  “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.  Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it.  In particular, I want to say to would-be offenders, break the law, and we will find you.”

“Upon opening an investigation into this attack, our investigators worked quickly to determine who was responsible and to locate those individuals,” said San Francisco FBI Special Agent in Charge John F. Bennett. “While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks. Regardless of how long it takes us to identify hackers, we will follow the evidence to where it leads us and ultimately hold those responsible for cyber intrusions accountable for their actions. Cyber criminals will not find sanctuary behind their keyboards.”

“Weeks ago, one of the world’s most prolific social media platforms came under attack.  Various political leaders, celebrities, and influencers were virtually held hostage as their accounts were hacked,” said Kelly R. Jackson, IRS-Criminal Investigation (IRS-CI) Special Agent in Charge of the Washington D.C. Field Office.  “The public was confused, and everyone wanted answers.  We can now start answering those questions thanks to the work of IRS-CI cyber-crime experts and our law enforcement partners. Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers. This case serves as a great example of how following the money, international collaboration, and public-private partnerships can work to successfully take down a perceived anonymous criminal enterprise. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, IRS-CI will continue to follow the money and unravel complex financial transactions.”

“Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office. “The Secret Service remains committed to pursuing those responsible for cyber-enabled fraud and will continue to hold cyber criminals accountable for their actions.  This investigation is a testament to the strong partnerships between the Secret Service, the U.S. Attorney’s Office, the FBI, the IRS, as well as our state, local and international law enforcement partners.”

“Our identities and reputations are sacred. We will continue to aggressively defend and protect individuals, companies, and other entities from new-age cyber-fraud, especially those who scheme to hack, defraud and wreak havoc on U.S. citizens across the country,” said Caroline O’Brien Buster, Special Agent in Charge, U.S. Secret Service, Orlando Field Office. “The Secret Service believes that building trusted partnerships between the private sector and all levels of law enforcement is the proven model for success. I commend the exceptional work conducted by our law enforcement partners and the U.S. Attorney’s Office who worked diligently to hold these defendants accountable.”

As alleged in the complaints, the Twitter attack consisted of a combination of technical breaches and social engineering.  The result of the Twitter hack was the compromise of approximately 130 Twitter accounts pertaining to politicians, celebrities, and musicians.

The hackers are alleged to have created a scam bitcoin account, to have hacked into Twitter VIP accounts, to have sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then to have stolen the bitcoin that victims deposited into the scam account.  As alleged in the complaints, the scam bitcoin account received more than 400 transfers worth more than $100,000. 

This case is being investigated by the FBI’s San Francisco Division, with assistance from the IRS-Criminal Investigation Cyber Unit; the U.S. Secret Service, San Francisco and Headquarters; the Santa Clara County Sheriff’s Office and their REACT task force and the Florida Department of Law Enforcement.

The case is being prosecuted by Senior Counsel Adrienne Rose of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys William Frentzen and Andrew Dawson of the Northern District of California.

Additional assistance has been provided by the U.S. Attorney’s Office for the Middle District of Florida; the State Attorney for the 13th Judicial District in Tampa, Florida; the Criminal Division’s Office of International Affairs and Organized Crime and Gang Section; the United Kingdom’s Central Authority and National Crime Agency; Chainalysis and Excygent.

The contents of a criminal complaint are merely allegations.  All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


Justice.gov (July 2020) Three Individuals Charged for Alleged Roles in Twitter Hack

U.S. Army Soldier Charged with Terrorism Offenses for Planning Deadly Ambush on Service Members in His Unit


U.S. Army Private Ethan Melzer Sent Sensitive U.S. Military Information to Members of a Neo-Nazi Group in an Attempt to Facilitate a “Mass Casualty” Attack on Melzer’s Army Unit

The Department of Justice announced today the unsealing of an indictment charging Ethan Melzer, 22, of Louisville, Kentucky, for allegedly planning an attack on his U.S. Army unit by sending sensitive details about the unit – including information about its location, movements, and security – to members of an extremist organization named Order of the Nine Angles (O9A), an occult-based neo-Nazi and white supremacist group.   

Melzer is charged with conspiring and attempting to murder U.S. nationals, conspiring and attempting to murder military service members, providing and attempting to provide material support to terrorists and conspiring to murder and maim in a foreign country. 

The FBI and the U.S. Army thwarted Melzer’s plot in late-May 2020, and the FBI arrested Melzer on June 10, 2020.  The case is assigned to U.S. District Judge Gregory Woods.

“As the indictment lays out, Ethan Melzer plotted a deadly ambush on his fellow soldiers in the service of a diabolical cocktail of ideologies laced with hate and violence,” said Assistant Attorney General for National Security John C. Demers.  “Our women and men in uniform risk their lives for our country, but they should never face such peril at the hands of one of their own.  The National Security Division is proud to support the efforts of those who disrupted this planned attack and to seek justice for these acts.”

“As alleged, Ethan Melzer, a private in the U.S. Army, was the enemy within.  Melzer allegedly attempted to orchestrate a murderous ambush on his own unit by unlawfully revealing its location, strength, and armaments to a neo-Nazi, anarchist, white supremacist group,” said Acting U.S. Attorney Audrey Strauss for the Southern District of New York.  “Melzer allegedly provided this potentially deadly information intending that it be conveyed to jihadist terrorists.  As alleged, Melzer was motivated by racism and hatred as he attempted to carry out this ultimate act of betrayal.  Thanks to the efforts of the agents and detectives of the JTTF, our partners in the Departments of Defense and State, and the career prosecutors of this office, a hate-fueled terrorist attack against American soldiers has been thwarted.”

“As alleged, Ethan Melzer sought to facilitate a deadly mass attack on his fellow service members by disclosing sensitive information to multiple extremists, including al-Qa’ida.  The FBI’s top priority remains protecting Americans from terrorist attacks, at home and abroad, and this case highlights the outstanding work of the FBI’s Joint Terrorism Task Forces, along with our U.S. military partners, to identify and disrupt threats like this one against our men and women in uniform,” said Assistant Director Jill Sanborn of the FBI’s Counter-terrorism Division.

“Melzer declared himself to be a traitor against the United States, and described his own conduct as tantamount to treason.  We agree.  He turned his back on his country and his unit while aligning himself with members of the neo-Nazi group O9A,” said FBI Assistant Director-in-Charge of the New York Office William F. Sweeney Jr.  “Today, he is in custody and facing a lifetime of service – behind bars – which is appropriate given the severity of the conduct we allege today.”

“This case is another example of the international responsibilities of the Federal Bureau of Investigation’s New York Joint Terrorism Task Force,” said Dermot Shea, the Commissioner of the New York City Police Department.  “Its FBI agents and New York City police detectives will travel anywhere in the world to bring terrorists to justice, in this case a soldier who is alleged to have forsaken his oath to the United States military and his fellow soldiers.”

According to the criminal complaint and the indictment charging Melzer, which were unsealed today in Manhattan federal court:

Melzer joined the U.S. Army in approximately 2018, and he joined O9A by approximately 2019.  Members and associates of O9A have espoused violent, neo-Nazi, anti-Semitic, and Satanic beliefs, and have expressed admiration for both Nazis, such as Adolf Hitler, and Islamic jihadists, such as Osama Bin Laden, the now-deceased former leader of al Qaeda.  Members and associates of O9A have also participated in acts of violence, including murders.

In approximately October 2019, Melzer deployed abroad with the Army.  Prior to planning the attack, Melzer consumed propaganda from multiple extremist groups, including O9A and the Islamic State of Iraq and al-Sham, which is also known as ISIS.  For example, in connection with the investigation, the FBI seized from an iCloud account maintained by Melzer an ISIS-issued document with a title that included the phrase “HARVEST OF THE SOLDIERS” and described attacks and murders of U.S. personnel in approximately April 2020.

In approximately April 2020, the Army informed Melzer of plans for a further foreign deployment by his unit.  Melzer thereafter sought to facilitate a deadly attack on his fellow service members. 

After he was notified of the assignment, Melzer used an encrypted application to send messages to members and associates of O9A and a related group known as the “RapeWaffen Division,” including communications regarding Melzer’s commitment to O9A and sensitive information related to his unit’s anticipated deployment such as locations, movements, and security, for purposes of facilitating an attack on Melzer’s unit.  Melzer and his co-conspirators planned what they referred to as a “jihadi attack” during the deployment, with the objective of causing a “mass casualty” event victimizing his fellow service members. 

Melzer acknowledged in electronic communications that he could be killed during the attack, and, describing his willingness to die, wrote “who gives a [expletive] [. . .] it would be another war . . . I would’ve died successfully . . . cause [] another 10 year war in the Middle East would definitely leave a mark.”  

On or about May 17, 2020, Melzer exchanged electronic communications regarding passing information about the anticipated deployment to a purported member of al Qaeda.  Between approximately May 24 and May 25, 2020, Melzer sent additional electronic messages with specific information about his unit’s anticipated deployment, including, among other things, the number of soldiers who would be traveling, the location of the facility to which Melzer expected the unit would be deployed, and information about the facility’s surveillance and defensive capabilities.  Melzer promised to leak more information once he arrived at the location of the new deployment in order to try to maximize the likelihood of a successful attack on his unit. 

During a voluntary interview with military investigators and the FBI, Melzer admitted his role in plotting the attack.  Melzer said that he intended the planned attack to result in the deaths of as many of his fellow service members as possible.  Melzer also declared himself to be a traitor against the United States, and described his conduct as tantamount to treason.    

Melzer is charged in the Indictment with (1) conspiring to murder U.S. nationals, in violation of 18 U.S.C. § 2332(b)(2), which carries a maximum sentence of life in prison; (2) attempting to murder U.S. nationals, in violation of 18 U.S.C. § 2332(b)(1), which carries a maximum sentence of 20 years in prison; (3) conspiring to murder U.S. military service members, in violation of 18 U.S.C. § 1117, which carries a maximum sentence of life in prison; (4) attempting to murder U.S. military service members, in violation of 18 U.S.C. § 1114, which carries a maximum sentence of 20 years in prison; (5) attempting to provide and providing material support to terrorists, in violation of 18 U.S.C. § 2339A, which carries a maximum sentence of 15 years in prison; and (6) conspiring to murder and maim in a foreign country, in violation of 18 U.S.C. § 956, which carries a maximum sentence of life in prison.  The statutory penalties are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant would be determined by the judge.

Assistant Attorney General Demers and Acting U.S. Attorney Strauss praised the outstanding efforts of the FBI’s New York Joint Terrorism Task Force, which consists of investigators and analysts from the FBI, the NYPD, and over 50 other federal, state, and local agencies; the FBI’s Legal Attaché Office in Rome, Italy; the Air Force Office of Special Investigations; U.S. Army Counterintelligence; U.S. Army Criminal Investigation Command; Attorneys from the U.S. Army Africa Office of the Staff Judge Advocate and 173rd Airborne Brigade; and the U.S. Department of State Diplomatic Security Service.

This prosecution is being handled by the office’s Terrorism and International Narcotics Unit.  Assistant U.S. Attorneys Sam Adelsberg, Matthew Hellman, and Sidhardha Kamaraju are in charge of the prosecution, with assistance from Trial Attorney Alicia Cook of the Counter-terrorism Section.

The charges in the complaint and indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.


Justice.gov (June 2020) U.S. Army Soldier Charged with Terrorism Offenses for Planning Deadly Ambush on Service Members in His Unit

Defense Department Linguist Charged with Espionage


Mariam Taha Thompson, 61, formerly of Rochester, Minnesota, was charged on Wednesday in the District of Columbia with transmitting highly sensitive classified national defense information to a foreign national with apparent connections to Hizballah, a foreign terrorist organization that has been so designated by the Secretary of State.

According to the affidavit filed in support of a criminal complaint, the information Thompson gathered and transmitted included classified national defense information regarding active human assets, including their true names.  By compromising the identities of these human assets, Thompson placed the lives of the human assets and U.S. military personnel in grave danger.

The announcement was made by John C. Demers, the Assistant Attorney General for National Security; Timothy J. Shea, the United States Attorney for the District of Columbia; Robert Wells, Acting Assistant Director of the FBI’s Counterintelligence Division; and Timothy R. Slater, the Assistant Director in Charge of the Washington Field Office.

“While in a war zone, the defendant allegedly gave sensitive national defense information, including the names of individuals helping the United States, to a Lebanese national located overseas,” said Assistant Attorney General for National Security John C. Demers. “If true, this conduct is a disgrace, especially for someone serving as a contractor with the United States military. This betrayal of country and colleagues will be punished.”

“The conduct alleged in this complaint is a grave threat to national security, placed lives at risk, and represents a betrayal of our armed forces.  The charges we’ve filed today should serve as a warning to anyone who would consider disclosing classified national defense information to a terrorist organization,” said U.S. Attorney Timothy J. Shea for the District of Columbia.

“This case shows the value of cooperation across the U.S. Government. Working closely with the Department of Defense, the FBI was able to investigate this willful disregard for keeping national defense information safe and partnered to bring the defendant to the United States to face justice,” said Acting Assistant Director of the FBI’s Counterintelligence Division Robert Wells.

“Today’s announcement is a testament to the U.S. government’s commitment to protecting the U.S. from the unauthorized disclosure of classified information that can put our country at serious risk of damage – damage to people and damage to our country’s capabilities,”  said Timothy R. Slater, Assistant Director in Charge of the FBI’s Washington Field Office.  “Human assets are the core of the U.S. government’s intelligence, and they have our assurance that we will go above and beyond to protect them.  I want to thank the men and women at the FBI and our partners here and abroad who answered the call to assist on this fast-moving investigation.  The FBI is charged with protecting our nation’s security and information for a safe and secure tomorrow for all Americans – we take this duty seriously and will not stand by while supposedly trusted individuals violate that trust in such an egregious way.”


Thompson was arrested by FBI Special Agents on February 27, 2020, at an overseas U.S. military facility, where she worked as a contract linguist and held a Top Secret government security clearance.   

The investigation leading to this arrest revealed that starting on or about December 30, 2019, a day after U.S. airstrikes against Iranian-backed forces in Iraq, and the same day protesters stormed the U.S. embassy in Iraq to protest those strikes, audit logs show a notable shift in Thompson’s network activity on United States Department of Defense classified systems, including repeated access to classified information she had no need to access. 

Specifically, during a six-week period between December 30, 2019, and February 10, 2020, Thompson accessed dozens of files concerning human intelligence sources, including true names, personal identification data, background information, and photographs of the human assets, as well as operational cables detailing information the assets provided to the United States government.

A court-authorized search of Thompson’s living quarters on February 19, 2020, led to the discovery of a handwritten note in Arabic concealed under Thompson’s mattress.  The note contained classified information from Department of Defense computer systems, identifying human assets by name, and warning a Department of Defense target who is affiliated with a designated foreign terrorist organization with ties to Hizballah.  The note also instructed that the human assets’ phones should be monitored.

Thompson transmitted the classified information in the handwritten note to a co-conspirator, in whom she had a romantic interest. The FBI’s investigation revealed that Thompson knew the co-conspirator was a foreign national whose relative worked for the Lebanese government. The investigation also revealed that the co-conspirator has apparent connections to Hizballah.

Further investigation revealed that, in a separate communication, Thompson also provided information to her co-conspirator identifying another human asset and the information the asset had provided to the United States, as well as providing information regarding the techniques the human assets were using to gather information on behalf of the United States.

In today’s Criminal Complaint, Thompson was charged with Delivering Defense Information to Aid a Foreign Government in violation of 18 U.S.C. § 794(a) and conspiring to do so in violation of 18 U.S.C. § 794(c).

Thompson made her initial appearance before United States Magistrate Judge Robin M. Meriweather on Wednesday afternoon. A Criminal Complaint is a formal accusation of criminal conduct for purposes of establishing probable cause, not evidence of guilt. The defendant is presumed innocent unless proven guilty.

If convicted, Thompson faces a maximum sentence of life in prison for violating § 794. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes only. If convicted of any offense, the sentencing of a defendant will be determined by the court based on the advisory Sentencing Guidelines and other statutory factors.

Trial Attorneys Jennifer Kennedy Gellie of the National Security Division’s Counterintelligence and Export Control Section, Jennifer Levy of the Counterterrorism Section, and Assistant United States Attorney for the District of Columbia John Cummings are prosecuting the case.

Justice.gov (March, 2020) Defense Department Linguist Charged with Espionage

Ex-CIA engineer charged in massive leak was described by Prosecutors as ‘angry and vindictive’


Federal prosecutors stated on Monday that a software engineer on trial for the largest leak of classified information in CIA history was “prepared to do anything” to betray the agency, Fox News reported.

Joshua Schulte is a former CIA coder accused of sending the anti-secrecy group WikiLeaks a large portion of the agency’s computer hacking arsenal — tools the agency had used to conduct espionage operations overseas.

“The defendant was prepared to burn down the United States government,” Assistant U.S. Attorney Matthew Laroche said. “He is an angry and vindictive man.”


In 2018, the U.S. Attorney’s Office Southern District of New York charged Joshua Adam Schulte with the unauthorized disclosure of classified information and other offenses relating to the theft of classified material from the Central Intelligence Agency (CIA).

Schulte was charged in a 13-count Superseding Indictment (the “Indictment”) in connection with his alleged theft of classified national defense information from the Central Intelligence Agency (“CIA”) and the transmission of that material to an organization that purports to publicly disseminate classified, sensitive, and confidential information (“Organization-1”).  The Indictment also charges SCHULTE with the receipt, possession, and transportation of child pornography, as well as criminal copyright infringement.  SCHULTE, who is presently detained on the child pornography charges, will be arraigned by U.S. District Judge Paul A. Crotty.

Manhattan U.S. Attorney Geoffrey S. Berman said: “Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization.  During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence.  We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities.  Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”


Assistant Attorney General John C. Demers said:  “The National Security Division, alongside our partners in the Intelligence Community, will not waver in our commitment to pursue and hold accountable these officials, and I commend all those at the Department of Justice and the FBI who have worked diligently to investigate this matter and bring these charges.”

Assistant Director-in-Charge William F. Sweeney, Jr. said:  “As alleged, Schulte utterly betrayed this nation and downright violated his victims. As an employee of the CIA, Schulte took an oath to protect this country, but he blatantly endangered it by the transmission of Classified Information. To further endanger those around him, Schulte allegedly received, possessed, and transmitted thousands of child pornographic photos and videos. In an effort to protect this nation against crimes such as these, the FBI’s Counterintelligence Division in New York will continue to keep our mission at the forefront of our investigations in protecting the American public.”

On March 7, 2017, Organization-1 released on the Internet classified national defense material belonging to the CIA (the “Classified Information”).  In 2016, SCHULTE, who was then employed by the CIA, stole the Classified Information from a computer network at the CIA and later transmitted it to Organization-1.  SCHULTE also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system.  SCHULTE subsequently made material false statements to FBI agents concerning his conduct at the CIA.        

SCHULTE was previously arrested on August 24, 2017, on charges relating to his receipt, possession, and transportation of approximately ten thousand images and videos of child pornography.  In March 2017, members of the FBI had searched SCHULTE’s residence in New York, New York, pursuant to a search warrant and recovered, among other things, multiple computers, servers, and other portable electronic storage devices, including Schulte’s personal desktop computer (the “Personal Computer”). 

On the Personal Computer, FBI agents found an encrypted container (the “Encrypted Container”), which held over 10,000 images and videos of child pornography.  The Encrypted Container with the child pornography files was identified by FBI computer scientists beneath three layers of password protection on the Personal Computer.  Each layer, including the Encrypted Container, was unlocked using passwords previously used by SCHULTE on one of his cellphones.  Moreover, FBI agents identified Internet chat logs in which SCHULTE and others discussed their receipt and distribution of child pornography.  FBI agents also identified a series of Google searches conducted by SCHULTE in which he searched the Internet for child pornography.

SCHULTE, 29, of New York, New York, is charged with one count each of (i) illegal gathering of national defense information, (ii) illegal transmission of lawfully possessed national defense information, (iii) illegal transmission of unlawfully possessed national defense information, (iv) unauthorized access to a computer to obtain classified information, (v) theft of Government property, (vi) unauthorized access of a computer to obtain information from a Department or Agency of the United States, (vii) causing transmission of a harmful computer program, information, code, or command, (viii) making material false statements to representatives of the FBI, (ix) obstruction of justice, (x) receipt of child pornography, (xi) possession of child pornography, (xii) transportation of child pornography, and (xiii) copyright infringement. 

A chart containing the charges and maximum penalties is shown here.  The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Mr. Berman praised the outstanding investigative efforts of the FBI. 

The prosecution of this case is being handled by the Office’s Terrorism and International Narcotics Unit.  Assistant U.S. Attorneys Sidhardha Kamaraju and Matthew Laroche are in charge of the prosecution, with assistance from Trial Attorney Scott McCulloch of the National Security Division’s Counterintelligence and Export Control Section.

Foxnews.com/Justice.gov (March, 2020) Prosecutors describe ex-CIA engineer charged in massive leak as ‘angry and vindictive’; Joshua Adam Schulte Charged With The Unauthorized Disclosure Of Classified Information


Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax


Indictment Alleges Four Members of China’s People’s Liberation Army Engaged in a Three-Month Long Campaign to Steal Sensitive Personal Information of Nearly 150 Million Americans

A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets.

The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military.  They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.  

They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network.  

The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system.  Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.

The indictment also charges the defendants with stealing trade secret information, namely Equifax’s data compilations and database designs.  “In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” said Barr.

The defendants took steps to evade detection throughout the intrusion, as alleged in the indictment.  They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.

“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” said FBI Deputy Director David Bowdich.  “The size and scope of this investigation, affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office.  This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning.”

The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud.  The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud. 

The investigation was conducted jointly by the U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office.  The FBI’s Cyber Division also provided support.  Equifax cooperated fully and provided valuable assistance in the investigation.

Assistant U.S. Attorneys Nathan Kitchens, Samir Kaushal, and Thomas Krepp of the Northern District of Georgia; Senior Counsel Benjamin Fitzpatrick of the Criminal Division’s Computer Crime and Intellectual Property Section; and Trial Attorney Scott McCulloch of the National Security Division’s Counterintelligence and Export Control Section are prosecuting this case.  Attorneys with the Office of International Affairs provided critical assistance in obtaining evidence from overseas.  

The details contained in the charging document are allegations.  The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Justice.gov (February, 2020) Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax