Named attack · kill-chain walkthrough

Equifax Breach

PLA's bulk-PII heist via unpatched Apache Struts

Actor: PLA Unit 54466 (54th Research Institute, PRC)
Window: May 13 – July 30, 2017 (discovered July 29, disclosed September 7, 2017)
Attribution confidence: High

Attributed to four members of the Chinese People's Liberation Army 54th Research Institute (Unit 54466) by U.S. federal grand jury indictment on February 10, 2020. The named defendants — Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei — were charged with computer fraud, economic espionage, and wire fraud. No extradition has taken place; all four remain at large in China.

Members of China's PLA 54th Research Institute exploited a publicly disclosed but unpatched Apache Struts vulnerability (CVE-2017-5638) in Equifax's consumer dispute portal to gain an initial foothold. Over 76 days they pivoted through an unsegmented database tier, ran approximately 9,000 queries across 51 databases, and exfiltrated the personally identifiable information of roughly 148 million Americans — the largest theft of consumer financial data in U.S. history. An SSL inspection certificate that had been expired for 19 months left Equifax's egress IDS effectively blind throughout the entire operation.

[Kill-chain diagram, scene 00 / 08: PLA Unit 54466 (54th Research Institute, PRC / Beijing) → scan for CVE-2017-5638 (Apache Struts S2-045, OGNL injection, CVSS 10.0, disclosed 2017-03-06; T1595.002) → Equifax: patch advisory ignored, internal scan missed ACIS, 68 days unpatched → ACIS dispute portal (Apache Struts) exploited via unauthenticated OGNL RCE (T1190; first exploit 2017-05-13; PoC public within 24 hrs of advisory) → web shells with command access over HTTPS (T1505.003); DB credentials in plaintext config files (T1552.001) → Equifax internal DB tier, 51 unsegmented databases, ~9,000 queries (T1046, T1213) → 148M US consumer PII records (SSN, DoB, address, driver's license number), 209,000 credit card numbers, 182,000 dispute docs, staged as compressed archives (T1005, T1119, T1560.001) → egress IDS / TLS inspector blind for 19 months (SSL cert expired, cannot decrypt HTTPS egress) → exfiltration via ~20-country HTTPS relay → SSL cert renewed, IDS sees exfil 2017-07-29 → public disclosure 2017-09-07 → FTC / CFPB settlement $575M–700M (2019) → DOJ indictment of 4 PLA officers, 2020-02-10]
  1. Phase 01 · Reconnaissance (TA0043)

    Operators scanned Equifax's public-facing infrastructure after the Apache Struts advisory dropped

    • Apache disclosed CVE-2017-5638 on March 6, 2017, the same day it released the patched version of Struts 2; mass internet scanning for vulnerable endpoints began within days of the advisory.
    • Equifax's Automated Consumer Interview System (ACIS) — a web application for consumers to dispute credit report items — ran an unpatched version of Apache Struts and was reachable from the public internet.
    • Equifax's patch management process failed: an internal scan on March 15, 2017 did not flag the ACIS system despite the advisory being circulated internally; a second scan on May 13 also missed it.
    • The U.S. House Oversight majority staff report found Equifax had 'failed to apply security patches in a timely manner' and had an 'ineffective patching process' for Struts specifically.
  2. Phase 02 · Initial Access (TA0001)

    CVE-2017-5638 OGNL injection gave unauthenticated RCE on the ACIS dispute portal

    • CVE-2017-5638 is a critical (CVSS 10.0) remote code execution flaw in the Apache Struts 2 Jakarta Multipart parser: a maliciously crafted Content-Type header triggers OGNL expression evaluation server-side, granting full shell-level code execution without authentication.
    • Exploitation requires a single HTTP request with no prior authentication, making it trivially automatable; public proof-of-concept exploits were available within 24 hours of the March 6 advisory.
    • Attackers first exploited the flaw against Equifax's ACIS portal on May 13, 2017 — 68 days after the patch had been publicly available.
    • The DOJ indictment charges the four PLA defendants with unauthorized access and computer fraud arising from this initial exploitation.
  3. Phase 03 · Persistence & Execution (TA0003)

    Web shells dropped on the ACIS server provided durable, authenticated command access

    • After establishing initial RCE via CVE-2017-5638, operators deployed web shells — small server-side scripts that accept commands over HTTP — to maintain access independent of the Struts vulnerability.
    • The DOJ indictment and House Oversight report describe attackers using these footholds to run commands, explore the environment, and stage further intrusion tools over the subsequent weeks.
    • Equifax stored credentials for downstream database systems in plaintext configuration files accessible from the web tier — operators harvested these to pivot into the database layer.
    • The web shells operated over encrypted HTTPS, blending with legitimate TLS traffic and evading content-based detection.
  4. Phase 04 · Discovery (TA0007)

    Operators mapped 51 databases and identified the tables holding PII for 148 million consumers

    • From the compromised ACIS web tier, operators discovered that Equifax's internal network was poorly segmented: the web application servers had direct database connectivity to dozens of production databases holding consumer PII.
    • The attackers ran approximately 9,000 queries across 51 distinct databases to enumerate tables, column schemas, and row counts — effectively mapping the full PII landscape before beginning bulk extraction.
    • The House Oversight report found that Equifax's network segmentation was inadequate and that the ACIS application had access far beyond the data required for its function (principle of least privilege violated).
    • The GAO report noted that Equifax had not implemented database activity monitoring that could have detected the anomalous query volume.
  5. Phase 05 · Collection (TA0009)

    ~9,000 queries pulled names, SSNs, DoB, addresses, driver's licenses, and 209k credit card numbers

    • The PLA operators staged bulk query output into temporary files within the ACIS environment before exfiltration; the DOJ indictment describes the data being stored in temporary repositories.
    • Data collected: full names, Social Security numbers, dates of birth, home addresses, and driver's license numbers for approximately 148 million U.S. consumers; approximately 209,000 consumer credit card numbers (with expiry dates); dispute documents containing additional PII for approximately 182,000 consumers.
    • The breach also affected approximately 15 million UK citizens whose data was held by Equifax's UK subsidiary, and approximately 19,000 Canadians.
    • The DOJ indictment notes that defendant Liu Lei obtained login credentials for a third-party data provider as part of this collection phase.
  6. Phase 06 · Defense Evasion (TA0005)

    An expired SSL inspection certificate had blinded Equifax's egress IDS for 19 months

    • Equifax operated a TLS inspection appliance on its egress traffic monitoring path — but the SSL inspection certificate had expired 19 months before the breach began, rendering the device unable to decrypt and inspect outbound HTTPS sessions.
    • Because the inspection cert was not renewed, all encrypted exfiltration traffic traversed the egress IDS as opaque blobs; the IDS could detect neither the payload content nor the anomalous query-result volumes.
    • The DOJ indictment describes the defendants routing exfiltration through approximately 20 different countries to obscure the traffic's true origin and destination.
    • Operators split large datasets into smaller compressed archives before transmission — a common staging technique to reduce per-session payload size and avoid size-based anomaly thresholds.
    • The expired certificate was discovered on July 29, 2017 when Equifax's security team renewed it; the IDS immediately began flagging suspicious traffic, triggering the investigation.
  7. Phase 07 · Exfiltration (TA0010)

    Staged archives of PII exfiltrated over HTTPS through a 20-country relay — invisible to blind IDS

    • Over the 76-day dwell period (May 13 – July 30, 2017), operators exfiltrated the staged data archives through encrypted HTTPS sessions directed at exit nodes in approximately 20 countries before the traffic terminated at PRC-controlled infrastructure.
    • The House Oversight report notes that 'the data was encrypted and sent to locations outside the United States' and that the exfiltration was not detected until the SSL inspection certificate was renewed.
    • The DOJ indictment charges defendants Wu Zhiyong and Wang Qian with executing the exfiltration channels; Xu Ke and Liu Lei are charged with additional support roles in the intrusion operation.
    • After the SSL cert renewal on July 29, 2017 restored IDS visibility, Equifax detected the suspicious encrypted traffic within hours and shut down the ACIS portal.
  8. Phase 08 · Impact & Attribution (TA0040)

    148M Americans' PII stolen; $700M+ settlement; four PLA officers indicted

    • The Equifax breach is the largest theft of consumer financial PII in U.S. history: approximately 148 million Americans had their SSNs, dates of birth, addresses, and driver's license numbers exposed; 209,000 consumers had credit card numbers stolen.
    • Equifax's CIO resigned on September 26, 2017; the CEO resigned October 3, 2017. The SEC announced settled charges against a former Equifax CIO (Jun Ying) for insider trading on June 28, 2018.
    • Equifax agreed to pay up to $700 million (later revised to $575 million guaranteed / up to $700 million with consumer fund) to settle charges brought by the FTC, CFPB, and 50 U.S. states and territories, announced July 22, 2019.
    • On February 10, 2020, the DOJ unsealed a nine-count indictment against four PLA 54th Research Institute (Unit 54466) members: Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊). Charges include computer fraud, economic espionage, and wire fraud. All four remain at large.
    • The GAO found Equifax had failed on key controls: patch management, network segmentation, SSL certificate lifecycle management, and data minimization (retaining PII beyond its necessary purpose).
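Phase 02 turns on a Content-Type header that is not a media type at all. The following detection is an added example (not Equifax's tooling or anything from the indictment): it parses constructed web-tier access log lines in which the request's Content-Type is logged as a trailing quoted field, and flags any value that fails the RFC 7231 media-type grammar, noting whether it carries OGNL expression markers. The log format, IPs and paths are assumptions.

```python
import re

# Constructed access log: combined format plus the request Content-Type as a
# trailing quoted field. Line two carries the kind of expression S2-045
# evaluates; it is a sample, not a captured request.
ACCESS_LOG = [
    '203.0.113.7 - - [13/May/2017:10:22:01 +0000] "POST /acis/dispute HTTP/1.1" 200 512 "multipart/form-data; boundary=----xyz"',
    '203.0.113.7 - - [13/May/2017:10:22:05 +0000] "POST /acis/dispute HTTP/1.1" 200 843 "%{(#cmd=\'id\')...}"',
    '198.51.100.3 - - [13/May/2017:10:23:11 +0000] "GET /acis/ HTTP/1.1" 200 1200 "-"',
    '203.0.113.7 - - [13/May/2017:10:24:40 +0000] "POST /acis/dispute HTTP/1.1" 500 120 "application/json"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<ctype>[^"]*)"$'
)
# A well-formed media type: type/subtype plus optional ;name=value parameters
# built from the RFC 7230 token characters. Anything else is not a Content-Type.
MEDIA_TYPE_RE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(?:\s*;\s*[\w!#$&^.+-]+=(?:"[^"]*"|[^;\s]+))*\s*$'
)
# Expression-language markers that never belong in a media type.
OGNL_MARKERS = ("%{", "${", "(#")


def detect_s2_045(lines):
    """Return one finding per request whose Content-Type is not a media type."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ctype"] == "-":
            continue  # unparseable line, or the client sent no Content-Type
        ctype = m["ctype"]
        if MEDIA_TYPE_RE.match(ctype):
            continue  # syntactically a media type; not what this rule is for
        findings.append({
            "src": m["src"], "ts": m["ts"], "path": m["path"],
            "content_type": ctype[:80],
            "ognl_marker": any(tok in ctype for tok in OGNL_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_s2_045(ACCESS_LOG):
        print(finding)
```

The grammar check catches malformed headers generally; the marker flag only prioritises triage, so a finding without it still deserves a look.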
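Phase 04 notes the absence of database activity monitoring that could have caught ~9,000 queries sweeping 51 databases from a web-tier account. This is an added example, not Equifax's tooling: it builds a constructed audit trail (a baseline day and an enumeration burst from the same application account) and alerts on hourly buckets that exceed a database-spread or query-rate baseline or contain schema-enumeration statements. Account names, database names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Statements an application service account has no business issuing:
# schema enumeration and table sizing are what "mapping the PII landscape" looks like.
ENUM_RE = re.compile(r"information_schema|all_tables|sys\.tables|show tables|count\(\*\)", re.I)


def normal_traffic():
    """Constructed baseline: the app account hitting its own database at a modest rate."""
    base = datetime(2017, 5, 12, 9, 0)
    return [(base + timedelta(minutes=i), "acis_app", "acis_disputes",
             "SELECT status FROM disputes WHERE dispute_id = ?") for i in range(40)]


def enumeration_traffic():
    """Constructed intrusion pattern: the same account sweeping many databases and sizing tables."""
    base = datetime(2017, 5, 13, 2, 0)
    rows = []
    for n in range(12):
        t, db = base + timedelta(seconds=30 * n), f"consumer_db_{n:02d}"
        rows.append((t, "acis_app", db, "SELECT table_name FROM information_schema.tables"))
        rows += [(t + timedelta(seconds=k), "acis_app", db, f"SELECT COUNT(*) FROM tbl_{k}")
                 for k in range(1, 15)]
    return rows


def detect_db_anomalies(records, max_dbs=3, max_queries=100):
    """Bucket (ts, user, db, stmt) audit records per (account, hour) and alert when a
    bucket exceeds the spread or rate baseline or contains any schema enumeration."""
    buckets = defaultdict(lambda: {"queries": 0, "dbs": set(), "enum": 0})
    for ts, user, db, stmt in records:
        b = buckets[(user, ts.replace(minute=0, second=0, microsecond=0))]
        b["queries"] += 1
        b["dbs"].add(db)
        if ENUM_RE.search(stmt):
            b["enum"] += 1
    alerts = []
    for (user, hour), b in sorted(buckets.items()):
        reasons = []
        if len(b["dbs"]) > max_dbs:
            reasons.append(f"{len(b['dbs'])} distinct databases (baseline <= {max_dbs})")
        if b["queries"] > max_queries:
            reasons.append(f"{b['queries']} queries/hour (baseline <= {max_queries})")
        if b["enum"]:
            reasons.append(f"{b['enum']} schema-enumeration statements")
        if reasons:
            alerts.append({"user": user, "hour": hour.isoformat(), "queries": b["queries"],
                           "distinct_dbs": len(b["dbs"]), "reasons": reasons})
    return alerts
```

Real deployments derive the per-account baselines from history rather than constants; the point is that the web tier's service account should never legitimately need more than its own database.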
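The 19-month blind spot in Phase 06 is a certificate-lifecycle failure: an expired decryption certificate on the TLS inspection path silently turns the IDS behind it into a pass-through. The check below is an added example (not Equifax's process) that evaluates a constructed inventory of inspection certificates against a reference date using the stdlib's parser for OpenSSL-style notAfter strings; appliance names and dates are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of TLS-inspection (decryption) certificates keyed by
# appliance, with notAfter in the text form OpenSSL prints. The first entry
# models a certificate that lapsed long before the reference date; all dates are samples.
INSPECTION_CERTS = {
    "egress-tls-inspector-01": "Dec 31 23:59:59 2015 GMT",
    "egress-tls-inspector-02": "Aug 15 00:00:00 2017 GMT",
    "egress-tls-inspector-03": "Jun 1 00:00:00 2019 GMT",
}


def check_inspection_certs(inventory, now, warn_days=30):
    """Classify each inspection cert relative to `now` (an aware UTC datetime).
    EXPIRED means that appliance cannot decrypt egress TLS, so the IDS behind it is blind."""
    findings = []
    for name, not_after in inventory.items():
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
        days_left = (expires - now).days
        if days_left < 0:
            state, note = "EXPIRED", f"egress uninspected for {-days_left} days"
        elif days_left <= warn_days:
            state, note = "EXPIRING", f"renew within {days_left} days"
        else:
            state, note = "OK", ""
        findings.append({"name": name, "state": state, "days_left": days_left, "note": note})
    return findings


def blind_appliances(inventory, now):
    """Names of appliances whose expired certificate leaves egress traffic uninspected."""
    return [f["name"] for f in check_inspection_certs(inventory, now) if f["state"] == "EXPIRED"]


if __name__ == "__main__":
    # Reference date: the day the expired certificate was noticed in this case.
    for finding in check_inspection_certs(INSPECTION_CERTS, datetime(2017, 7, 29, tzinfo=timezone.utc)):
        print(finding)
```

Run this on a schedule against the real inventory (or against live handshake data) and page on any EXPIRING entry; an EXPIRED result means every HTTPS session since that date crossed the IDS unread.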
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • PLA Unit 54466 (54th Research Institute, PRC)
Capability
  • T1595.002
  • T1592
  • T1190
  • T1059.007
  • T1505.003
Infrastructure
Victim
  • See narrative above
Primary sources