Editor's Note: This transcript was automatically transcribed, so mistakes are inevitable. You can contribute by proofreading the transcript or highlighting the mistakes. Sign up to be amongst the first contributors.
The attempted assassination of two New York City police officers, as many of you know, had recently been up there to visit with the NYPD. And that is a force that does exceptional work for the people of New York. And I want them to know that they have the full support of this administration and this Department of Justice. I'm here to announce the indictment of Chinese military hackers, specifically for members of the Chinese People's Liberation Army, for breaking into the computer systems of the credit reporting agency Equifax and for stealing the sensitive personal information of nearly half of all American citizens.
And also, Equifax has hard earned intellectual property. This was one of the largest data breaches in history. It came to light in toothat in the summer of 2017 when Equifax announced the theft. The scale of the theft was staggering. As alleged in the indictment, the hackers obtained the names, birthdates and Social Security numbers of nearly 150 million Americans and the drivers licenses of approximately 10 of at least 10 million Americans. This that theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans and impose substantial costs and burdens on them as they had to take measures to protect themselves from identity theft.
As described in the indictment, the hackers broke into Equifax is network through a vulnerability in the company's dispute resolution system once in the network. The hackers spent weeks conducting reconnaissance, uploading malicious software and steal and stealing log in credentials, all to set up the stage to steal vast amounts of data from Equifax as systems. While doing this, the hackers also stole Equifax as trade secrets embodied by the compiled data and complex database designs used to store personal information. Those trade secrets were the product of decades of investment and hard work by the company.
Today's announcement comes after two years of investigation. According to the nine count indictment handed down by the grand jury in Atlanta, four members of the Chinese People Liberation Army are alleged to have conspired to hack Equifax as computer systems and commit economic espionage. This kind of attack. On American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data. For years, we have witnessed China's voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott Hotels and Anthem health insurance companies, and now the wholesale theft of credit and other information from Equifax.
This data has economic value, and these thefts can feed China's development of artificial intelligence tools, as well as the creation of intelligence targeting packages. In addition to the thefts of sensitive personal data, our cases reveal a pattern of state sponsored computer intrusions and thefts by China, targeting trade secrets and confidential business information hacked by the group known as AP T10, which worked in association with the Chinese Ministry of State Security, or MSDS, to target managed service providers and their clients worldwide.
Across industries hacks by MSDS intelligence officers who sought to steal intellectual property relating to turbo fan engines by using both insiders and computer operations and hacks by PMA officers who targeted victims in the nuclear power, metals and solar products industries for the economic benefit of Chinese companies. Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involve some connection with China.
We normally don't bring criminal charges against members of another country's military or intelligence services outside the United States. In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject of the domestic criminal law. There are exceptions, however. For instance, we have brought charges against intelligence officers operating undercover in the United States, and more recently, we have charged state sponsor actors for computer intrusions in the United States for the purpose of intellectual property theft, for the use of their private sector, including bank robbery and interference with our democratic elections.
Like those cases, the deliberate, indiscriminate theft of vast amounts of sensitive personal data of civilians as occurred here, cannot be countenanced. The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information. But we but we collect information only for legitimate national security purposes. We don't indiscriminately violate the privacy of ordinary citizens. Today's indictment would not have been possible without the hard work of a dedicated team of FBI agents and federal prosecutors in Atlanta and here in Washington, D.C.
. In addition, the department's Office of International Affairs provided valuable assistance in working with other countries to secure evidence. And Equifax Equifax is cooperation throughout the investigation was critical to our development of this case. I'll take a question before turning the floor over to two others appear federal law.
Senator Graham says Rudy Giuliani will be providing the department information on really related to Ukraine and with Biden. What is the process for receiving this information? Who will evaluate it?
Is this something that you build in the future so well?
As I've previously said, the DOJ has the obligation to have an open door to anybody who wishes to provide us information that they think is relevant.
But as I did say to Senator Graham in, we have to be very careful in with it with respect to any information coming from the Ukraine.
There are a lot of agendas in the Ukraine there, a lot of cross currents, and we can't take anything we received from the Ukraine at face value. And for that reason, we had established an intake process in the field so that any information coming in about Ukraine could be carefully scrutinized by the department and its intelligence community, community partners, so that we could assess its provenance and its credibility. And, you know, that is true for all information that comes to the department relating to the Ukraine, including anything Mr.
Giuliani might provide.
Thank you. Now, let me introduce E.J. Art, the U.S. attorney, Atlanta, who will take it from here.
V.J.. Thank you, Attorney General Barr. I would like to commend the federal agents of the FBI and also the prosecutors in the Department of Justice for their great work in this matter. And I want to emphasize the valuable cooperation that Equifax had provided. They're the one that reported the intrusion to the law enforcement and we took it from there. And they've been very, very helpful from throughout. I'd be happy to take any questions you may have. You categorize the scale of this theft in terms of prosecutions that just brought related to China.
Is this the largest theft? DOJ is alleging that Chinese military hackers have committed.
Well, I'll refer back to the attorney general's statement that it is one of the largest in terms of number of civilians information that's been hacked in the overall picture. I'll defer to Assistant Attorney General DeMars who have a bigger, better picture about that.
I guess it depends how you count. But in terms of the number of people's information, who has stolen, it may very well be the biggest that we have. Certainly, as you said, one of the biggest. Obviously, there's a lot of different ways to to count that that data.
Yeah. So then we get two questions that after that.
Yeah, no problem. Thank you. At the FBI, we've been saying for years that China will do anything it can to replace the United States as the world's leading superpower. China's targeting our technology and our trade secrets. And it has been for some time. We know that. But as the attorney general noted previously, this indictment is about more than targeting just an American business. It's about the brazen theft of sensitive personal information of nearly 150 million Americans.
This is the largest theft of sensitive P.I. State sponsored by state sponsored hackers ever recorded. This indictment is also a reminder that with their attacks on our economy, our cyber infrastructure and our citizens, China is one of the most significant threats to our national security. Today, I'm proud of our field office in Atlanta. And you see there special agent in charge up here, Chris Hacker, as well as the U.S. attorney, B.J. Pach from Atlanta. I'm proud of both our office and the U.S.
attorney's offices in Atlanta. These cases are tedious. They are technical and they are difficult and they take time. And the combination of those U.S. attorneys, as well as the FBI agents that participated is a is a valiant effort to get through a case of this impact. S.A.C. Chris Hacker up here would be the first remind you that cases like this depend on the strength of our many partnerships. As I mention, Atlanta was supported certainly by our folks here in our cyber division and FBI headquarters by the U.S.
Attorney's Office in the northern district of Georgia. As previously mentioned by the Department of Justice here and by many other law enforcement and intelligence community partners here at home and in nearly 20 countries throughout the world, we're thankful for this invaluable assistance they provided along the way. We also want to thank Equifax for their close collaboration with us throughout this process. I cannot overstate the importance of the victim company working closely with us after an intrusion like this. This investigation started with minimal evidence no more than 40 IP addresses for servers located throughout the world and a handful of malicious computer programs.
The hackers tried to hide the origin and the location of the Internet traffic by using servers around the world to infiltrate. Equifax is network, but their attempts to cover their tracks failed. We reviewed a ton of forensic data, including network logs and forensic computer images, images and we analyzed malware and we obtained legal process to establish a digital footprint linking the hackers to the intrusion. That's how we were able to trace this unprecedented hack back to the individuals who were named in today's indictment.
This is a testament to the hard work and determination of everyone involved in this investigation. And we've seen so many breaches since 2017. You've seen many of them. And we've almost become as a country immune to these breaches. You get the notice in the mail or you hear about it in the news. You think, well, there goes my credit card number, my Social Security number, my bank account information, and you sign up for another year of free credit card monitoring information.
We cannot think like that in this country.
American businesses cannot be complacent about protecting their data and their intellectual property from our adversaries. And as American citizens, we cannot be complacent about protecting our sensitive personal data. We in law enforcement will not let hackers off the hook just because they're halfway around the world. We've got to do everything we can to keep people safe. Secure and confident online. That's why we're here today. Years after this investigation began in 2017, calling out the Chinese government for its illegal activity.
This is only the second time in our history that we've indicted Chinese military hackers. Some might wonder what good it does when these hackers are seemingly beyond our reach. We answer this question all the time. We tried it. We can't take them into custody. Try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up. And when they do, we'll be there. And we'll keep putting pressure on these Baggot bad actors, making sure they understand the risks and the consequences of their actions.
We'll use our unique authorities, our experiences and our capabilities with the help of our partners, both at home and abroad to fight this threat. Each and every day. And we continue to do so. I want to make one very important point. Our concern is not with the Chinese people or with the Chinese American. It is with the Chinese government and the Chinese Communist Party. Confronting this threat effectively does not mean we should not do business with China.
Host Chinese business or Chinese students, welcome Chinese visitors or coexist with China as a country on the on the world stage. What it does mean is that when China violates our criminal laws and international norms, we will not tolerate it and we will hold them accountable for it.
We will protect our nation's innovation and its ideas and we will protect our citizens personal information. Thank you. Yes.
Question Beyond the serious implications in terms of the privacy concerns of Americans. Can you speak a little bit more about the security implications of targeting the data you mentioned? It's like intel intelligence targeting by the Chinese, perhaps government officials and other sensitive alerts.
Sure. I'm not going to get too deep into that. But I will say, look, if you can get P.I. Of people, personally identifiable information, you can do a lot with that.
That can be monetized. It can be used in many, many ways. It can be used for targeting packages for U.S. government officials. That is certainly a possibility. We have not yet seen that in this case to our knowledge. That doesn't mean it will or will not happen in the future. And certainly I think one thing that China recognizes very well is a healthy economy is tantamount to a healthy national security.
You said that, you know, some Americans are immune to this process. Our credit cards are stolen. They get a notice in the mail. What about the people that are panicking that will panic when they hear this information, which the average American do, that's thinking, oh, my goodness, these guys could be up to more. They could be in China somewhere. God knows where they are right now. What's your message to them?
My message to them is, is certainly they should know already because this was announced publicly, not the attribution, but the actual intrusion was announced publicly previously that said they should be in contact with their credit monitoring services. There are a number of things they can do. First of all, prevention of further attacks, i.e. spear fishing, spear phishing attacks do not open links, do not open emails from untrusted servers to factor authentication as far as making sure that their data and their information is is a hard target and checking their credit scores on a fairly regular basis is a helpful step as well.
I think they should go about their daily lives. They should not panic, but they should make sure that their data and their information is secure. Yes.
Is there evidence that this information is already being used?
There is not at this time.
The question is, how is this different from the type of collection that the United States. All over the world, the type of collection that we do here in this country and against, you know, follow you to the question we ask the attorney general before he fled was to tell us what the FBI is doing with this Giuliani information. How is it different from the way the FBI handled the Steele dossier? The information came back and we take that in two parts.
And the second part, I want to be fair to the attorney general. I don't I don't like the word fled for any attorney general.
First off, as far as what is the magnitude of this attack is so important.
You have roughly 320 million Americans. One hundred and forty five million Americans lost sensitive p.I. That does not sound like. Targeted intelligence activity to me, that sounds like very broad collection. Secondly, I will stand on the attorney general's previous answer based on the information. Look, we're taking information as we would in any case. We will evaluate it appropriately.
Yes. You mentioned that American companies have to be vigilant. But in the case of Equifax, they there was an alert that went out in March of 17th. It said you have a flaw in your software and they did not update their software. And that flaw was used to take this data. So if if Equifax had done an update that they were advised to do, would any of the state have been stolen?
I don't know the answer, and I'll leave that to the civil remedies that have been applied already.
Last question. Just a follow up on Evan's question there.
Is the FBI investigating Joe Biden at this point?
I'm not going to touch it. I'm not going to talk about any investigation as I never would. We do not talk about open investigations.