Subscribe

Biz & IT —

Massive Equifax hack reportedly started 4 months before it was detected

Attackers likely spent months escalating their intrusion into Equifax's network.

-

A monitor displaying Equifax Inc. signage on the floor of the New York Stock Exchange in New York on Friday, September 15, 2017.
Enlarge / A monitor displaying Equifax Inc. signage on the floor of the New York Stock Exchange in New York on Friday, September 15, 2017.
Michael Nagle/Bloomberg | Getty Images

Hackers behind the massive Equifax data breach began their attack no later than early March, more than four months before company officials discovered the intrusion, according to a report published Wednesday by the Wall Street Journal.

Further Reading

Why the Equifax breach is very possibly the worst leak of personal info ever
The first evidence of the hackers' "interaction" with the Equifax network occurred on March 10, according to the report, which cited a confidential note that security firm FireEye sent to some Equifax customers. By then, a critical vulnerability in the Apache Struts Web application framework was already under active exploit on the Internet. Equifax officials have said the Struts flaw was the opening that gave attackers an initial hold in the targeted network.

Equifax has said that the breach that exposed sensitive data for as many as 143 million US consumers started on May 13 and lasted until July 30. The company didn't disclose the breach until September 7.

The attackers, according to the WSJ, eventually entered the command "Whoami," giving them the capability to determine the user account they had compromised. It was likely the beginning of months of painstaking hacking as the attackers attempted to escalate their privileges and intrude further into the Equifax network. Sometime between May and late July, the hackers accessed files that contained Equifax credentials and "performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment," the report said. Eventually, the attackers accessed "numerous database tables in several databases."

The attackers also managed to set up about 30 Web shells that allowed them to remotely enter the same sorts of powerful commands available to high-privilege Equifax administrators. The hidden pages would remain even after the vulnerable Struts applications on the network were patched. As it turned out, Equifax didn't fix the flaw until July 30.

Mandiant, the FireEye unit that Equifax called in to investigate the breach, said it has detected about 35 IP addresses the attackers used to access the company's network. The hackers' identity remains unknown. Mandiant has been unable to attribute the breach to any hacking groups it currently tracks, and the tools, tactics, and procedures used in the hack don't overlap with those seen in previous Mandiant investigations.

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

Related Stories

    Today on Ars