UPDATED 22:50 EDT / OCTOBER 01 2017

China blamed for Equifax consumer data theft

Hackers linked to the Chinese government are being blamed for the theft of data from consumer credit reporting agency Equifax Inc., but strangely not for the initial hack, according to a newly published report.

Bloomberg, quoting insider sources, claimed the initial hack was carried out in March by a group of hackers who took advantage of a published vulnerability in Apache Struts 2. Having gained access, the initial hackers, described as an “entry group,” are then alleged to have handed off access to Equifax servers to “a more sophisticated team of hackers,” which the report claimed is a sure sign of a state-sponsored hack.

On the second group, the report claimed that “many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management,” both of which were subsequently linked to hackers working for the Chinese government.

Although no evidence has been provided to back the claims, the report also noted that Equifax still shares most of the blame for allowing the hack to occur in the first place. Specifically, the company was in the middle of a dispute with its security firm, Mandiant Inc., which was hired March 1 to investigate potential data breaches at the company.

“The relationship with Mandiant broke down sometime over the next several weeks—a period that would later turn out to be critical in how the breach unfolded,” the report claimed. “Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems,” while “Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.”

Whatever occurred, what is absolutely clear is that the Apache Struts 2 vulnerability was publicly disclosed in March but was not patched by Equifax until May. That gap between disclosure and patching allowed hackers to install web shells on Equifax servers that delivered access independently of the Apache Struts vulnerability, which explains why the patch in May did nothing to stem the flow of data until the overall hack was discovered July 29.
