WannaCry about Equifax? What about the Culprits?


Equifax recently (10 May) released first quarter financial results. Alongside the normal information about revenue and EPS was this tidbit:

Since the announcement of the cybersecurity incident in September 2017, we have incurred a total of $1,352.0 million of costs related to the incident…

In addition to this $1.3+ billion financial beating, Equifax remains a favorite whipping post of government officials, journalists, and readers — the Senate Permanent Subcommittee on Investigations from the Committee on Homeland Security and Governmental Affairs is the most recent.

Since the 7 Sep 17 breach announcement, there have been at least five government reports (1, 2, 3, 4, 5), thousands of media outlet articles, and millions of internet comments almost exclusively focused on criticizing Equifax cybersecurity policies and procedures. Equifax has been taken to the woodshed in “print” so frequently that they probably own it now.

What about the perpetrators?

Despite all that’s been written, there seems to be little interest in talking about the perpetrators of this crime or what should be done about them. In February, CNBC wondered where all the data on the 145.5+ million U.S. consumers went. It hasn’t appeared for sale anywhere and they speculated that the data may have been stolen by a nation-state for the purposes of spying or spy recruitment. The only indications in the government reports of the perpetrators of the Equifax data theft are references to IP addresses. On 29 Jul 17, after the Equifax Countermeasures team updated security certificates to allow the resumption of inspection of encrypted traffic, they immediately identified suspicious traffic between an IP address in China and their server that carried image files related to consumer credit investigations. The next day, Equifax identified more suspicious traffic from an IP address in Germany that was leased to a Chinese provider. Shortly after, the compromised web portal was taken offline.

It seems unduly disproportionate that so much time and energy has been spent repeatedly kicking Equifax while they’re down without also discussing the serious threat and implications of a nation-state stealing the PII of half of all U.S. consumers.

Kansas City Shuffle?

A glaring omission in everything that’s been written regarding Equifax is any mention that the WannaCry attack happened the day before the start of the Equifax breach. Several organizations, including governments, have stated their belief that North Korea was behind WannaCry, and linguistic analysis of the ransomware notes used with WannaCry indicated a high likelihood that they were written by native Chinese speakers. Did China, with (or without — i.e. false flag) North Korean help, pull a Kansas City Shuffle?

Opprobrium for Equifax is likely warranted, but an avalanche of criticism for the perpetrated, unbalanced by concern and condemnation for the perpetrators, seems unwise. The health and security of our nation's businesses, especially those with >$1B in annual revenue, are vital to our nation's economy. Given the attractive targets they pose to criminal hackers and adversarial nation-states alike, the discussion merits more balance.

Time to shift the Equifax conversation.

CYR3CON provides cyber threat intelligence through advanced machine learning algorithms fueled with multi-sourced globally collected hacker community data. CYR3CON’s flagship product, CYR3CON Priority, ranks all vulnerabilities based on threat. Hacker discussions are analyzed with predictive machine learning algorithms that consider conversation content, hacker social structure, reputation, language, etc. in order to help organizations best mitigate risk by prioritizing patching against real-world threats.