Category Archives: Cyber War

Items SecState Pompeo Manages in Dealing with N Korea

Posted on by
All is not so copacetic with North Korea. The United States has many channels of intelligence regarding North Korea and dealing with Kim Jung Un with many of the moving parts requires diplomatic artistry.
Below are but two examples and the prediction of a second summit between the United States and North Korea being noted, the logistics is a chess game.
Pompeo Meets North Korean Leader Kim Jong Un | One-News
FireEye has released a report stating the tools and techniques used by the group, “We believe APT38’s financial motivation, unique toolset, and tactics, techniques, and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense.
In their official blog, the company further explained the distinction of the group from any other hackers out there. Foremost, the malware tools used overlap or are similar indicating the similar developer behind the scenes.
The general pattern used by APT38 was observed to be this way –
  • First, the information is gathered by targeting third-party vendors to understand the mechanics of their transactions.
  • Then, initial compromise takes place followed by internal reconnaissance, pivot to victim servers used for swift transactions.
  • After this, finally, the funds are transferred or stolen.
  • This group does not stop just there but it removes all the evidence that might help the authorities trace them back or know the exact way or methodology of the fraud.
FireEye addressed the threat the group poses to its targeted sector by stating, “APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying to not only cover its tracks but also to provide cover for money laundering operations.The full 32 page report is here.
Meanwhile:

The U.S. Treasury Department last week sanctioned a Turkish company, two Turkish individuals, and a North Korean individual for violating UN sanctions on Pyongyang. These sanctions came just before Secretary of State Mike Pompeo’s fourth trip to North Korea in preparation for an anticipated second Trump-Kim summit.

Treasury targeted the Turkey-based company SIA Falcon International Group; the company’s chief executive officer, Huseyin Sahin; the company’s general manager, Erhan Culha; and North Korea’s economic and commercial counselor in Mongolia, Ri Song Un. The sanctions were issued pursuant to Executive Order 13551, which restricts trade in arms and luxury goods with North Korea. UN Security Council Resolution 1718 from 2006 also prohibits member states from conducting such trade.

In a press release, Treasury noted that SIA Falcon operates in Latvia. In February 2018, Treasury’s Financial Crimes Enforcement Network (FinCEN) named ABLV Bank of Latvia an institution of primary money laundering concern. FinCEN noted that ABLV “institutionalized money laundering as a pillar of the bank’s business practices” and conducted illicit financial transactions for North Korean procurement or export of ballistic missiles. Treasury did not confirm, however, that SIA Falcon’s Latvian branch office used ABLV’s bank services.

Treasury’s latest sanctions came the same day as The Rodong Sinmun, a North Korean state-run newspaper, published an article lambasting U.S. sanctions policy. Just days earlier, North Korea’s foreign minister, Ri Yong Ho, implored the UN Security Council to lift sanctions in response to Pyongyang’s moves to freeze missile and nuclear testing and to destroy the Punggye-ri test facility. However, until North Korea agrees to denuclearization and a full declaration of Pyongyang’s nuclear weapons program, facilities, and capabilities, Washington has confirmed it will not ease sanctions pressure

After Secretary Pompeo’s latest trip to North Korea, Pyongyang’s media outlets suggested U.S.-North Korea relations are improving. Of course, these latest designations, as well as ongoing U.S. diplomatic efforts to ensure international compliance with UN sanctions, could stir further tensions. Despite these risks, the sanctions send a useful message to Pyongyang that the Trump administration will not back down until the Kim regime meets its core demands. Hat tip FDD.

Google Doc Notes Tech Media Censorship

Posted on by

The Good Censor – GOOGLE LEAK by on Scribd

   The other cyber war…censorship.

Primer:

Google should refuse to develop a censored search engine for China, Vice President Mike Pence said Thursday while criticizing the Communist regime.

“Google should immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers,” Pence said at the Hudson Institute in Washington, D.C.

Pence’s recommendation came amid a broad criticism of China’s domestic repression and international aggression. But his turn towards Google attests to how U.S. leaders also see Beijing’s relationship with American institutions as a source of unwarranted strength for Chinese leaders, even as President Trump takes a more confrontational posture towards the rising Asian power. More here.

 

Summary background on the 85 page document authored by Google and published by Breitbart:

Leaked Google documents suggest the tech giant wants increased censorship of the internet and believes other internet firms should police debate online.

The 85-page paper, leaked by a Google employee, claims that cyber harassment, racism and people venting their frustrations are ‘eroding’ free speech online.

It says that the ability to post anonymously has ’empowered’ online commenters to express their views ‘recklessly’ and ‘with abandon’.

Censoring the internet could make comment sections safer and more civil for everyone, the report concludes.

The report reads: ‘When they’re angry, people vent their frustrations.

‘But whereas people used to tell friends and family about bad experiences, the internet now provides a limitless audience for our gripes.’

Anonymity of users is also earmarked as a potential danger online, claiming that people were more likely to share abhorrent or radical views due to the lack of accountability.

Racism, hate speech, trolling and harassment are also mentioned in the extensive report, which was leaked to Breitbart.

It adds: ‘Although people have long been racist, sexist and hateful in many other ways, they weren’t empowered by the internet to recklessly express their views with abandon.’

Groups which were once minority have been emboldened to discuss their radical views online as the internet provides them with a safe space to communicate, the report suggests.

In response to the leak, Google insisted the document was not company policy, though it admitted the research was something being considered by top bosses.

Internet rights advocates said that censoring online debate risks hampering free speech and creating an environment in which the views of some groups are not tolerated by big technology firms.

Of harassment, Google says: ‘From petty name-calling to more threatening behaviour, harassment is an unwelcome component of life online for all too many users.’

It goes on to suggest that Google should monitor the tone of what is said as opposed to the content, and that the firm should not adopt a political standpoint in arguments.

‘Shifting with the times’, depending on the mood around censorship, is also not ruled out.

***

Google intends to launch a controversial censored version of its Search app for China by July 2019.

‘Dragonfly’ is a rumoured effort inside Google to develop a search engine for China that would censor certain terms and news outlets, among other things.

Outside of high-profile leaks, few details have emerged on what the search engine entails as Google has kept tight-lipped on the project.

A former Google employee warned in August of the web giant’s ‘disturbing’ plans in a letter to the US’s senate’s commerce committee.

Jack Poulson said the proposed Dragonfly website was ‘tailored to the censorship and surveillance demands of the Chinese government’.

In his letter he also claimed that discussion of the plans among Google employees had been ‘increasingly stifled’.

Mr Poulson was a senior research scientist at Google until he resigned last month in protest at the Dragonfly proposals. Read more here from DailyMail.

Trump Admin Trying to Get a Cyber Doctrine

Posted on by

October is national cyber awareness month, frankly every month and every day should be an awareness day.

octo | Office of the Chief Technology Officer

So, back in late 2017, the House passed by a voice vote H.R. 3559 – Cybersecurity and Infrastructure Security Agency Act of 2017. As you may guess, it is stalled in the Senate.

Meanwhile, in an effort to mobilize and consolidate cyber operations for the United States, there is no consensus within Congress. Should every government agency has a cyber division? Should the United States be able to perform counter cyber attacks? What kind of a cyber attack on the United States constitutes an act of war?

Just last month, Politico published a piece stating in part:

Recent reports that Russia has been attempting to install malware in our electrical grid and that its hackers have infiltrated utility-control rooms across America should constitute a significant wakeup call. Our most critical infrastructure systems are vulnerable to malicious foreign cyberactivity and, despite considerable effort, the collective response has been inadequate. As Director of National Intelligence Dan Coats ominously warned, “The warning lights are blinking red.”

A successful attack on our critical infrastructure — power grids, water supplies, communications systems, transportation and financial networks — could be devastating. Each of these is vital to our economy, health and security. One recent study found that a single coordinated attack on the East Coast power grid could leave parts of the region without power for months, cause thousands of deaths due to the failure of health and safety systems, and cost the U.S. economy almost $250 billion. Cyberattacks could also undermine our elections, either by altering our voter registration rolls or by tampering with the voting systems or results themselves.

The op-ed was written by retired General and former CIA Director David Petraeus who is arguing: “Our grab-bag approach isn’t working. Gen. David Petraeus says it’s time to go big.”

Actually, I agree with General Petraeus on his position. Last month also, John Bolton on the White House National Security Council declared that the U.S. is going on the offensive. Yet in an interesting article, Forbes offers a point and counter-point to that argument.

Last week, President Trump spoke to world leaders about how China is interfering in U.S. elections via the cyber realm. While no evidence has been offered, that is not to say there is no evidence, it is a common tactic of China. Additionally, the United States is offering robust assistance to NATO allies.

Acting to counter Russia’s aggressive use of cyberattacks across Europe and around the world, the U.S. is expected to announce that, if asked, it will use its formidable cyberwarfare capabilities on NATO’s behalf, according to a senior U.S. official.

The announcement is expected in the coming days as U.S. Defense Secretary Jim Mattis attends a meeting of NATO defense ministers on Wednesday and Thursday.

Katie Wheelbarger, the principal deputy assistant defense secretary for international security affairs, said the U.S. is committing to use offensive and defensive cyber operations for NATO allies, but America will maintain control over its own personnel and capabilities.

The decision comes on the heels of the NATO summit in July, when members agreed to allow the alliance to use cyber capabilities that are provided voluntarily by allies to protect networks and respond to cyberattacks. It reflects growing concerns by the U.S. and its allies over Moscow’s use of cyber operations to influence elections in America and elsewhere.

“Russia is constantly pushing its cyber and information operations,” said Wheelbarger, adding that this is a way for the U.S. to show its continued commitment to NATO.

Wheelbarger told reporters traveling to NATO with Mattis that the move is a signal to other nations that NATO is prepared to counter cyberattacks waged against the alliance or its members.

Much like America’s nuclear capabilities, the formal declaration of cyber support can help serve as a military deterrent to other nations and adversaries.

The U.S. has, for some time, considered cyber as a warfighting domain, much like air, sea, space and ground operations. In recent weeks the Pentagon released a new cybersecurity strategy that maps out a more aggressive use of military cyber capabilities. And it specifically calls out Russia and China for their use of cyberattacks.

China, it said, has been “persistently” stealing data from the public and private sector to gain an economic advantage. And it said Russia has use cyber information operations to “influence our population and challenge our diplomatic processes.” U.S. officials have repeatedly accused Moscow of interfering in the 2016 elections, including through online social media.

“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of a crisis or conflict,” the new strategy states, adding that the U.S. is prepared to use cyberwarfare along with other military weapons against its enemies when needed, including to counter malicious cyber activities targeting the country. Read more here.

Not to be left out is North Korea.

The Department of Homeland Security, the Department of the Treasury, and the Federal Bureau of Investigation have identified malware and other indicators of compromise used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

For more information, see:

Yup, in closing…..we agree with General Petraeus….it is long overdue to go big and go NOW.

Thwarted Plot of Swiss Laboratory Working the Novichok Case

Posted on by

Western intelligence agencies thwarted a plot involving two Russians intending to travel to a Swiss government laboratory that investigates nuclear, biological and chemical weapons, and hack its computer systems. According to two separate reports by Dutch newspaper NRC Handelsblad and Swiss newspaper Tages-Anzeiger, the two were apprehended in The Hague in early 2018. The reports also said that the Russians were found in possession of equipment that could be used to compromise computer networks. They are believed to work for the Main Intelligence Directorate, known as GRU, Russia’s foremost military intelligence agency. The apprehension was the result of cooperation between various European intelligence services, reportedly including the Dutch Military Intelligence and Security Organization (MIVD).

The laboratory, located in the western Swiss city of Spiez, has been commissioned by the Netherlands-based Organization for the Prohibition of Chemical Weapons (OPCW) to carry out investigations related to the poisoning of Russian double agent Sergei Skripal and his daughter Yulia in March of this year. It has also carried out probes on the alleged use of chemical weapons by the Russian-backed government of President Bashar al-Assad in Syria. In the case of the Skripals, the laboratory said it was able to duplicate findings made earlier by a British laboratory.

Switzerland’s Federal Intelligence Service (NDB) reportedly confirmed the arrest and subsequent expulsion of the two Russians. The Swiss agency said it “cooperated actively with Dutch and British partners” and thus “contributed to preventing illegal actions against a sensitive Swiss infrastructure”. The office of the Public Prosecutor in the Swiss capital Bern said that the two Russians had been the subject of a criminal investigation that began as early as March 2017. They were allegedly suspected of hacking the computer network of the regional office of the World Anti-Doping Agency in Lausanne. The Spiez laboratory was a target of hacking attempts earlier this year, according to a laboratory spokesperson. “We defended ourselves against that. No data was lost”, the spokesperson stated.

On April 14, Russian Minister of Foreign Affairs Sergei Lavrov stated that he had obtained the confidential Spiez lab report about the Skripal case “from a confidential source”. That report confirmed earlier findings made by a British laboratory. But the OPCW, of which Russia is a member, states that its protocols do not involve dissemination of scientific reports to OPCW member states. Hence, the question is how Foreign Minister Lavrov got hold of the document.

As intelNews reported in March, in the aftermath of the Skripals’ poisoning the Dutch government expelled two employees of the Russian embassy in The Hague. In a letter [.pdf] sent to the Dutch parliament on March 26 —the day when a large number of countries announced punitive measures against Russia— Holland’s foreign and internal affairs ministers stated that they had decided to expel the two Russian diplomats “in close consultation with allies and partners”. The Russians were ordered to leave the Netherlands within two weeks. It is unknown whether the two expelled Russian diplomats are the same two who were apprehended in The Hague, since none have been publicly named.

A November 2017 parliamentary letter from Dutch minister of internal affairs Kajsa Ollongren, states[4] that Russian intelligence officers are “structurally present” in the Netherlands in various sectors of society to covertly collect intelligence. The letter added that, in addition to traditional human intelligence (HUMINT) methods, Russia deploys digital means to influence decision-making processes and public opinion in Holland.

***

Meanwhile:

The investigation can be viewed here

An ongoing Bellingcat investigation conducted jointly with The Insider Russia has confirmed through uncovered passport data that the two Russian nationals identified by UK authorities as prime suspects in the Novichok poisonings on British soil are linked to Russian security services.

The reporting team determined that the passport data of Petrov is highly unusual and indicates that he is linked to Russian security services.

Alexander Petrov’s passport dossier is marked with a stamp containing the instruction “Do not provide any information”.  This stamp does not exist in standard civilian passport files. A source working in the Russian police force who regularly works with the central database confirmed to Bellingcat and The Insider that they have never such a stamp on any passport form in their career.  That source surmised that this marking reserved for operatives of the state under deep cover.

Hat tip.

Equifax had Evidence of Chinese Espionage Before the Hack

Posted on by

Fascinating that there is always more to the story. Remember, this was/is confidential and personal data. Further, Alibaba is a Chinese international holding company that is a counterpart to Amazon and specializes in artificial intelligence based in Hangzhou, China.

The General Accounting Office issued a report on Equifax. The GAO analysis detailed the steps Atlanta-based Equifax has taken since the breach to prevent similar attacks in the future. Last year, hackers had found a vulnerability in Equifax servers that gave them access to customer login credentials.

The report said the hackers hid in Equifax’s system for more than two months and mined data for credit card numbers, drivers licenses and social security numbers. The breach led the agency to make $200 million in security upgrades.

WSJ: Two years before Equifax Inc. stunned the world with the announcement it had been hacked, the credit-reporting company believed it was the victim of another theft, only this time at the hands of Chinese spies, according to people familiar with the matter.

In the previously undisclosed incident, security officials feared that former employees had removed thousands of pages of proprietary information before leaving and heading to jobs in China. Materials included code for planned new products, human-resources files and manuals.

Equifax went to the Federal Bureau of Investigation and the Central Intelligence Agency. Investigators from the company and the FBI came to view events at Equifax as potentially a huge theft of data—not of consumers’ personal data, as happened with the subsequent 2017 hacking of Equifax’s files, but of confidential business information.

Equifax security officials briefed the then-chief executive, Richard Smith, at a fall 2015 meeting, spreading high stacks of paper across the length of the boardroom table. The voluminous printouts represented what they feared was stolen. Adding to suspicions, the Chinese government had recently asked eight companies to help it build a national credit-reporting system.

At one point, Equifax grew so worried it began building a way to monitor the computer activity of all of its ethnic-Chinese employees, according to people familiar with the investigation. The resource-heavy project, which raised legal concerns internally, was short-lived.

Some investigators believed Equifax’s intense focus on the matter contributed to a delay in the company’s understanding the extent of the 2017 hack of consumers’ information, an event that hammered Equifax’s stock, cost some executives their jobs, including Mr. Smith, and damaged the company’s reputation.

Ultimately, the previously undisclosed investigation undertaken by the FBI stalled. The FBI wanted to pursue a criminal case, believing the theft of trade secrets costs the U.S. hundreds of billions of dollars a year, with China the leading offender, said people familiar with the investigation. Equifax began to worry about legal exposure and how onerous the inquiry could become, according to these people, and eventually reduced its cooperation with law enforcement.

That left many of the questions raised by the investigation, both about Equifax and about China, unresolved.

This account of the events at Equifax is based on people familiar with the investigation.

Equifax, in a written statement, said it became aware in 2015 of “efforts by a former employee to obtain company information, and launched an internal investigation into his activities.” The company “brought the investigation to the attention of U.S. law enforcement authorities and cooperated with the federal agencies,” Equifax said.

“Although this individual had improperly obtained proprietary Equifax information,” the statement said, “the information we determined was accessed was general in nature and not material or harmful to Equifax, consumers or our business clients.” Equifax said the company has “no evidence to suggest that consumer data or other personal information was compromised, or that this individual targeted this type of information.”

Equifax didn’t address in its statement whether it thought other employees were involved. A person familiar with the company’s thinking disputed the notion that Equifax reduced its cooperation with law enforcement in a probe it had itself triggered.

Representatives of the FBI and CIA declined to comment. The Chinese Embassy in Washington didn’t respond to requests for comment.

One of the former employees Equifax and the FBI investigated in connection with a possible business-information theft was Daniel Zou, who worked in Toronto. The company he joined in China was Ant Financial, a fast-growing financial-technology affiliate of Alibaba Group Holding Ltd. , founded by billionaire Jack Ma.

Both Ant and Mr. Zou denied any involvement in taking proprietary Equifax data. Alibaba referred questions to Ant.

Ant, based in Hangzhou, China, said it “has never used Equifax code, scripts or algorithms in the development of its own products and services.”

Mr. Zou, in a sworn statement provided by his lawyer, said, “I deny that I worked with or consulted with a network of Equifax colleagues to steal Equifax code for Ant Financial or that I provided any such code to Ant Financial.”

Interviewed by The Wall Street Journal in Washington, Mr. Zou, a 35-year-old Chinese-born Canadian citizen who graduated from the University of Toronto, repeated his denial and said that learning from the Journal of Equifax’s suspicions had been “a nightmare.”

Those suspicions arose in 2015, a few months after Mr. Zou left his job as an Equifax product manager to join Ant’s new credit-scoring business, which is known as Sesame Credit in English. Ant was among the companies asked by China’s central bank to develop credit-scoring services. Sesame launched its service in January 2015, several months before Mr. Zou came aboard.

Equifax’s data-loss prevention system, which guards against sensitive information leaving the corporate network, flagged the activities of Mr. Zou, according to people familiar with the investigation. The system alerted that an employee might have taken data off the network, and initially registered it as benign, they said.

Mr. Zou said in his interview with the Journal that, according to his understanding of how the system works, it would warn the person removing the data on the spot. He said he never received such a warning. Equifax declined to say whether that is how the system works or whether Mr. Zou received a warning.

At the same time, Equifax officials also had suspicions about a different employee, in another city. Equifax’s security chief, Susan Mauldin, approached the FBI with a question: What would it look like if we were being targeted by China?

FBI officials told her that in one common technique, a group makes plans to visit a company’s office to pitch a partnership, then at the last minute replaces delegation members with spies.

Around this time, a delegation from a Chinese business visited Equifax and swapped out some members at the last minute, fueling Equifax’s suspicions it was a target.

Company security officials decided to examine Mr. Zou’s computer activity. They discovered he had printed out thousands of pages of company information. The material related to the way credit scores are obtained, what different pieces of data mean and how to apply algorithms to assess troves of data, according to the people familiar with the investigation. They said some was information that could help explain products Equifax was working on.

At around the same time they were examining Mr. Zou’s systems, investigators discovered what they believed to be a major infiltration campaign. They found that other employees had sent code to their personal email accounts and uploaded it to software-development platforms others could access.

According to the people familiar with the probe, the investigators, by talking to Equifax employees and examining email accounts and LinkedIn messages sent to them, saw indications that recruiters purporting to represent Ant affiliate Alibaba had offered to triple salaries for certain ethnically Chinese Equifax employees—and provided instructions on specific Equifax information they should bring along if they jumped ship.

The investigators saw, as well, that Mr. Zou had searched the Equifax human-resources system to look up data analytics teams in the U.S. He had printed out contact information for many ethnic-Chinese employees, according to people familiar with the probe. They said some of those employees told colleagues they were later contacted by recruiters who claimed to be working on behalf of Alibaba.

The investigators found notes on Chinese messaging service WeChat in which another group of Equifax employees in North America, using their company-issued phones, arranged off-hours meetings to discuss work projects and left the company soon after, saying they were going to Ant or Sesame for big raises.

Ant said Mr. Zou is the only former Equifax employee it has hired since it began collecting employment history information in 2011. Ant said Mr. Zou began at its credit-scoring business in May 2015. It listed a five-figure starting salary for Mr. Zou and said he wasn’t promised any large bonuses.

Ant said it didn’t “directly or indirectly through third-party recruiters” encourage job applicants to steal Equifax information. Ant prohibits employees and recruiters from requesting such activity, the company said, adding that third-party recruiters aren’t authorized to make job offers on its behalf.

Ant said it hadn’t been contacted by Equifax or any government investigators about such matters. After receiving an inquiry from the Journal about Mr. Zou, Ant said, it investigated his information-technology activities and found no evidence he had ever provided Ant with any Equifax code, scripts or algorithms.

Mr. Zou said he worked in marketing and didn’t have access to Equifax code, algorithms and other proprietary information; never took any to Ant; wasn’t asked to; and never encouraged others to.

“I deny that I searched an internal Equifax human resources database to recruit Equifax employees to join Ant Financial,” Mr. Zou said in the sworn declaration provided by a lawyer. “I further deny that I printed contact information for ethnic-Chinese Equifax employees as part of an effort to recruit such employees to join Ant Financial.”

In the Journal interview, Mr. Zou said, “I think [where] this might come from is that during my time at Equifax I had a habit of sending work-related documents to my own email so that I could work at home. If any of those contain [any] of what they call the alleged proprietary information, right after I left Equifax and before I went back to China, I deleted them all. And I did not share that with anybody.”

If investigators were alarmed by his email practices, Mr. Zou said, “I think that’s a huge misunderstanding.”

Mr. Zou also said he printed out employee contact information for projects that required him to work with global colleagues. “Equifax Canada did not want to reinvent the wheel from beginning,” he said, “so my job was to piggyback the success case” from the company’s U.S., U.K. and Latin American regions.

He said he disposed of all the documents before moving to China and joining Ant, and he denied targeting any ethnicity. “If you search a data analytics team, the likelihood is high that you will reach a Chinese employee,” he said.

Mr. Zou said he had never been contacted by Equifax or any government authorities about data theft, and learning he was suspected caused him “emotional turmoil.”

Although Equifax had gone to the FBI—and although the bureau was eager to pursue the matter—Equifax officials by the middle of 2016 had grown wary of providing more information to federal investigators.

Equifax worried that doing so could trigger requirements under securities law for disclosure of material information, said the people familiar with the investigation. They said Equifax also was concerned that handing over access to its entire network, including international operations, as the FBI had requested, could run afoul of obligations in some countries where Equifax operates.

Around the middle of 2016, Equifax told its internal investigators to comply with any potential subpoenas but to stop proactively providing information to law enforcement, said the people familiar with the investigation.

The person familiar with Equifax who disputed the notion the company directed employees to be uncooperative said: “As the investigation progressed, we did ask that requests for information be passed through our legal office to ensure we were adhering to standard legal protocols.”

Equifax continued to monitor certain employees through 2016 and 2017. It eventually confronted several ethnically Chinese employees over activities found in its investigation, who left before the company took further action, according to people familiar with the probe.

FBI officials in Atlanta got the impression from Equifax’s then-CEO, Mr. Smith, and legal staff that the company didn’t believe it generally had information valuable enough to be the target of a major Chinese campaign.

Mr. Smith told colleagues even if thieves had taken code, they didn’t have Equifax’s consumer data, which meant the theft wouldn’t pose a competitive threat. Moreover, Equifax didn’t see a material impact on current operations because the information that appeared to have been stolen related to products in development, not to existing ones.

The U.S. attorney’s office in Atlanta ultimately determined it didn’t have evidence the suspected thefts were directed by the Chinese government, a top priority for law enforcement. The prosecutors decided they wouldn’t pursue a case against any individual, since Equifax wasn’t eager to do so, and since what former employees were suspected of taking was corporate information, rather than anything directly affecting U.S. consumers.

The U.S. attorney’s office declined to comment.

Then, in September 2017, came blockbuster news from Equifax: the disclosure that a hacking of its files had exposed highly sensitive personal data on more than 140 million Americans.

Equifax had learned six months earlier, in March 2017, of a software vulnerability, but waited months to fully check its encrypted traffic to see whether it had been breached. Only in July 2017 did Equifax realize the hack had exposed personal information, including Social Security numbers and dates of birth, of nearly half the U.S. population.

This delay was partially due to Equifax’s failure to resolve a dispute between its technology and information-security staffs at a time when top security people were focused on possible infiltration from China, in the opinion of some of the people familiar with the investigation.

The person familiar with Equifax’s thinking said the hack involved both human error and technological failure, and Equifax has been forthcoming about the causes.

In the weeks following the disclosure of that giant 2017 breach, Mr. Smith resigned, as did Ms. Mauldin and Equifax’s chief information officer, David Webb. All either couldn’t be reached or didn’t respond to requests for comment.

In January 2018, Chinese officials rolled out a state-backed credit-scoring company and gave Ant Financial an 8% stake.

Mr. Zou has returned to Canada. Ant transferred him from Sesame Credit to its Alipay international business unit in Hangzhou in mid-2017. On June 1 of this year, he moved to Alipay Canada in Vancouver.