
Millions of Dollars in Covid Benefits Likely Stolen by Chinese Hackers, Says US Secret Service

Foreign theft of US Covid benefits is a well-documented issue at this point, but to date most of this was presumed to be the work of independent criminal organizations. The Secret Service is now pointing the finger at state-backed Chinese hackers, accusing a known advanced persistent threat group of stealing about $20 million during the pandemic.

The group of Chinese hackers in question, known as “Wicked Panda” or APT41, has been in action since at least 2012. The hackers have a primary mission of espionage and spend most of their time chasing information pertinent to China’s economic interests, but have also been known to engage in occasional for-profit financial crimes.

Chinese hackers made off with $20 million in Covid relief funds, about half recovered

The Chinese hackers reportedly defrauded a Small Business Administration loan program and the unemployment insurance funds of over a dozen states. The full damage is not yet clear, as individual states continue to audit their Covid benefits. In total, fraud and theft are thought to comprise at least 20% of the total federal Covid benefits paid out, but the true number remains unknown as thousands of investigations continue.

State-level fraud and theft may have been even worse than what happened at the federal level. The Office of the Inspector General recently issued a report that found “likely fraudulent” claims were paid 60.5% of the time in four states prior to September 30, 2020. This tracks with assessments by the National Counterintelligence and Security Center that state government IT departments tend to be underfunded and understaffed, though the Chinese hackers may not have even needed to do any real hacking to defraud the Covid benefits programs.

There is some question, however, as to whether the attackers stole funds at the behest of the Chinese government. APT41 is thought to have originated in 2012 as an independent group that focused on hacking and financial fraud in online video games, and was likely recruited by the state on the basis of its initial for-profit activities. The group is unique among China’s multiple known APT groups in periodically being involved in financial schemes rather than espionage, suggesting that it independently gets up to its old tricks for personal profit when it sees an opportunity.

Cybersecurity firm Mandiant had previously found that APT41 had long-term backdoors into at least six state governments, and had been actively exfiltrating personal information. On at least two occasions in 2021, the group was spotted interacting with state unemployment systems that would have been used to handle Covid benefits. It is unclear if the group retained this access after it was discovered in 2021, or managed to work its way back in ahead of the benefits fraud.

Several members of APT41 were identified by US authorities and indicted in 2019 and 2020 for espionage against American companies, but they are thought to be in China and will remain out of reach of law enforcement.

Over $100 billion in total Covid benefits fraud, number likely to grow

The Secret Service believes the Chinese hackers began stealing Covid funds around mid-2020, and made use of about 2,000 accounts that made about 40,000 transactions in total. The agency released little in the way of details about how the scheme unfolded, but APT41 is the group thought to be responsible for the Equifax breach of 2017 that saw credit information for most American adults stolen; it is possible that Social Security numbers and other elements taken in this breach were used to execute the fraud at the scale of tens of millions of dollars.

Erich Kron, security awareness advocate at KnowBe4, notes that the group would have been well-positioned to execute such a scheme given the information it has been gathering for nearly a decade now: “While unfortunate, this news should not come as a shock to people familiar with nation-state level cybercrime. Big money is at stake in the modern cybercrime game and government programs funded with billions of dollars are never going to be off the table. Given the information that has been collected on US citizens by China over the years, fraudulently filing for benefits is far from difficult. The US government has a responsibility to protect our tax dollars from fraud and abuse, unfortunately it seems in at least this case, it has failed to anticipate this outcome.”

APT41 has a long history of for-profit cyber antics, including regular widespread scanning for vulnerabilities and attempts to make use of the Log4Shell vulnerability to penetrate targets. It has deployed ransomware on at least several occasions to make money from victims, but has avoided targets in China with the exception of those participating in the illegal gambling industry (it went on a rash of raids against such companies in 2021). The Chinese hackers have been named “Double Dragon” by FireEye because of the group’s dual focus on moneymaking and CCP-oriented espionage; the researchers also note that its for-profit schemes usually take place during late night hours in the Chinese city where the group is thought to be based, further supporting the theory that the group freelances for money as a sideline to its main gig as a state espionage actor.

Sami Elhini, biometrics specialist at Cerberus Sentinel, sees the widespread failure to protect Covid benefits as a call for a major review of cybersecurity policy for all government services:

“What can be done? I believe this must start with policy. What is the minimum level of identity assurance that’s required to receive a government service? Will everybody be happy about this? Absolutely not, however, this requires balancing those who might be harmed by limited access to services with those who are harmed by cybercrime. Next, if a municipal government interacts with the federal government there need to be minimum standards of security in place which include but are not limited to policy, implementation, validation, analysis and remediation. The reason is that a chain is only as strong as its weakest link. Ultimately this is a multifaceted problem that deals with identity assurance, information assurance and policy. Our leaders and representatives need to mandate and enforce policies that protect our citizens, institutions, and critical infrastructure. If we don’t act swiftly and resolutely, I assure you, we have only seen the tip of an iceberg that pales the sinking of The Titanic in comparison.”