Chinese government-linked hackers stole at least $20 million in US Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in more than a dozen states, according to the Secret Service.
The theft of taxpayers’ money by the Chengdu-based hacking group known as APT41 is the first case of pandemic fraud linked to foreign state-sponsored cybercriminals that the US government has publicly acknowledged, but which could be just the tip of the iceberg, according to US law enforcement officials and cybersecurity experts.
Officials and experts, most speaking on condition of anonymity due to the sensitivity of the topic, say other federal pandemic fraud investigations also appear to point to hackers affiliated with foreign states.
“It would be crazy to think that this group didn’t target all 50 states,” said Roy Dotson, National Pandemic Enforcement Coordinator for the Secret Service, who also acts as a liaison with other federal agencies investigating pandemic fraud.
The Secret Service declined to confirm the scope of the other investigations, except to say that there are more than 1,000 ongoing investigations involving transnational and domestic criminal actors defrauding public benefit programs, and that APT41 is “a notable actor.”
And whether or not the Chinese government ordered APT41 to plunder US taxpayer funds or simply looked the other way, several current and former US officials say the fact of the theft itself is a troubling development that raises the stakes. A senior Justice Department official called it “dangerous” and said it had serious national security implications.
“I’ve never seen them target government money before,” said John Hultquist, head of intelligence analysis at cybersecurity firm Mandiant. “That would be an escalation.”
The Chinese Embassy in Washington did not respond to requests for comment.
“The horse came out of the stable”
As soon as state governments started disbursing Covid unemployment funds in 2020, cybercriminals started siphoning off a large percentage.
The Labor Department reported an improper payment rate of about 20% for the $872.5 billion in federal pandemic unemployment funds, though the true cost of the fraud is likely higher, according to officials from several agencies.
An in-depth analysis of four states showed that 42.4% of pandemic benefits were paid improperly in the first six months, the department’s congressional watchdog reported last week.
A Heritage Foundation analysis of Department of Labor data estimated excess unemployment benefit payments at more than $350 billion between April 2020 and May 2021.
“Whether it’s 350, 400 or 500 billion, at this point the horse is out of the barn,” said Linda Miller, former deputy executive director of the Pandemic Response Accountability Committee, the federal government’s watchdog against Covid relief fraud.
By the time Covid relief funds emerged as a target of opportunity in 2020, APT41, which emerged more than a decade ago, had already become the “workhorse” of cyber espionage operations that benefit the Chinese government, according to current and former cybersecurity experts and officials from several agencies. The Secret Service said in a statement that it considers APT41 to be a “Chinese state-sponsored cyber threat group highly adept at carrying out espionage missions and financial crimes for personal gain.”
Ambassador Nathaniel Fick, head of the State Department’s Bureau of Cyberspace and Digital Policy, said cyber espionage is a longstanding Chinese national priority aimed at bolstering its geopolitical position.
“The United States is the number one target, because we are the number one competitor,” Fick told NBC News. “It’s a really comprehensive, multi-decade, well-thought-out, well-funded, well-planned and well-executed strategy.”
US officials blamed Chinese actors for the Office of Personnel Management breach, Anthem Health breach, and Equifax breach, among others.
Experts and officials describe China’s model of “state-sponsored” hackers as a network of semi-independent groups doing contract work in the service of government espionage. The Chinese government can order a hacking group to attack a certain target. APT41, also known to cybersecurity firms as Winnti, Barium and Wicked Panda, fits the pattern and is considered a particularly prolific Chinese intelligence asset known to commit financial crimes on the side.
Demian Ahn, a former assistant US attorney who indicted five APT41 hackers in 2019 and 2020, said evidence showed APT41 had enormous reach and resources. The defendants, who were accused of infiltrating governments and corporations around the world while carrying out ransomware and cryptocurrency mining attacks, spoke of “having tens of thousands of machines at a time,” as part of their efforts to obtain information about others and also to generate criminal profits. None of the five Chinese nationals charged has been extradited and the cases remain open.
APT41’s intrusion methods include hacking legitimate software and weaponizing it against innocent users, including corporations and governments. Another tactic is to follow public disclosures about security flaws in legitimate software. APT41 uses this information to target customers who do not immediately update their software, according to a former Justice Department official familiar with the group.
According to experts and officials, the primary purpose of APT41’s state-directed activity is to collect personally-identifying information and data about US citizens, institutions and businesses that can be used by China for espionage purposes.
“They have the patience, the sophistication and the resources to perform hacks that directly impact national security,” said a former Justice Department official familiar with the group.
Law enforcement officials and counterintelligence experts have testified before Congress that currently every American adult has had all or most of their personal data stolen by the Chinese government.
Beijing has increasingly focused on breaching US critical infrastructure in recent years, according to current and former officials and experts on China and cybersecurity, with global campaigns led by APT41.
China’s targets include state governments, which may have inadequate cybersecurity defenses. “State governments don’t allocate a lot of money to cyber protection of their state IT infrastructure,” said William Evanina, the former director of the National Counterintelligence and Security Center, which is part of the Office of the Director of National Intelligence. “So it really is an unprotected Wild West.”
The Covid fraud scheme that the Secret Service has publicly linked to APT41 began in mid-2020 and covered 2,000 accounts associated with over 40,000 financial transactions.
“Where their sophistication comes into play is the ability to work heavy and fast,” Dotson of the Secret Service said.
The agency said it was able to recover about half of the stolen $20 million.
But while Evanina and other officials and experts view APT41’s breach of state systems as a national security concern, they are not convinced the theft of Covid funds was a Chinese government objective. Such thefts increase the risk of criminal prosecution and make it harder for China to obscure the role of the state. They believe that the Chinese government may have simply tolerated hackers profiting from their work.
Many believe that hackers are still inside state computer systems.
Mandiant, which contracts with more than 75 state and local government organizations and agencies, released a report in March saying that APT41 had infiltrated six state governments — and likely more — using backdoors in popular software and had exfiltrated data on citizens.
Hultquist told NBC News that Mandiant analysts uncovered at least two occasions involving interactions with servers associated with state benefits after May 2021.
Current officials would not say whether APT41 still had access to state government networks after being discovered last year.
The Department of Labor, the Small Business Administration, the Cybersecurity and Infrastructure Security Agency and the White House all declined to comment and referred NBC News to the DOJ. The FBI and DOJ declined to comment. The Department of Homeland Security did not respond to requests for comment.
But Evanina said: “Once you are in these systems with the intention of enacting the theft of PII [Personally Identifying Information], you are forever,” noting that at the state and local level, many disparate systems share an interconnected domain. “Unless,” he said, “you destroy the systems and replace everything.”
State agencies across the country, many of which lack the funding and expertise to secure their online delivery systems, continue to battle invisible online attackers.
“If we can get together and really have open, honest conversations about what’s been working well and what’s gone really badly, we’d just be in a much better place to stop this,” said Maryland’s labor secretary, Tiffany Robinson, who said her state’s system is still bogged down by thousands of fraudulent claims and phone calls each week. “Because it’s not over.”
Federal officials acknowledge that they are far from fully accounting for what really happened to benefit programs during the pandemic.
“Many of these criminals we will never be able to charge and locate,” said a federal law enforcement official with direct knowledge of fraud investigations involving China-based hackers. “With the Internet and the dark web, it’s borderless.”