Hackers backed by the Chinese government stole at least $20m from Covid-19 relief funds in the US, officials in Washington believe. Other countries such as the UK are likely to have been hit with similar attacks, a security researcher told Tech Monitor.
A Chinese APT group known as APT41 is behind the raid which saw at least $20m stolen, a US Secret Service spokesperson has told NBC.
The theft was uncovered as part of a wider investigation into pandemic funds fraud carried out by the US Secret Service, which announced on Friday that it had recovered $286m in Covid-19 relief funds.
Covid-19 relief funds targeted by Chinese hackers APT41
It is thought APT41 targeted Small Business Administration loan money, designed to help companies get through the pandemic, and unemployment insurance funds in more than a dozen US states.
Though the US is the first country to report that its pandemic funds were targeted by international hackers, others are likely to follow, says Allan Liska, cybersecurity lead at security company Recorded Future.
“There were a lot of funds that were sent out, and in many countries there wasn’t a lot of oversight,” Liska says. “Both cybercriminals and now nation-state actors were able to take advantage of that to redirect funds. The same thing will have happened in other countries as well.”
In February the UK government announced that up to £16bn was lost due to “fraud and error” in Covid-19 loan schemes. Some of this lost cash is likely to have been taken by cybercriminals, Liska says. “This would be right in line with the kind of thing that nation-state hackers, particularly from countries like North Korea, like to engage in, in order to steal funds,” he says. “We just haven’t seen the evidence yet.”
Hackers could have easily used stolen data from the dark web to fake an application to one of the schemes, Liska adds. “Even if the governments had good cybersecurity practices in place, because there are so many stolen credentials that are available in underground markets, it would be really easy to fake a Covid application using someone else’s name,” he says.
Who are APT41?
Over the past seven years APT41, also known as BARIUM, has targeted countries in Europe, South East Asia and the US. It has been found to target political, economic and military organisations, according to a report from security company SOCRadar.
In 2020, the FBI released an international “most wanted” poster showing the faces of four indicted members of the group, who faced charges including racketeering, money laundering, fraud, identity theft and access device fraud.
These charges stem from hacking activities carried out while employed by Chengdu 404 Network Technology Company. According to the poster, “the defendants allegedly conducted supply chain attacks to gain unauthorised access to networks throughout the world, targeting hundreds of companies in Australia, Brazil, Germany, India, Japan and Sweden.”
The US Secret Service has told NBC that there are more than 1,000 ongoing investigations into benefit scams involving transnational criminal actors, and that APT41 is a key player in this space.