Chinese Hackers’ Covid-Relief Fraud Expands Cyber Threats to US

Dec. 7, 2022, 8:40 PM

The US Secret Service allegation that a Chinese hacking organization stole tens of millions of dollars in US Covid-19 relief funds broadens the threats the nation and its citizens face from the cybercriminals, according to cybersecurity professionals and attorneys.

State-sponsored cyber threat group APT41 fraudulently obtained $20 million that was distributed as pandemic relief, the Secret Service told Bloomberg Law on Tuesday, confirming a report first published by NBC News.

The theft marks what’s believed to be the first time the group—best known for cyber espionage and financial crimes—has been publicly confirmed to have targeted US government funds. The money reportedly included Small Business Administration loans and unemployment insurance funds.

It also demonstrates APT41’s potential to defraud the US on a larger scale, given the depth of information it has collected on the American public, cybersecurity professionals and attorneys said.

It’s unclear whether authorities believe APT41 hacked into government systems or citizens’ personal accounts to obtain the Covid-relief funds, or if they tapped into already stolen data to engage in identity fraud. The Secret Service declined to provide additional details about the manner of the theft, noting that “with respect to a potentially ongoing investigation, we have no further publicly available information.”

Though it may be difficult for individual US citizens to imagine themselves as targets of a foreign nation like China, that exact risk is growing, said Robinson Cole LLP cybersecurity partner Linn Freedman.

“When you look at how many records they have, talk about massive fraud,” Freedman said. “If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all.”

China’s Washington embassy did not respond to multiple telephone and email requests for comment.

Expanded Threat Horizon

While too few details are currently available to assess the security lapses that led to fraudulent activity linked to the relief funds, the theft is unlikely to be an isolated incident, said Mike Hamilton, the chief information security officer at cybersecurity firm Critical Insight.

Hamilton’s theory is that the theft was a “beta test” of APT41’s ability to defraud the US government and that the group simply targeted the most easily accessible funds.

Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on Dec. 1.

The key issue at hand is the state-sponsored group’s ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data.

The sophistication of groups like APT41 is high, according to Alexander Urbelis, a Crowell & Moring LLP senior counsel specializing in tracking cybersecurity threats. The same can be said of their cyberattacks.

“I think you need to derive China’s technical capabilities not on the basis of what we’ve seen them do in the past, but on the basis of what they have access to,” Urbelis said.

“When you combine data crunching together with machine learning, artificial intelligence, as well as advanced cyber adversary capabilities, you have a very dangerous and powerful adversary for the foreseeable future,” he said.

Paul Dant, the senior director of cybersecurity strategy at cybersecurity firm Illumio, said the fraud indicates that foreign threat actors have access to more US government systems than previously believed.

APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022.

Deterring Future Fraud

While the Secret Service reportedly has recovered over $10 million of the stolen pandemic relief funds, avenues for additional recourse appear limited, Freedman and Urbelis said.

Criminal conviction of any APT41 member involved in the theft would be challenging given tense diplomatic relationships, Freedman said.

Additionally, previous indictments of the organization’s members by the Justice Department went nowhere, Urbelis said.

More details on the tactics, techniques, and procedures APT41 employed in this case should be publicized by the Secret Service or other government entities investigating the theft to shore up security gaps and prevent future incursions, according to Urbelis.

The best proactive action the US government can take would be to identify and disrupt the networks that APT41 relied on—such as service providers—to access US systems, Urbelis said.

If the hackers engaged in identity fraud, for example, the government could shore up authentication requirements for citizens claiming relief funds, Hamilton said.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Jay-Anne B. Casuga at jcasuga@bloomberglaw.com; Tonia Moore at tmoore@bloombergindustry.com