Posted on December 14, 2022 at 6:12 PM
Hacking attacks targeting US COVID benefits have grown to be a common and well-documented occurrence at this point. Until now, all previous attacks were believed to be the work of rogue hacking organizations that were simply targeting easy money. However, the US Secret Service has shone a light on some of these attacks, noting that they were conducted by China’s state-backed hacking team known as Wicked Panda.
The Secret Service accused the group of stealing around $20 million since the start of the pandemic. The group, Wicked Panda, also known as APT41, has been active for over a decade now, with some of the earliest activities traced back to 2012. Apart from the theft accusations, the Secret Service also noted that the primary mission of the attackers was espionage. This was concluded from the fact that the attacks were primarily targeting information that could be of use to China’s economic interests. However, that doesn’t mean that the hacking group didn’t conduct for-profit attacks from time to time.
Allegedly, the attackers managed to defraud Small Business Administration loan programs, as well as steal the unemployment insurance funds of more than a dozen states. For the time being, the exact figures remain unknown, as many of the states are still conducting audits of their Covid benefits. However, the authorities believe that fraud and theft have managed to compromise at least 20% of the total federal Covid benefits that were paid out.
There have been so many attacks and incidents that there are thousands of investigations going on at any given moment, so it will likely be a while before the precise damage assessment can be made.
It is also worth noting that fraud and theft on the state level may have been even worse than the federal level situation. However, because the National Counterintelligence and Security Center is understaffed and underfunded, it is believed that in a lot of cases the hackers really did not have to do much hacking to defraud the Covid benefits program.
The big question involving Wicked Panda is whether the group acted on the Chinese government’s orders or whether the thefts were part of the group’s own independent activities. After all, it is believed that the group originated as an independent entity in 2012, when it focused on hacking online video games and conducting fraud in similar environments. However, given its success in conducting attacks, it likely wasn’t long before it attracted the attention of the government.
Since then, Wicked Panda has grown to be quite unique, even among other APT groups, as not all of its attacks involve espionage. Some, such as Covid benefits attacks, seem to be purely financial schemes, indicating that the group does operate with at least partial independence.
Of course, the espionage part of their activities is still a real threat. In fact, an online security company called Mandiant managed to find long-term backdoors into six state governments, and those include only the ones that were identified. The group used the backdoors to steal personal information from the governments, and it was spotted interacting with the state unemployment systems at least twice in 2021, presumably as part of the campaign to steal Covid benefits.
In an attempt to fight back against spy hackers, the US authorities managed to identify several members of the group. These individuals were indicted for espionage against US companies in 2019 and 2020, but for now, they remain in China, far from the law enforcement agencies of the US.
Regarding the Covid funds specifically, the Secret Service believes that attacks and thefts started in mid-2020. Chinese hackers presumably made over 40,000 transactions by using more than 2,000 accounts. The scheme that they used was not revealed by the US authorities, but it is possible that the data stolen in the Equifax breach of 2017 had a role to play in new attacks.
At this point, Cerberus Sentinel’s biometrics specialist, Sami Elhini, says that the failure to protect Covid benefits should be taken as a hint that it is time to review the cybersecurity policy for the US government services.