Hackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, according to the Secret Service.
The theft of taxpayer funds by the Chengdu-based hacking group known as APT41 is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged publicly, but may just be the tip of the iceberg, according to U.S. law enforcement officials and cybersecurity experts.
The officials and experts, most speaking on the condition of anonymity because of the sensitivity of the subject matter, say other federal investigations of pandemic fraud also seem to point back to foreign state-affiliated hackers.
“It would be crazy to think this group didn’t target all 50 states,” said Roy Dotson, national pandemic fraud recovery coordinator for the Secret Service, who also acts as a liaison to other federal agencies probing Covid fraud.
The Secret Service declined to confirm the scope of other investigations, saying there are more than 1,000 ongoing investigations involving transnational and domestic criminal actors defrauding public benefits programs, and APT41 is “a notable player.”
And whether the Chinese government directed APT41 to loot U.S. taxpayer funds or simply looked the other way, multiple current and former U.S. officials say, the theft itself is a troubling development that raises the stakes. One senior Justice Department official called it “dangerous” and said it had serious national security implications.
“I’ve never seen them target government money before,” said John Hultquist, the head of intelligence analysis at the cybersecurity firm Mandiant. “That would be an escalation.”
The Chinese Embassy in Washington did not respond to requests for comment.
As soon as state governments began disbursing Covid unemployment funds in 2020, cybercriminals began to siphon off a significant percentage.
The Labor Department Office of Inspector General has reported an improper payment rate of roughly 20% for the $872.5 billion in federal pandemic unemployment funds, though the true cost of the fraud is likely higher, administration officials from multiple agencies say.
In-depth analysis of four states showed 42.4% of pandemic benefits were paid improperly in the first six months, the department’s watchdog reported to Congress last week.
A Heritage Foundation analysis of Labor Department data estimated excess unemployment benefits payments of more than $350 billion from April 2020 to May 2021.
“Whether it’s 350, 400 or 500 billion, at this point, the horse is out of the barn,” said Linda Miller, the former deputy executive director of the Pandemic Response Accountability Committee, the federal government’s Covid relief fraud watchdog.
By the time Covid relief funds appeared as a target of opportunity in 2020, APT41, which emerged more than a decade ago, had already become the “workhorse” of cyberespionage operations that benefit the Chinese government, according to cyber experts and current and former officials from multiple agencies. The Secret Service said in a statement that it considers APT41 a “Chinese state-sponsored, cyberthreat group that is highly adept at conducting espionage missions and financial crimes for personal gain.”
Ambassador Nathaniel Fick, the head of the State Department’s Bureau of Cyberspace and Digital Policy, said cyberespionage is a long-time Chinese national priority aimed at strengthening its geopolitical position.
“The United States is target No. 1, because we are competitor No. 1,” Fick told NBC News. “It’s a really comprehensive, multi-decade, well-considered, well-resourced, well-planned, well-executed strategy.”
American officials have blamed Chinese hackers for the Office of Personnel Management, the Anthem Health and the Equifax breaches, among others.