Chinese-linked hackers, dubbed APT41, have swiped more than $20 million in money targeted for U.S. Covid relief, the Secret Service told NBC News.
Hackers Hit More Than a Dozen U.S. States
The heists have taken place in more than a dozen states, agency officials told the news outlet, and span Small Business Administration loans and unemployment benefits. It is said to be the first publicly acknowledged incident in which nation-state affiliated cyber attackers have gone after pandemic-related money.
The Covid-19 fraud scheme that the Secret Service has publicly linked to the Chengdu-based APT41 (aka Winnti, Barium and Wicked Panda) began in mid-2020 and spanned 2,000 accounts associated with more than 40,000 financial transactions, NBC said.
The Secret Service said it has recovered about half of the stolen $20 million in the APT41 case. Earlier this summer, the agency said it had clawed back some $286 million in stolen pandemic funds, a small fraction of the billions believed to have been lifted by cyber actors.
Research Labs Targeted
In the first year of the pandemic, Chinese and Russian hackers infiltrated a number of labs and research facilities that were developing vaccines in what appeared to be an espionage operation hunting for intellectual property. Some academic facilities were also breached. But those incidents differ markedly from this activity: federal law enforcement considers these latest intrusions “dangerous,” a Justice Department agent told NBC.
It’s not known whether the Chinese government directly sponsored the crew or “simply looked the other way,” the report said. One U.S. official said that APT41 is one of a number of cyber groups named in hundreds of open investigations into domestic and transnational cyber gangs seeking to steal public benefits.
Secret Service officials described Wicked Panda to NBC as “highly adept at conducting espionage missions and financial crimes for personal gain.” Five of Wicked Panda's operatives are currently under federal indictment, but they have not been extradited and remain at large.
U.S. federal officials fully expect the campaign will cover the entire country. “It would be crazy to think this group didn’t target all 50 states,” Roy Dotson, national pandemic fraud recovery coordinator for the Secret Service, who also acts as a liaison to other federal agencies probing Covid fraud, told NBC. A senior Justice Department official called it “dangerous” and said it had serious national security implications.
What's Wicked Panda Up To?
Wicked Panda has reportedly been siphoning troves of intellectual property and other data from dozens of manufacturers in North America, Europe and Asia across multiple critical industries over the past three years, according to a recent investigation by Cybereason, a provider of extended detection and response services.
During its examination, Cybereason found that the gang had been running Operation CuckooBees undetected since at least 2019. The most “alarming revelation,” it said, was that the affected companies weren’t aware they had been breached.
The intrusions gave Winnti “unfiltered access” to blueprints, sensitive diagrams and other proprietary data, Cybereason said. Winnti has been active since at least 2010 and is linked to attacks on dozens of U.S. companies.
Cybereason based its conclusions on forensic artifacts of Winnti intrusions, the company said.