6 December 2022

Chinese hackers reportedly stole at least $20M in US Covid benefits


Chinese hackers reportedly stole at least $20M in US Covid benefits

Threat actors working on behalf the Chinese government reportedly have stolen tens of millions of dollars in US Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, since 2020, the US Secret Service revealed.

The agency has confirmed a report from NBC News that said that the hacker group believed to be behind the thefts is a China-linked threat actor tracked by the cybersecurity community as APT41.

Also known as Barium, Winnti, Wicked Panda, Wicked Spider, Axiom, Lead, or BlackFly, this APT is one of the most prolific state-sponsored groups linked to the Chinese government. Active since at least 2010, the threat actor is believed to be behind malicious campaigns aimed at a wide variety of sectors, including the healthcare, pharmaceutical, telecommunications, and video game industries across multiple countries, including the US, Japan, South Korea, India, Australia, and the UK.

Several members of APT41 were indicted in 2019 and 2020 by the US Department of Justice for spying on over 100 companies, including software development companies, telecommunications providers, social media firms, and video game developers. 

The theft of taxpayer funds by the Chinese hackers is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the US government has acknowledged publicly, NBC noted. However, the Secret Service did not share the details about the scope of other investigations, saying there are more than 1,000 ongoing investigations involving transnational and domestic criminal actors defrauding public benefits programs, and APT41 is “a notable player.”


Back to the list

Latest Posts

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

The new infostealer was observed in attacks targeting Ukrainian organizations.
8 February 2023
CISA releases tool to recover encrypted VMware ESXi servers

CISA releases tool to recover encrypted VMware ESXi servers

According to CISA’s list of bitcoin addresses, over 2,800 ESXi servers have been encrypted to date.
8 February 2023
Threat actors target Ukrainian government agencies with Remcos spyware

Threat actors target Ukrainian government agencies with Remcos spyware

The attack involves a phishing email ostensibly sent by Ukrtelecom, a major Ukrainian internet service provider.
8 February 2023