Cyber Incident Victim: Small Business Administration
Date: Jun 2020
Location: United States of America
Summary
A Chinese state-sponsored hacking group stole millions from U.S. COVID-relief funds by targeting the Small Business Administration and unemployment programs across multiple states. The attackers compromised thousands of accounts linked to tens of thousands of transactions, with losses potentially far exceeding confirmed amounts due to widespread fraud in public benefits systems. While half the stolen funds were recovered, broader assessments indicated significant improper payments within pandemic aid distributions. The group, known for blending cyberespionage tactics with personal profit schemes, conducted the campaign during the pandemic, impacting numerous financial systems.
Description
In mid-2020, the Chinese state-sponsored advanced persistent threat group APT41 conducted a cyber campaign targeting U.S. COVID-19 relief funds administered by the Small Business Administration (SBA) and state unemployment insurance programs. The group, based in Chengdu, compromised accounts associated with SBA loans and unemployment benefits across more than 12 states, executing over 40,000 fraudulent financial transactions. The U.S. Secret Service attributed at least $20 million in stolen funds directly to this operation, though officials acknowledged the actual scale likely extended beyond documented cases. Roy Dotson, the Secret Service's national pandemic fraud recovery coordinator, indicated APT41 likely targeted all 50 states given their operational reach. The theft represented the first publicly confirmed instance of a nation-state actor systematically diverting pandemic relief funds through cyber intrusions. APT41 leveraged tools and techniques typically associated with espionage operations, consistent with their historical pattern of blending state-sponsored activities with financially motivated crimes.

The Secret Service initiated recovery efforts that reclaimed approximately $10 million of the stolen $20 million by December 2022, while simultaneously pursuing over 1,000 open investigations into pandemic-related benefit fraud. A separate Labor Department Office of Inspector General analysis of four states revealed broader systemic vulnerabilities, finding 19% of $872.5 billion in federal pandemic unemployment funds—amounting to roughly $165 billion—were improperly distributed due to fraud or errors. APT41's involvement aligned with their established modus operandi documented by FireEye in 2019, when the group conducted ransomware attacks against gaming companies and cryptocurrency thefts for personal profit alongside state-aligned espionage. The incident exposed significant security gaps in emergency relief disbursement systems and underscored APT41's dual motives as both a state-sponsored entity and a financially driven criminal enterprise. Federal investigators did not publicly confirm whether Chinese authorities directly sanctioned the thefts or tacitly permitted the group's activities.
