Botnets, Telegram Helped Criminals Steal $163B in COVID Aid

Sophisticated and relentless cyberattacks facilitated the theft of $163 billion in government funds intended to support U.S. citizens and businesses during the COVID-19 pandemic.

The Washington Post, which first reported the news, said cybercriminals deployed botnets to flood COVID-19 aid applications and used the messaging app Telegram to share successful tactics across multiple messaging groups boasting hundreds of thousands of members.

These messaging apps were also used to help malicious actors find more information about how to use already stolen personal information, according to the report, which was based on testimony from a congressional hearing held earlier this year by the U.S. Department of Labor.

Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, pointed out that the actual dollar amounts involved—$163 billion out of $5 trillion in total COVID-19 aid—represented about 3.26% of the total, which is around the average for other forms of social spending fraud (in 2019 the SNAP program had a 7.36% error rate for payments).

COVID-19 Funds Made a Tempting Target

“Cybercriminals, whether through ransomware-as-a-service like the Conti ransomware gang, billions of individual credentials available on the dark web, or the theft of COVID-19 aid program money, are both sophisticated and focused,” he said. “They go where the money is and will use automation where possible.”

He added the combination of readily available personal information, automated systems for filing COVID-19 aid claims and the urgency to pay claimants during a crisis were all contributing factors to the use of botnets in perpetrating fraud at this scale.

Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services, pointed out the $163 billion also included overpayments to folks who may have incorrectly filled out details, as well as some who may have just claimed excessively.

“What this does do, in very real terms, is show just how valuable identity information is when there is a crisis,” he said. “Most of the fraudulent claims were probably done using stolen identity information.”

The Criminal Cloud

He explained that, in some ways, the best way to think about botnets is as the ‘criminal cloud,’ stacked with already-compromised computers that can be used for all kinds of malicious activity with entry points across the country and around the world.

“These malicious actors probably crafted malware specifically to take advantage of the application process and leveraged Telegram or other messaging services to coordinate, or even to manage, Captcha entry by small teams they’ll have paid to do the responses,” Barratt said.

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explained that botnets are a convenient amplifier for the attacker’s aims.

“It lets them send thousands of requests in moments, rather than the tens they might be able to do using their own local systems,” he said. “Using botnets for this kind of volume is relatively common when an attacker wants to overwhelm their target.”

Government Target, Local Impact

Parkin said these efforts show a coordinated criminal effort to defraud the government, but with an impact on innocent victims across the country. He added that while the “actual” loss is concerning, the percentage lost to these fraudulent claims might be even more disturbing. From Parkin’s perspective, authorities have multiple technical and intelligence tools at their disposal that could help blunt these instances.

The challenge is getting them deployed quickly enough when the system itself goes from inception to deployment without a lot of time to make sure all the compensating controls and required monitoring are in place.

“Hopefully, this will serve as a reminder to take the required time to make sure the system works as intended and isn’t subject to such rampant fraud,” he said. “Jokes about government waste aside, this is a real issue.”

Broomhead noted that, like all technology, the dark web, Telegram and other platforms that provide anonymity have the potential to be used for both good and malicious purposes.

“Shutting down or monitoring such platforms is not an option,” he said. “Stopping botnets and providing more advanced authentication mechanisms for identity will be more effective.”

Parkin agreed that applications like Telegram are a challenge, noting while there is a case to be made for allowing law enforcement access to these platforms, that access must be weighed against the overwhelming privacy concerns for most users who are innocent of any wrongdoing.

“However, the relevant authorities already have a view into many of these criminal communities through conventional intelligence means,” he said. “It remains for them to use that intelligence to move against the criminal threat actors.”

Barratt’s view, however, was that, in reality, there was probably very little that could have been done to reduce the level of malicious activity.

He pointed out the theft of COVID-19 aid wasn’t a compromise of the government systems, and any rate control or application velocity management (whereby the throughput of criminal activity could be detected) will have been insignificant when compared with the huge amounts distributed to those with legitimate needs.
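As an added illustration of the application velocity management described above (example code written for this page, not from any of the quoted firms or agencies), the following Python check runs two defensive signals over constructed claim-submission log lines: the submission rate per source address in a sliding window, and a single form fingerprint fanning out across many source addresses, which is the trace a botnet leaves when it spreads requests over compromised hosts. The log format, field names and thresholds are assumptions.

```python
"""Application-velocity checks over constructed claim-submission log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one submission per line:
# "ISO timestamp,source_ip,applicant_id,form_fingerprint"
# (fingerprint = user-agent bucket + form fill time; fields are assumed)
SAMPLE_LOG = """\
2021-04-02T10:00:01,203.0.113.5,A1001,ua7-fill3s
2021-04-02T10:00:04,203.0.113.5,A1002,ua7-fill3s
2021-04-02T10:00:07,203.0.113.5,A1003,ua7-fill3s
2021-04-02T10:00:09,203.0.113.5,A1004,ua7-fill3s
2021-04-02T10:00:12,198.51.100.7,A1005,ua7-fill3s
2021-04-02T10:00:15,198.51.100.8,A1006,ua7-fill3s
2021-04-02T10:00:18,198.51.100.9,A1007,ua7-fill3s
2021-04-02T10:03:30,192.0.2.44,A2001,ua3-fill410s
2021-04-02T10:40:00,192.0.2.45,A2002,ua1-fill380s
"""


def parse_line(line):
    ts, ip, applicant, fp = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, applicant, fp


def velocity_alerts(log_text, window=timedelta(minutes=5),
                    max_per_source=3, max_sources_per_fingerprint=3):
    """Return entities that exceed a threshold inside the sliding window.

    Result: {"source_ip": {ip: peak_count}, "fingerprint": {fp: peak_fanout}}
    """
    recent_by_ip = defaultdict(deque)   # ip -> submission timestamps in window
    ips_by_fp = defaultdict(dict)       # fingerprint -> {ip: last seen}
    alerts = {"source_ip": {}, "fingerprint": {}}
    for line in log_text.splitlines():
        ts, ip, _applicant, fp = parse_line(line)
        # Signal 1: too many submissions from one source in the window.
        q = recent_by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_source:
            alerts["source_ip"][ip] = max(alerts["source_ip"].get(ip, 0), len(q))
        # Signal 2: one automation fingerprint spread over many sources.
        seen = ips_by_fp[fp]
        seen[ip] = ts
        for stale_ip in [i for i, t in seen.items() if ts - t > window]:
            del seen[stale_ip]
        if len(seen) > max_sources_per_fingerprint:
            alerts["fingerprint"][fp] = max(alerts["fingerprint"].get(fp, 0), len(seen))
    return alerts
```

The two slow, single-source submissions at the end of the sample pass both checks, showing that the fingerprint signal, not the per-address rate, is what exposes a distributed flood.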

“What it really shows, though, is why legislation that is punitive to those who lose large amounts of personal data is needed—like we’re starting to see in Europe with GDPR and the state spin-offs in the U.S.,” he said. “That would go some way to buffering the losses the federal government suffers when that information is stolen and used by criminals.”

The challenge when trying to address use cases like this, he added, is that you get to a point where it’s very hard to determine whether an application is being submitted correctly by the correct person or correctly by someone who has all the correct information and can pass themselves off as the correct person.

“Scaling out a mass identity check probably would have added a significant cost to this and also has some political and philosophical challenges about whether that’s the right way to handle the situation,” Barratt said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.