Bayer Confirmed It’s Investigating a Cyber Attack by Winnti

• Bayer has suffered a corporate network infection for an unknown period of time.
• The company traced signs of Winnti presence, a notorious Chinese hacking group.
• The Germans think the activity is part of China’s plan on industrial espionage, as they are striving to catch up quickly.

Bayer AG, the Leverkusen-based pharmaceutical giant who employs about 100 thousand people and has a revenue of 35 billion Euros, has confirmed that they are investigating an infection on their systems, which they managed to eradicate at the end of last month. The company claims that the first signs are positive, as there is no evidence of data theft, but the damage is still under assessment so there can be no definitive deductions yet. According to the first reports, the hacking group responsible behind the attack is likely to be the Chinese “Winnti”, as the investigators found traces of the custom trojan that is used by the particular APT group.

Winnti started out in 2011 by targeting gaming companies, but the group was quick to update their malware and launch attacks to a broader scale and range. The first time they hit a pharmaceutical organization was back in 2015, which was later revealed to be “Dax Group ThyssenKrupp”. Bayer announced that the first signs of Winnti infections were detected by their IT teams as early as in January 2018, but they were so far unable to determine the actual point in time when their corporate network was compromised initially.

Many claims that Winnti’s cyber-espionage activities are supported by the Chinese state, and while this is likely, the possibility of the group acting as an independent information-seller cannot be ruled out either. The value of “big-pharma” data is particularly high, as there’s no global information-sharing platform in a world where we choose to patent genomes instead of collaborating to speed up the research for cures. The sample of the Winnti rootkit that was analyzed in the 2015 attacks revealed that it was using a signed certificate that was assigned to a Japanese holding group involved in the research and development of medical products and drugs. With Bayer acquiring Monsanto last year, they automatically became the world’s largest genetically modified crops and pesticides seller. This means that the pharmaceutical giant became even more valuable in the eyes of cyber-espionage hackers.

From its early days, Winnti was probably not limited to a strict and defined sponsor, but likely developed in the underground and used for financial gain. However, this use changed, likely via people changing roles and affiliations and taking their tools with them. 2/n

— Timo Steffens (@Timo_Steffens) April 4, 2019

Right now the investigation is still ongoing, with Bayer enjoying the help and contribution of the German Cyber Security Organization. The first results indicate that there is more than one machine in the company’s network that was infected by Winnti, so the attack is considered targeted, and Bayer has already filed criminal charges. Bundestag sources claim certainty about this all being part of China-orchestrated industrial espionage, as there has been a surge of attacks on smaller and highly-specialized niche companies in Germany who can’t afford large IT teams, all of which pointing to China.

Feel free to share your thoughts in the comments section below, and don’t hesitate to join the discussions on our socials as well, on Facebook and Twitter.