Bayer pharmaceuticals hit with China-attributed malware

The initial attack occurred last year and featured a Trojan previously only used against video game companies

Bayer pharmaceuticals sign

German pharmaceutical giant Bayer has now removed a cyber threat it first detected last year, citing China as a likely culprit following an investigation, according to German broadcasters BR and NDR.

After discovering the threat, the company contained the threat and spent time monitoring and analysing it until the end of last month before finally removing it.

"Our Cyber Defense Center intentionally did not clean up the systems identified so as to be able to analyze potential communication with the hackers," a Bayer spokesperson told IT Pro. "These systems were cleaned up on the weekend of March 23/24 and according to our findings, the hackers did not seize the opportunity to export information during this time frame".

Bayer said there is no evidence of data theft, but the damage is still being assessed as the company works with Germany's cyber security organisation (DCSO) to investigate the incident. Third-party personal data was also safe from the attack, a spokesperson added.

The DCSO is a group launched by Bayer in 2015 in partnership with Allianz, BASF and Volkswagen and its the group that attributed the attack to the 'Wicked Panda' group believed to be China-based.

The name of the malware discovered is 'Winnti', according to Andreas Rohr of the DCSO speaking to Reuters. The malware allows its controller to remotely access a system and control it from outside of Bayer's walls.

What is Winnti?

The Winnti trojan has been circulating for many years with first sightings believed to be in 2010, according to a Kaspersky report. The report details the first version of the malware as one designed to steal digital certificates which would force a system to allow a hacker access to it and implant a backdoor enabling a remote administration tool (RAT) which would allow an attacker to assume control of the infected machine.

"The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we have seen," read the Kaspersky report. "We used to see similar cases before, but in all previous incidents we have seen digital signature abuse, there were only 32-bit applications."

What's strange is the group's pivot towards the pharmaceutical industry as the initial target was the video game space. It wasn't until 2015 that the malware was used to target pharmaceutical companies.

Although Kaspersky declined to comment on which company the target was at the time, it did confirm that it was " the well-known global pharmaceutical company headquartered in Europe", in a blog post.

Kaspersky believed that because of the repeated behaviour, the theft of many digital certificates, it was likely that the group "either had close contacts with other Chinese hacker groups or sold the certificates on the black market in China".

Winnti isn't new in Germany either, back in 2016 ThyssenKrupp, a German technology group fell victim to the malware and although Rohr declined to comment in detail about the Bayer case due to a non-disclosure agreement, he said he knew of at least five Winnti attacks in Germany.

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
'NetWalker' ransomware explodes thanks to 'as a service' expansion
ransomware

'NetWalker' ransomware explodes thanks to 'as a service' expansion

4 Sep 2020
Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020

Most Popular

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020
What is phishing?
phishing

What is phishing?

25 Nov 2020
Microsoft Teams no longer works on Internet Explorer
Microsoft Office

Microsoft Teams no longer works on Internet Explorer

30 Nov 2020