Bayer pharmaceuticals hit with China-attributed malware

The initial attack occurred last year and featured a Trojan previously only used against video game companies

Bayer pharmaceuticals sign

German pharmaceutical giant Bayer has now removed a cyber threat it first detected last year, citing China as a likely culprit following an investigation, according to German broadcasters BR and NDR.

After discovering the threat, the company contained the threat and spent time monitoring and analysing it until the end of last month before finally removing it.

"Our Cyber Defense Center intentionally did not clean up the systems identified so as to be able to analyze potential communication with the hackers," a Bayer spokesperson told IT Pro. "These systems were cleaned up on the weekend of March 23/24 and according to our findings, the hackers did not seize the opportunity to export information during this time frame".

Bayer said there is no evidence of data theft, but the damage is still being assessed as the company works with Germany's cyber security organisation (DCSO) to investigate the incident. Third-party personal data was also safe from the attack, a spokesperson added.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The DCSO is a group launched by Bayer in 2015 in partnership with Allianz, BASF and Volkswagen and its the group that attributed the attack to the 'Wicked Panda' group believed to be China-based.

The name of the malware discovered is 'Winnti', according to Andreas Rohr of the DCSO speaking to Reuters. The malware allows its controller to remotely access a system and control it from outside of Bayer's walls.

What is Winnti?

The Winnti trojan has been circulating for many years with first sightings believed to be in 2010, according to a Kaspersky report. The report details the first version of the malware as one designed to steal digital certificates which would force a system to allow a hacker access to it and implant a backdoor enabling a remote administration tool (RAT) which would allow an attacker to assume control of the infected machine.

"The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we have seen," read the Kaspersky report. "We used to see similar cases before, but in all previous incidents we have seen digital signature abuse, there were only 32-bit applications."

What's strange is the group's pivot towards the pharmaceutical industry as the initial target was the video game space. It wasn't until 2015 that the malware was used to target pharmaceutical companies.

Although Kaspersky declined to comment on which company the target was at the time, it did confirm that it was " the well-known global pharmaceutical company headquartered in Europe", in a blog post.

Advertisement - Article continues below

Kaspersky believed that because of the repeated behaviour, the theft of many digital certificates, it was likely that the group "either had close contacts with other Chinese hacker groups or sold the certificates on the black market in China".

Winnti isn't new in Germany either, back in 2016 ThyssenKrupp, a German technology group fell victim to the malware and although Rohr declined to comment in detail about the Bayer case due to a non-disclosure agreement, he said he knew of at least five Winnti attacks in Germany.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020