Bayer pharmaceuticals hit with China-attributed malware

The initial attack occurred last year and featured a Trojan previously only used against video game companies

Bayer pharmaceuticals sign

German pharmaceutical giant Bayer has now removed a cyber threat it first detected last year, citing China as a likely culprit following an investigation, according to German broadcasters BR and NDR.

After discovering the threat, the company contained the threat and spent time monitoring and analysing it until the end of last month before finally removing it.

"Our Cyber Defense Center intentionally did not clean up the systems identified so as to be able to analyze potential communication with the hackers," a Bayer spokesperson told IT Pro. "These systems were cleaned up on the weekend of March 23/24 and according to our findings, the hackers did not seize the opportunity to export information during this time frame".

Bayer said there is no evidence of data theft, but the damage is still being assessed as the company works with Germany's cyber security organisation (DCSO) to investigate the incident. Third-party personal data was also safe from the attack, a spokesperson added.

The DCSO is a group launched by Bayer in 2015 in partnership with Allianz, BASF and Volkswagen and its the group that attributed the attack to the 'Wicked Panda' group believed to be China-based.

The name of the malware discovered is 'Winnti', according to Andreas Rohr of the DCSO speaking to Reuters. The malware allows its controller to remotely access a system and control it from outside of Bayer's walls.

What is Winnti?

The Winnti trojan has been circulating for many years with first sightings believed to be in 2010, according to a Kaspersky report. The report details the first version of the malware as one designed to steal digital certificates which would force a system to allow a hacker access to it and implant a backdoor enabling a remote administration tool (RAT) which would allow an attacker to assume control of the infected machine.

"The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we have seen," read the Kaspersky report. "We used to see similar cases before, but in all previous incidents we have seen digital signature abuse, there were only 32-bit applications."

What's strange is the group's pivot towards the pharmaceutical industry as the initial target was the video game space. It wasn't until 2015 that the malware was used to target pharmaceutical companies.

Although Kaspersky declined to comment on which company the target was at the time, it did confirm that it was " the well-known global pharmaceutical company headquartered in Europe", in a blog post.

Kaspersky believed that because of the repeated behaviour, the theft of many digital certificates, it was likely that the group "either had close contacts with other Chinese hacker groups or sold the certificates on the black market in China".

Winnti isn't new in Germany either, back in 2016 ThyssenKrupp, a German technology group fell victim to the malware and although Rohr declined to comment in detail about the Bayer case due to a non-disclosure agreement, he said he knew of at least five Winnti attacks in Germany.

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

MacBook users warned against EvilQuest ransomware
ransomware

MacBook users warned against EvilQuest ransomware

19 Feb 2021
Agent Tesla malware evades security controls to infect systems
malware

Agent Tesla malware evades security controls to infect systems

3 Feb 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Android malware vendor teams with marketer to promote new malware
malware

Android malware vendor teams with marketer to promote new malware

11 Jan 2021

Most Popular

Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021
Hackers publish Bombardier data in wide-reaching FTA cyber attack
cyber attacks

Hackers publish Bombardier data in wide-reaching FTA cyber attack

24 Feb 2021
New monitors for an agile new normal
Sponsored

New monitors for an agile new normal

19 Feb 2021