Bayer pharmaceuticals hit with China-attributed malware

The initial attack occurred last year and featured a Trojan previously only used against video game companies

Bayer pharmaceuticals sign

German pharmaceutical giant Bayer has now removed a cyber threat it first detected last year, citing China as a likely culprit following an investigation, according to German broadcasters BR and NDR.

After discovering the threat, the company contained the threat and spent time monitoring and analysing it until the end of last month before finally removing it.

"Our Cyber Defense Center intentionally did not clean up the systems identified so as to be able to analyze potential communication with the hackers," a Bayer spokesperson told IT Pro. "These systems were cleaned up on the weekend of March 23/24 and according to our findings, the hackers did not seize the opportunity to export information during this time frame".

Bayer said there is no evidence of data theft, but the damage is still being assessed as the company works with Germany's cyber security organisation (DCSO) to investigate the incident. Third-party personal data was also safe from the attack, a spokesperson added.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The DCSO is a group launched by Bayer in 2015 in partnership with Allianz, BASF and Volkswagen and its the group that attributed the attack to the 'Wicked Panda' group believed to be China-based.

The name of the malware discovered is 'Winnti', according to Andreas Rohr of the DCSO speaking to Reuters. The malware allows its controller to remotely access a system and control it from outside of Bayer's walls.

What is Winnti?

The Winnti trojan has been circulating for many years with first sightings believed to be in 2010, according to a Kaspersky report. The report details the first version of the malware as one designed to steal digital certificates which would force a system to allow a hacker access to it and implant a backdoor enabling a remote administration tool (RAT) which would allow an attacker to assume control of the infected machine.

"The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we have seen," read the Kaspersky report. "We used to see similar cases before, but in all previous incidents we have seen digital signature abuse, there were only 32-bit applications."

What's strange is the group's pivot towards the pharmaceutical industry as the initial target was the video game space. It wasn't until 2015 that the malware was used to target pharmaceutical companies.

Although Kaspersky declined to comment on which company the target was at the time, it did confirm that it was " the well-known global pharmaceutical company headquartered in Europe", in a blog post.

Advertisement - Article continues below

Kaspersky believed that because of the repeated behaviour, the theft of many digital certificates, it was likely that the group "either had close contacts with other Chinese hacker groups or sold the certificates on the black market in China".

Winnti isn't new in Germany either, back in 2016 ThyssenKrupp, a German technology group fell victim to the malware and although Rohr declined to comment in detail about the Bayer case due to a non-disclosure agreement, he said he knew of at least five Winnti attacks in Germany.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/technology/artificial-intelligence-ai/354796/ai-identifies-11-earth-bound-asteroids
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020