Bayer pharmaceuticals hit with China-attributed malware

Bayer pharmaceuticals sign

German pharmaceutical giant Bayer has now removed a cyber threat it first detected last year, citing China as a likely culprit following an investigation, according to German broadcasters BR and NDR.

After discovering the threat, the company contained the threat and spent time monitoring and analysing it until the end of last month before finally removing it.

"Our Cyber Defense Center intentionally did not clean up the systems identified so as to be able to analyze potential communication with the hackers," a Bayer spokesperson told IT Pro. "These systems were cleaned up on the weekend of March 23/24 and according to our findings, the hackers did not seize the opportunity to export information during this time frame".

Bayer said there is no evidence of data theft, but the damage is still being assessed as the company works with Germany's cyber security organisation (DCSO) to investigate the incident. Third-party personal data was also safe from the attack, a spokesperson added.

The DCSO is a group launched by Bayer in 2015 in partnership with Allianz, BASF and Volkswagen and its the group that attributed the attack to the 'Wicked Panda' group believed to be China-based.

The name of the malware discovered is 'Winnti', according to Andreas Rohr of the DCSO speaking to Reuters. The malware allows its controller to remotely access a system and control it from outside of Bayer's walls.

What is Winnti?

The Winnti trojan has been circulating for many years with first sightings believed to be in 2010, according to a Kaspersky report. The report details the first version of the malware as one designed to steal digital certificates which would force a system to allow a hacker access to it and implant a backdoor enabling a remote administration tool (RAT) which would allow an attacker to assume control of the infected machine.

"The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we have seen," read the Kaspersky report. "We used to see similar cases before, but in all previous incidents we have seen digital signature abuse, there were only 32-bit applications."

What's strange is the group's pivot towards the pharmaceutical industry as the initial target was the video game space. It wasn't until 2015 that the malware was used to target pharmaceutical companies.

Although Kaspersky declined to comment on which company the target was at the time, it did confirm that it was " the well-known global pharmaceutical company headquartered in Europe", in a blog post.

Kaspersky believed that because of the repeated behaviour, the theft of many digital certificates, it was likely that the group "either had close contacts with other Chinese hacker groups or sold the certificates on the black market in China".

Winnti isn't new in Germany either, back in 2016 ThyssenKrupp, a German technology group fell victim to the malware and although Rohr declined to comment in detail about the Bayer case due to a non-disclosure agreement, he said he knew of at least five Winnti attacks in Germany.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.