Bayer has revealed an attempt to compromise the company's networks through a cyberattack but has assured interested parties that the breach has been contained.
The German drug manufacturer said in a statement on Thursday that infectious software was discovered on Bayer systems back in early 2018, as reported by Reuters.
Rather than remove the malware, the company elected to keep a covert eye on the software to try and work out its purpose, as well as who was responsible for implanting the malicious code.
The malware was removed at the end of March, concluding Bayer's espionage activities on its own networks. Damage is currently being assessed.
Bayer says that there "is no evidence of data theft," but has not provided any further details on the purpose or scope of the malware. The drug maker did say, however, that the software is the work of a hacking group known as Winnti.
According to Kaspersky Labs (.PDF), back in 2013, Winnti's objective was to steal the "source code of online game projects as well as digital certificates of legitimate software vendors."
The stolen certificates were later found to be in use in order to sign malware used by other cyberthreat groups to target political activists spanning across South Korea and Tibet, as well as the ethnic minority Uyghur group located in China.
It appears that Winnti then expanded its horizons towards industrial espionage and has since been connected to a cyberattack against German tech giant ThyssenKrupp, which took place in 2016.
Dubbed a "professional" attack by ThyssenKrupp, the hacker's aim was to steal technological information and valuable intellectual property from the company's industrial unit.
401TRG believes the group is related to Chinese espionage efforts and attacks have systematically taken place against valuable targets between 2009 and 2018.
Phishing campaigns are the typical attack vector, followed by infection with custom malware or public tools such as Cobalt strike.