Pharmaceutical giant Bayer targeted by cyberattack, threat 'contained'

The German company says the Winnti hacking group is to blame.

UK on Huawei: New engineering flaws found, old vulnerabilities haven't been fixed yet Board that oversees Huawei security in the UK offers only 'limited assurance' that risk to national security can be mitigated.

Bayer has revealed an attempt to compromise the company's networks through a cyberattack but has assured interested parties that the breach has been contained.

The German drug manufacturer said in a statement on Thursday that infectious software was discovered on Bayer systems back in early 2018, as reported by Reuters.

Rather than remove the malware, the company elected to keep a covert eye on the software to try and work out its purpose, as well as who was responsible for implanting the malicious code.

The malware was removed at the end of March, concluding Bayer's espionage activities on its own networks. Damage is currently being assessed.

CNET: Kaspersky Lab will warn you if your phone is infected with stalkerware

Bayer says that there "is no evidence of data theft," but has not provided any further details on the purpose or scope of the malware. The drug maker did say, however, that the software is the work of a hacking group known as Winnti.

According to Kaspersky Labs (.PDF), back in 2013, Winnti's objective was to steal the "source code of online game projects as well as digital certificates of legitimate software vendors."

See also: Home DNA kit company asks you to upload your family tree for the FBI

The stolen certificates were later found to be in use in order to sign malware used by other cyberthreat groups to target political activists spanning across South Korea and Tibet, as well as the ethnic minority Uyghur group located in China.

It appears that Winnti then expanded its horizons towards industrial espionage and has since been connected to a cyberattack against German tech giant ThyssenKrupp, which took place in 2016.

TechRepublic: What is the Dark Web, and why is it so bad if your information is there?

Dubbed a "professional" attack by ThyssenKrupp, the hacker's aim was to steal technological information and valuable intellectual property from the company's industrial unit.

401TRG believes the group is related to Chinese espionage efforts and attacks have systematically taken place against valuable targets between 2009 and 2018.

Phishing campaigns are the typical attack vector, followed by infection with custom malware or public tools such as Cobalt strike. 

Previous and related coverage