Bayer hit by extensive, year-long cyber-attack

German pharma and chemicals giant Bayer has been subjected to a sustained cyber-attack that seems to originate from China-based Winnti hacking group.

The company revealed that attack after saying it had finally removed the Trojan after spending months containing the threat and analysing its behaviour, according to German media reports. The intention was to track the data siphoned by the malware back to the source, although Bayer said there was no sign of data theft.

“Our Cyber Defense Centre detected indications of Winnti infections at the beginning of 2018 and initiated comprehensive analyses,” said Bayer. “There is no evidence of data outflow.”

The news comes two years after Merck & Co was hit by WannaCry ransomware, a cyber-attack that the pharmaceutical company said had cost it around $135m in lost revenue due to production shutdowns and lost sales, and spent around $175m in remediation costs.

The Winnti group is best known for mounting attacks against the online video game industry, according to online security company Kaspersky which suggests the initial motive of the hackers was to steal valuable code and legitimate software vendors.

The motive behind the attack on Bayer hasn’t been disclosed, although the company says it is collaborating closely with Germany’s Cyber Security Organization (DCSO) and the State Criminal Police Office of North Rhine-Westphalia and investigations by the Public Prosecutor’s Office in Cologne are ongoing.

In 2015, Kaspersky revealed in a blog post that Winnti had started targeting pharma companies, possibly for the purpose of carrying out industrial espionage, suggesting it had evidence of an attack on a “well-known global pharmaceutical company headquartered in Europe.”

It is however possible that the Winnti malware could have been used by another group. Typically, the Trojan arrives into a network borne by a compromised PDF file, which can shut down firewall protection, create files and user accounts, and inject processes with malicious payloads, as well as sending information to the hacker.

Recent research from Reboot, based on ProofPoint data, has suggested that pharmaceutical companies have become the most highly targeted industry for phishing and malware attacks, with 71 attacks per company on average over a three-month period, followed by construction (61 attacks) and real estate companies (54 attacks).