The German pharmaceutical giant Bayer has announced that it has been targeted by hackers who installed malware on its network. The attack was contained, but the malware was not removed for months. Instead, Bayer has been observing the malware in an attempt to determine the ultimate goal of the attack and the identity of the threat actors behind the campaign.
The malware was installed on its network in early 2018. The affected systems were isolated, and the malware was studied until it was removed in March 2019. Bayer says that during the time that the malware was on its network there was no indication that any attempt had been made to steal sensitive information and no third-party data was compromised. Bayer is still conducting a forensic investigation to assess any potential damage that was caused.
The malware in question is called Winnti, an old malware family that was first discovered in 2010. Winnti has been used in several attacks in the past, including a 2016 attack on the German technology company ThyssenKrupp, although most attacks have been on companies in East Asia. The malware has also been used in several attacks on companies in the gaming industry.
The malware gives attackers access to the network and the ability to execute code remotely, which in practice means they can run any code they choose and download further payloads. It is unclear why Bayer was the target of this campaign, but it is believed that long-term espionage was the goal.
Earlier this year, the U.S. Department of Homeland Security issued a warning about attacks by hackers operating out of China and suggested the goals were to exploit supply chains between IT service providers and their clients and steal intellectual property. That information could be sold to nation states to advance their own technological capabilities.
The Bayer malware attack has been tied to a Chinese hacking group known as Wicked Panda, which is known to be highly active and capable of conducting multiple in-depth international cyberattacks simultaneously. The goals of the group are not known, but it has been suggested that the malware had been installed without the hackers having yet monetized the attack.