As accusations of nation-state attacks attributed to the Chinese government become more prevalent, Bayer, Germany’s largest drugmaker, announced that it has contained what appears to have been a cyber-attack from China, according to Reuters.
The attack, which was initially reported by German broadcasters BR and NDR, resembles the work of Wicked Panda, a prominent Chinese hacking group that has used the Winnti malware.
“Our Cyber Defense Center detected indications of Winnti infections at the beginning of 2018 and initiated comprehensive analyses. There is no evidence of data outflow. Our experts at the Cyber Defense Center have identified, analyzed and cleaned up the affected systems, working in close collaboration with the German Cyber Security Organization (DCSO) and the State Criminal Police Office of North Rhine–Westphalia. Investigations of the Public Prosecutor’s Office in Cologne are ongoing,” a Bayer spokesperson wrote in an email.
For several years, the advanced persistent threat (APT) group has been actively targeting a broad range of victims around the world. In 2018, CrowdStrike research suggested the group is “contractors who are supporting high-priority operations as needed,” adding that the group had “improved operational security and anti-analysis TTPs, evidenced by the use of machine-specific decryption keys.”
Attribution in these attacks can be challenging, though. “While the prevailing theory is that the attacker(s) are linked to China based on targeting and some previous analysis of the Winnti rootkit, it’s far from conclusive. The Winnti malware has been around for a few years now – plenty of time to be shared and repurposed by a loosely affiliated threat actor group, which may or may not have had state backing in this case,” said Mark Orlando, chief technology officer, Raytheon cyber protection solutions.
Still, Orlando applauded Bayer’s comprehensive response, regardless of the source or motives behind the attack. “It seems clear in this case that that’s what Bayer did, and then provided the evidence to law enforcement to enable them to draw their own conclusions.”
Maintaining operational security and disclosing information only to those who need to know it while executing a measured response is often a challenge for organizations that discover they have been breached. Orlando said, “The fact that Bayer kept this incident under wraps and left the infected systems online to support an ongoing investigation makes this an interesting case study in incident response and disclosure. Taking these steps enabled the Bayer security team to determine the scope of the incident, analyze the malware on its systems and devise ways to detect additional infections prior to the incident being made public.”