Cyber Incident Victim: BASF
Date: Jan 2018
Location: Germany
Summary
BASF was among multiple major international companies compromised by the Winnti malware, attributed to a Chinese state-aligned hacking group that specializes in long-term corporate espionage. The attackers infiltrated networks primarily through phishing emails aimed at human resources personnel, then established persistent access in order to exfiltrate sensitive data over extended periods. The malware provided remote administration capabilities on both Windows and Linux systems, and the attackers modified commonly used programs to expand their foothold. The incident was part of a broader campaign affecting German industrial and chemical firms, including Siemens and Henkel, as well as companies in Switzerland, the US, Japan, and Indonesia. While some victims detected the intrusion early, the scale of the compromises suggested extensive data harvesting operations.
Description
The Winnti malware campaign targeting BASF emerged as part of a broader espionage operation against multinational corporations that began in early 2018. German chemical giant BASF was among at least a dozen major international companies compromised by the China-linked Winnti group, with infections traced back to January 2018 according to forensic analysis. The attackers initially breached networks through phishing emails aimed at human resources personnel and recruiters, often disguising malicious links as the qualifications of job applicants. This infiltration method allowed the threat actors to establish footholds in corporate systems before deploying the Winnti malware payload.

Once inside BASF's network, the attackers employed the stealthy "low and slow" tactics characteristic of the Winnti group, systematically mapping infrastructure and modifying commonly used programs with malicious code to expand their access. The malware provided remote administration capabilities that enabled prolonged data exfiltration, though the specific data types targeted at BASF were not disclosed publicly. The breach was discovered through a joint media investigation by the German outlets BR and NDR in mid-2018, which identified unique malware signatures across multiple DAX-listed companies. While Bayer had detected and contained its infection by April 2018, preventing data theft, BASF's containment timeline remained unspecified in public reports.

The incident formed part of a transnational targeting pattern that included German industrial firms such as Siemens and Henkel alongside companies in Switzerland, Japan, Indonesia, and the United States. Security analysts noted that the campaign's operational scale suggested state-backed coordination, with forensic evidence linking its tactics to previous Chinese cyberespionage activity against Tibetan activists and Hong Kong entities. The Winnti group's expansion beyond its original video game industry targets to major chemical and manufacturing firms demonstrated a strategic evolution toward economic espionage against core industrial sectors.
