Cyber Incident Victim: Marriott International
Date: Jan 2018
Location: Germany
Summary
Marriott was among multiple international companies compromised by the Winnti malware, which is linked to a Chinese state-aligned hacking group that specializes in corporate espionage. The attackers gained initial access through phishing emails, often aimed at human resources personnel and carrying malicious links disguised as job applicant materials. Once inside a network, the malware provided prolonged unauthorized access, allowing the group to stealthily map infrastructure, modify commonly used programs, and exfiltrate sensitive data over extended periods. The campaign affected organizations across several sectors, including hospitality, healthcare, and manufacturing, with a notable concentration in Germany. While some victims detected the intrusion early, others suffered sustained breaches, highlighting the malware's effectiveness at maintaining persistence for data theft.
Description
The Winnti malware attack impacting Marriott International was part of a broader campaign targeting multinational corporations beginning as early as 2018. According to investigations by the German media outlets BR and NDR, the attackers compromised Marriott's systems using Winnti malware, a trojan associated with Chinese state-sponsored hacking groups that have been active since 2009. The initial intrusion vector was phishing emails directed at human resources personnel and recruiters, impersonating job applicants and carrying malicious links that led to malware installation. Once inside Marriott's network, the attackers followed a "low and slow" operational strategy, methodically mapping the infrastructure and injecting malicious code into widely used company applications to maintain persistent access. This enabled prolonged data exfiltration without immediate detection.

The malware's presence on corporate systems was first identified in April 2018 by the German pharmaceutical company Bayer, which traced the intrusion to Chinese actors and alerted other organizations. Subsequent analysis revealed that Winnti had compromised at least a dozen major firms, including Marriott, BASF, Siemens, Roche, and Valve. While Bayer contained the threat before any data theft occurred, the full extent of Marriott's data exposure remains unclear. The attackers targeted both Windows and Linux systems, using Winnti's signature remote administration capabilities to extract sensitive corporate information over extended periods. German investigators noted the campaign's unprecedented scale, with an unnamed official describing the number of compromised organizations as "mind-boggling." The incident underscored systemic weaknesses in corporate cybersecurity practices, particularly phishing susceptibility and gaps in network monitoring.
