Cyber Incident Victim: Henkel
Date: Jan 2018
Location: Germany
Summary
Henkel was one of multiple international companies compromised with the Winnti malware, attributed to a Chinese state-aligned group that specializes in long-running corporate espionage. The attackers gained initial access through phishing emails aimed at human resources staff, then quietly expanded their foothold and exfiltrated sensitive data over extended periods. The campaign affected numerous German corporations and other organizations worldwide in sectors including chemicals, manufacturing, and healthcare, and infections went undetected for long stretches before discovery. Winnti's operators showed advanced capabilities, targeting both Windows and Linux systems and injecting their backdoor into legitimate, widely used software on the host to maintain persistence, while taking little care over operational security once their objectives were achieved.
Description
The Winnti malware campaign that hit Henkel and other multinational corporations came from a long-established Chinese hacking group whose activity has been traced back to 2009. The group initially specialized in espionage against the video game industry, notably stealing source code from German, Japanese, and South Korean game publishers in 2011 by compromising their update servers. By 2015 it had added a Linux variant of its backdoor while continuing to rely on Windows backdoors for stealthy data exfiltration. The 2018 intrusions at German industrial firms marked an escalation in target selection, from gaming companies to major chemical, manufacturing, and consumer goods corporations. Henkel's compromise fell within this broader wave. The January 2018 date given for this incident is inferred from Bayer's parallel infection timeline; no separate intrusion date for Henkel was made public. The attackers sent phishing emails posing as job applications to HR personnel, with embedded links that installed the Winnti payload when clicked. From this initial foothold the operators conducted network reconnaissance, identified critical systems, and injected malicious code into enterprise applications to establish persistence.

The joint BR/NDR media investigation named Henkel among at least a dozen confirmed victims across Germany, Switzerland, the United States, Japan, and Indonesia. While Bayer detected the malware early enough to report no evidence of data theft, the report implied that Henkel and other DAX-listed companies such as BASF and Siemens faced prolonged undetected access. Winnti operators worked "low and slow," staying below detection thresholds while systematically mapping infrastructure and exfiltrating unspecified sensitive data over months. The malware provided remote administration capabilities that enabled lateral movement across both Windows and Linux systems. Public disclosure came in July 2019, after the BR/NDR team matched Winnti samples, whose embedded configuration data referred to the targeted organizations, to the affected companies; the investigators warned that the confirmed victim list understated the campaign's true scale. No specific containment measures or data loss details were disclosed for Henkel. The pattern seen in comparable state-sponsored industrial espionage cases, operational disruption from forensic investigation and possible intellectual property compromise, is the most that can be inferred from the public record.
