Cyber Incident Victim: Valve Corporation
Date: Apr 2018
Location: Germany
Summary
Valve, a US-based online gaming company, was among the victims of a cyber espionage campaign that used Winnti malware attributed to Chinese state-sponsored actors. The attackers gained initial access through phishing emails aimed at HR departments, then established persistent access and exfiltrated sensitive data over extended periods. The incident was part of a broader operation against multiple international corporations in sectors including pharmaceuticals, manufacturing, and hospitality. The malware gave the operators remote control of compromised systems and the ability to map victim networks stealthily; the attackers also modified programs in common use on those networks to extend their access. Some victims detected the intrusion early, but the campaign's reach and tradecraft were consistent with an advanced persistent threat focused on intellectual property theft.
Description
The Winnti malware incident affecting Valve occurred within a broader campaign against multinational corporations that ran from early 2018 to mid-2019, with initial compromises traced back to at least April 2018. The attack was attributed to a Chinese state-aligned hacking group known as Winnti, which deployed custom malware built for stealthy, long-term data exfiltration. Valve, a US-based online gaming company, was confirmed as a victim alongside the German corporations Bayer, BASF, Siemens, Henkel, TeamViewer GmbH, and Covestro, as well as Marriott, Roche, Sumitomo, Shin-Etsu, and Lion Air. For initial access the attackers sent phishing emails to human resources departments and recruiters, with malicious links disguised as job application documents. Once inside, the group carried out slow, low-noise network reconnaissance, identified software in wide use across the victim network, and injected malicious code into it to move laterally.

Bayer's cybersecurity team first detected the malware in early 2018 after observing suspicious activity; it contained the intrusion before any data theft and attributed the malware to Chinese operators. That discovery prompted a joint media investigation by the German broadcasters BR and NDR, which identified Valve and the other victims through forensic analysis of the attackers' infrastructure. The malware compromised both Windows and Linux systems: the Windows 64-bit trojan variant was first observed in 2009, and a Linux version had been active since 2015. No data exfiltration was confirmed at Bayer because of the early containment, but other affected organizations endured prolonged, undetected access. The scale of the compromises led a German official to describe the case numbers as "mind-boggling," and security analysts joked that any major German corporation not breached by Winnti "must have done something wrong." The incident exposed systemic weaknesses in corporate cybersecurity practice, particularly in Germany, where traditional business cultures had lagged in adopting IT security despite GDPR requirements.
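The description above notes that the attackers extended their access by injecting code into software already in wide use on the victim network. One check a defender can run against that tradecraft is a file-integrity baseline: hash the binaries of deployed software while they are known-good, then periodically re-hash and report anything modified, added or removed. The script below is an added example written for this page, not code from the original page, from Valve, or from the reporting on this campaign; the file names and contents are constructed for the demonstration, and the check is generic rather than specific to Winnti.

```python
"""File-integrity baseline check (added example; not from the original page).

build_baseline() records a SHA-256 per file under a root directory; diff_against_baseline()
re-hashes the tree and reports modified, added and removed files. demo() builds a
constructed software directory, trojanises one binary and drops one extra file, then
returns the diff so the result can be checked without any external input.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and classify every difference from the recorded baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean install, then simulate a tampered binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed placeholder binaries standing in for widely deployed software.
        (root / "bin" / "updater.exe").write_bytes(b"MZ legitimate updater v1.0")
        (root / "bin" / "viewer.exe").write_bytes(b"MZ legitimate viewer v2.3")
        baseline = build_baseline(root)

        # Simulate the attacker injecting code into a common program and dropping a loader.
        (root / "bin" / "updater.exe").write_bytes(
            b"MZ legitimate updater v1.0" + b"\x90" * 16 + b"injected stub"
        )
        (root / "bin" / "helper.dll").write_bytes(b"MZ injected loader")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats matter in practice. First, a baseline stored on the same host can be rewritten by an attacker who already has administrative access, so keep it off-host (or signed) and compare against that copy. Second, a hash baseline only covers files that are not supposed to change; for vendor-signed software, verifying the vendor's code signature is the complementary check, and the most reliable signal is a binary whose hash changed outside of a known update window.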
