
Cyber Incident Victim: Sumitomo Corporation

Date:

Apr 2018

Location:

Germany

Summary

A Japanese trading company was among multiple major international firms compromised by the Winnti malware, linked to a Chinese state-aligned hacking group. The attackers employed phishing tactics, often targeting human resources departments with malicious job applicant links to gain initial network access. Once inside, they conducted prolonged data exfiltration campaigns by stealthily modifying commonly used programs across Windows and Linux systems. The operation exhibited a "low and slow" intrusion pattern, prioritizing persistent access over immediate detection. Other affected entities spanned pharmaceutical, chemical, manufacturing, and hospitality sectors across Germany, Switzerland, the United States, and Indonesia. Security researchers noted the group's poor operational security but confirmed successful extraction of sensitive corporate data from numerous organizations.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

2 techniques

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

The Winnti malware campaign targeting major international companies emerged prominently in April 2018 when German pharmaceutical company Bayer disclosed a breach involving malware that had persisted on its systems since early that year. Bayer detected the intrusion early enough to prevent data exfiltration and traced the attack’s origins to China. This incident signaled a broader wave of attacks primarily affecting German corporations, including BASF, Siemens, Henkel, TeamViewer GmbH, and Covestro, alongside non-German entities such as Marriott, Valve, Roche, Lion Air, and Japanese trading firm Sumitomo. The attacks were linked to a Chinese state-aligned hacking group known as Winnti, which had operated since at least 2009 and historically focused on stealing intellectual property from video game developers. The group expanded its targets to include diverse industries, employing malware designed for stealthy, long-term data exfiltration. A joint investigation by German media outlets BR and NDR later identified compromised companies through unique malicious code signatures, though the full scope of affected organizations remained unclear. An unnamed German official described the scale as "mind-boggling," with security experts humorously suggesting any major German corporation not breached by Winnti had likely "done something wrong."


The attackers typically gained initial access via phishing emails impersonating job applicants, often targeting human resources personnel or recruiters. Once inside a network, the Winnti group employed a "low and slow" approach, methodically mapping infrastructure and injecting malicious code into widely used internal applications to escalate privileges and maintain persistence. The malware provided remote administration capabilities, enabling prolonged data theft from both Windows and Linux systems, with the Linux variant first observed in 2015. Despite being characterized as having "poor operational security" by investigators—exhibiting indifference to detection after achieving objectives—the group’s tactics aligned with state-sponsored espionage patterns, including targeting entities like the Hong Kong government. While Bayer successfully contained its breach, the broader campaign’s impact involved systematic exfiltration of sensitive corporate data across multiple sectors. No specific data theft from Sumitomo was detailed in public reports, but its inclusion among confirmed targets indicated participation in the widespread espionage effort. The incident underscored vulnerabilities in corporate cybersecurity practices, particularly in Germany, where cultural resistance to IT modernization was cited as a potential factor in the attacks’ prevalence.
