Cyber Incident Victim: Bayer AG

Date:

Jan 2018

Location:

Germany

Summary

A German pharmaceutical and agricultural company detected a cyberattack involving WINNTI malware, which enabled remote system access and potential espionage activities. Security experts attributed the attack to a Chinese-linked group known as 'Wicked Panda,' citing similarities to previous campaigns targeting intellectual property and corporate espionage. The malware was identified through covert monitoring, contained, and subsequently removed from systems. While no evidence of data theft or third-party data compromise was found, the full extent of operational impact remained under assessment. German authorities initiated an investigation, with cybersecurity analysts highlighting the attack's sophistication and its alignment with patterns of state-affiliated or mercenary hacking groups targeting industrial sectors.

Description

Bayer detected malicious software on its computer networks in early 2018 and, rather than remediating immediately, began covert monitoring and analysis of the intrusion that continued until the end of March 2019. The company then removed the threat from its systems and publicly disclosed the incident on April 4, 2019. Security experts from DCSO Cyber Defense, a consortium Bayer co-founded with Allianz, BASF, and Volkswagen, identified the malware as WINNTI, a tool that gives the operator remote access to a compromised system and a foothold for further exploitation. DCSO's Andreas Rohr characterized the malware as evidence of a sophisticated, targeted espionage campaign, noting that once installed it can execute almost any action on the host. Bayer stated there was no evidence of data theft or compromise of third-party personal information, though a company spokesman acknowledged that damage assessments were still ongoing. German state prosecutors launched an investigation into the breach; Bayer could not say precisely when its systems were first compromised. Attribution analysis by DCSO linked the attack's technical characteristics to the Chinese-affiliated 'Wicked Panda' hacking group.

The WINNTI malware had previously been deployed in a 2016 cyber attack against German industrial conglomerate ThyssenKrupp, according to contemporaneous media reports. Rohr confirmed awareness of at least five WINNTI-related incidents in Germany, describing the threat actors as a highly active group capable of running several international operations in parallel. He characterized the perpetrators as Chinese "mercenaries" with a history of attacks on online gambling platforms, intellectual property theft, and espionage-oriented network access. Bayer's disclosure coincided with heightened cybersecurity concerns across German critical infrastructure sectors, as noted by national authorities in February 2019. The incident was first reported by German broadcasters BR and NDR, with Bayer emphasizing that the threat had been contained after nearly 15 months of forensic monitoring. No operational disruptions or specific compromised systems were detailed in public statements, though the company's position as both a pharmaceutical leader and, through its Monsanto acquisition, a major agricultural supplier underscored its potential strategic interest to threat actors.