Cyber Incident Victim: PT Lion Mentari Airlines
Date: Apr 2018
Location: Indonesia
Summary
Lion Air was among multiple international companies compromised by the Winnti malware, linked to a Chinese state-aligned hacking group. The attackers employed phishing tactics, often targeting HR departments with malicious job applicant links, to infiltrate networks and establish persistent remote access. Once inside, the group conducted stealthy, long-term operations to map infrastructure, modify internal software, and exfiltrate sensitive data. The campaign impacted firms across various sectors, including aviation, hospitality, healthcare, and manufacturing, with German corporations notably affected. While some victims like Bayer detected the intrusion early and prevented data loss, the broader investigation suggested widespread undetected infections, underscoring the malware's effectiveness in evading traditional security measures.
Description
The Winnti malware campaign that hit Lion Air and other international companies was part of a broader espionage operation linked to Chinese state-affiliated actors. Initial infections at the German pharmaceutical company Bayer were detected in early 2018; the company publicly disclosed the compromise in April 2018 after discovering that Winnti malware had persisted on its systems. This early detection allowed Bayer to prevent data exfiltration while analysts studied the malware's Chinese origins. The campaign expanded significantly throughout 2018, with security researchers and the German media outlets BR and NDR identifying Lion Air among at least a dozen major international corporations compromised by Winnti variants. Other confirmed victims included the German industrial giants BASF, Siemens, and Henkel, the U.S.-based Marriott, the Swiss healthcare firm Roche, the Japanese companies Sumitomo and Shin-Etsu, and the gaming company Valve.

Attackers employed sophisticated phishing techniques against human resources departments and recruiters, disguising malicious links as job applicant credentials to gain initial network access. Once inside a victim network such as Lion Air's, the threat actors conducted slow, methodical network reconnaissance before injecting malicious code into commonly used applications to expand their access. The malware provided remote administration capabilities that enabled long-term data exfiltration, and the attackers showed particular interest in intellectual property and sensitive corporate information. While Bayer contained its infection early, many other companies remained compromised for extended periods before detection. The joint media investigation identified code signatures that indicated compromised systems, but suggested that the published victim list represented only a fraction of the actual infections. Security analysts noted that the attackers displayed poor operational security once their objectives were achieved, consistent with state-sponsored groups unconcerned about attribution after a successful data theft.
