Cyber Incident Victim: Shin-Etsu Chemical Co., Ltd.
Date: Jan 2018
Location: Japan
Summary
Shin-Etsu was compromised by the Winnti malware, linked to a Chinese state-aligned cyberespionage group, as part of a broader campaign targeting multinational corporations. The attackers infiltrated networks via phishing emails, often posing as job applicants to exploit HR departments, establishing persistent remote access for stealthy data exfiltration. Once inside, they mapped network architectures and injected malicious code into widely used applications to expand control. The group prioritized prolonged intellectual property theft over operational secrecy, reflecting a pattern of targeting strategic industries across multiple countries. This incident coincided with widespread compromises of German industrial firms and other global entities, underscoring the malware's focus on corporate espionage.
Description
The Winnti malware incident involving Shin-Etsu Chemical emerged as part of a broader cyber espionage campaign targeting multinational corporations between early 2018 and mid-2019. Attackers associated with the Chinese-linked Winnti group infiltrated Shin-Etsu's systems using phishing emails disguised as job applications, a known tactic in which malicious links were sent to human resources personnel and recruiters. This initial compromise allowed installation of the Winnti trojan, which gave the attackers remote administrative access to both Windows and Linux systems. The malware operated in a "low and slow" pattern, enabling prolonged network reconnaissance during which the attackers mapped infrastructure and injected malicious code into commonly used enterprise applications to expand their access. Shin-Etsu's infection was discovered through a joint investigation by the German media outlets BR and NDR in mid-2019, which identified unique malware code signatures across multiple victim organizations. The attackers maintained persistent access to Shin-Etsu's networks for over a year before detection, mirroring the intrusion timeline observed at the German pharmaceutical company Bayer, where the malware had resided undetected since January 2018.

The incident resulted in unauthorized access to Shin-Etsu's corporate networks and potential exfiltration of sensitive business data, though the specific types of compromised information were not disclosed publicly. Response actions included containment measures to remove the malware, though remediation details were not reported. Shin-Etsu was among at least twelve major international companies compromised in this campaign, including BASF, Siemens, Marriott, and Valve. The German media investigation revealed that the attackers demonstrated "poor operational security" post-compromise, suggesting that they prioritized data collection over stealth. Forensic analysis linked the attacks to Chinese state-sponsored actors based on target selection patterns matching previous cyber espionage operations against Tibetan activists and Hong Kong government entities. While Bayer successfully prevented data theft through early detection, most affected companies, including Shin-Etsu, had their breaches disclosed externally through the media investigation rather than through voluntary reporting. The incident highlighted vulnerabilities in third-party software supply chains and in phishing defenses that depend on human vigilance across global manufacturing sectors.
