
Cyber Incident Victim: F. Hoffmann-La Roche AG

Date:

Apr 2018

Location:

Switzerland

Summary

Roche, a Swiss healthcare company, was compromised as part of a widespread Winnti malware campaign against multinational corporations, primarily German firms, alongside victims in the US, Japan, and Indonesia. The China-linked threat group used phishing emails, often posing as job applicants writing to HR staff, to gain initial access, then carried out stealthy network reconnaissance and data exfiltration over prolonged periods. The Winnti backdoor gave the attackers remote administration capabilities, enabling systematic theft of sensitive corporate information from both Windows and Linux systems. The intrusion fit a broader espionage pattern tied to Chinese intelligence interests, with compromised organizations spanning pharmaceuticals, chemicals, hospitality, and technology. Bayer's earlier discovery of the same malware family on its own network highlighted the campaign's extended timeline and operational scale.


Description

The Winnti campaign against major international companies became publicly prominent in April 2019, when German pharmaceutical firm Bayer disclosed that it had found Winnti malware on its systems in early 2018, monitored it covertly, and removed it by the end of March 2019. Bayer reported no evidence of data theft and said the intrusion bore the hallmarks of a Chinese group, though its discovery did not prevent compromises at other organizations. The attackers, identified as the China-linked Winnti group, used phishing emails, often impersonating job applicants and aimed at HR departments and recruiters, to deliver malicious links. A click on such a link gave the attackers initial access, after which they deployed the Winnti trojan, a backdoor providing remote administration capabilities for stealthy, long-term network exploitation. The malware targeted both Windows and Linux systems, with the Linux variant first observed in 2015. The attackers operated "low and slow", mapping the network and injecting malicious code into widely used internal programs to expand their access. They also showed poor operational security, apparently indifferent to detection once their objectives had been achieved, a trait analysts associated with state-backed actors.


By mid-2019, a joint investigation by the German broadcasters BR and NDR revealed that at least a dozen multinational corporations had been compromised, including the Swiss healthcare company Roche; the US-based Marriott and Valve; Germany's BASF, Siemens, Henkel, TeamViewer, and Covestro; Japan's Sumitomo and Shin-Etsu; and Indonesia's Lion Air. Forensic code signatures specific to Winnti samples tied these breaches to the group, although the investigators cautioned that the list was incomplete. Bayer's early detection gave some warning, but many firms lacked adequate defenses; Germany's tradition-focused business culture and lagging cybersecurity adoption were cited as contributing factors. The attackers focused on corporate espionage, exfiltrating sensitive data over extended periods. While Bayer contained its breach, the full impact on the other victims, including the extent of any data theft, remained unclear. The incident underscored the group's shift from its early video game industry targets to high-value sectors such as pharmaceuticals, chemicals, manufacturing, and healthcare, in line with patterns of Chinese state-sponsored cyber-espionage.
