Cyber Incident Victim: Covestro
Date: Apr 2018
Location: Germany
Summary
Covestro was among multiple major international companies compromised by the Winnti malware, linked to a Chinese state-sponsored hacking group. The attackers infiltrated networks via phishing emails targeting human resources departments, establishing remote access for prolonged data exfiltration. The malware operated stealthily across Windows and Linux systems, enabling network reconnaissance and code manipulation to expand control. While some organizations detected and contained the intrusion early, others experienced extended breaches as the group prioritized persistent access over operational secrecy, aligning with espionage objectives targeting intellectual property and sensitive corporate data.
Description
The Winnti malware incident affecting Covestro emerged as part of a broader campaign targeting multinational corporations beginning in early 2018. German chemical company Covestro, a subsidiary of Bayer, was compromised alongside other major German firms including BASF, Siemens, Henkel, and TeamViewer GmbH. The attack originated from a Chinese state-aligned hacking group known as Winnti, which deployed malware designed for long-term data exfiltration. Bayer first detected the intrusion on its systems in April 2018, tracing the malware's origins to China and noting it had been present since early that year. Bayer's early detection allowed it to prevent data theft from its own systems, though this warning did not prevent infections at Covestro and other entities. The malware spread to companies across multiple sectors and geographies, including Switzerland's Roche, the United States' Marriott and Valve, Japan's Sumitomo and Shin-Etsu, and Indonesia's Lion Air. A joint investigation by German media outlets BR and NDR later identified compromised companies through unique malicious code signatures, suggesting the full scope of infections exceeded publicly confirmed cases.

The attackers employed phishing emails targeting human resources departments and recruiters, often posing as job applicants to deliver malicious links. Once inside a network, the Winnti group conducted slow reconnaissance to map infrastructure and injected malicious code into widely used internal applications to expand access. The malware provided remote administration capabilities, enabling prolonged data harvesting from both Windows and Linux systems, with the Linux variant first observed in 2015. While Bayer contained its breach before data loss occurred, the underlying reporting did not specify whether Covestro experienced data exfiltration. German authorities described the scale of compromises as "mind-boggling," with one security expert noting widespread penetration of DAX-listed companies. After achieving their objectives, the attackers showed little regard for operational security, a pattern consistent with state-backed espionage. Covestro's incident highlighted systemic cybersecurity vulnerabilities in German industrial sectors, particularly tradition-bound corporate cultures slow to adopt modern defenses despite GDPR regulatory pressures.
