In July, a number of major international firms fell victim to a form of malware long known to be favored by Chinese hacking groups. A type of malware called Winnti, which is used for long-term quiet exfiltration of valuable company data, was found on the systems of at least a dozen major companies that do business internationally. Most of the companies hit by the Winnti malware in this recent rash were based in Germany, but companies from Switzerland, the United States, Japan and Indonesia were also targeted.
What does the Winnti malware do?
Winnti is associated with an established Chinese hacking group that goes by the same name. According to a Kaspersky Labs research report, this malware was first spotted in the wild in 2009. It caught the attention of security researchers all over the world in 2011 when it was deployed to steal code from popular online games in Germany, Japan and South Korea, only being detected when it accidentally moved from the game publisher’s servers to player systems during an update.
For the first several years of their existence, the Winnti group focused on corporate espionage of video game companies. The Winnti malware is a trojan that was the first of its kind for the 64-bit version of Windows. Once on a system, it quietly gives the attacker remote administration abilities which are generally used to exfiltrate sensitive company data over an extended period of time.
It’s unclear if the Winnti group has always been working for the Chinese government; Kaspersky notes that since its earliest days the group has been using a type of backdoor attack that was previously only used against Tibetan activists. The group has clearly since graduated to the highest levels of international business espionage, however. There are now several Winnti teams that have connections to Chinese intelligence in terms of their long-term pattern of target selection and the techniques that they use. The group has also been connected with digital spying on the Hong Kong government.
This current rash of Winnti malware first reared its head in Germany back in April, when drug giant Bayer announced that they had been targeted by the hackers and that the malware had been present on their systems since early 2018. Bayer was apparently aware of it early enough to prevent exfiltration of data and had been studying it, tracing the origins of it to China.
This early warning from Bayer appears to have come too late for a number of other German firms: chemical giant BASF, industrial manufacturing conglomerate Siemens, chemical and consumer goods company Henkel, software company TeamViewer GmbH and Bayer subsidiary Covestro among them.
Other groups that were attacked with the Winnti malware recently include US-based hotelier Marriott and online gaming company Valve, and Swiss healthcare company Roche. Japanese trading company Sumitomo and chemical company Shin-Etsu were also targeted, as well as Indonesia-based airline Lion Air.
Most of these attacks were identified by a joint investigation conducted by two of Germany’s leading media outlets, BR and NDR. Special code showed which companies had been compromised by Winnti malware, but the report indicates that the companies named may be far from a full list of those that are infected. An IT security expert who was consulted for analysis of the malware joked that “Any DAX corporation that hasn’t been attacked by Winnti must have done something wrong”, and an unnamed German official used as a source said that “The numbers of cases are mind-boggling.”
Protecting against Winnti
The Winnti malware is not indiscriminate. The group that deploys it tends to target the world’s largest companies, particularly those that have a physical presence in Düsseldorf specifically. Their interests line up with those of Chinese intelligence and manufacturing concerns, and they appear to prioritize industrial secrets. That doesn’t mean that companies that fall outside of that focus are in the clear, however – Winnti’s targeting of companies like Marriott, Valve and Lion Air indicate they are interested in the international tracking of the movements of specific people.
Regardless of how likely any individual company might be to attract the attention of Winnti, defending against them falls within the scope of standard cybersecurity best practices. Winnti malware attacks generally begin with a fairly standard phishing email containing a malicious link. Some hapless employee clicks on the link, and the group has a foothold in the network that they quickly move to expand. The Winnti group has been known to target the human resources department and company recruiters as their initial point of entry, often presenting themselves as a job applicant with links to qualifications that lead to malware installation pages.
Once in the network, Winnti’s attack pattern is a model of the “low and slow” style. They quietly map out the network architecture and look for programs that are commonly used throughout the company, adding lines of malicious code to them to expand their access. One contributor to the German report characterized the group as having “poor operational security”, seeming to not care if they are identified once they have obtained the data they came for – another good indication that the group is backed by the Chinese government.
The Winnti malware attacks both Windows and Linux systems. The Linux version of it is a relatively new development, first seen in the wild in 2015 and used somewhat sparingly since then.
Winnti may have this specific focus on Germany due to the country’s notoriously intractable business culture that is extremely tradition-focused and lagging severely behind much of the rest of the EU in cybersecurity. The attitude toward IT is a bit mystifying, as it runs completely counter to the fabled German philosophy toward engineering precision and innovation. Whatever the case, the regulations forced by the GDPR do help somewhat here but cannot force individual employees to practice good cybersecurity hygiene.