Winnti

from Wikipedia, the free encyclopedia

Winnti is a group of hackers suspected of having carried out industrial espionage attacks on various companies, including German ones. It is named after the malware of the same name. Experts suspect that the Chinese state is behind the spy group.

History

Since 2007, the group has been producing so-called "fake anti-virus" malware, which induced victims to pay for a licence for bogus security software.

In the fall of 2011, a Trojan first appeared on the computers of users who were playing popular online games. The program was a DLL built for 64-bit Windows operating systems and even carried a valid signature. According to Kaspersky Lab, it was the first Trojan for 64-bit systems with a valid signature. Stealing signing certificates and using them to steal further certificates is one of the group's main characteristics.
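The defensive consequence of the paragraph above is that a "valid" Authenticode signature says nothing about whether the signer is the publisher you expect: a stolen certificate chains correctly and passes Windows' validity check. The following script is an added example, not code from the article or from any of the sources it cites; it inventories the signatures of executable files under a directory with the built-in Get-AuthenticodeSignature cmdlet and flags two cases for review: files whose signature is not valid, and files whose signature is valid but whose signer is not on an allow-list of expected publishers. The directory and the publisher list are assumptions to be replaced with local values.

```powershell
# Added example (not from the article): inventory Authenticode signatures under a
# directory and flag validly signed files whose publisher is unexpected.
# $Path and $ExpectedPublishers are assumed placeholder values for illustration.
param(
    [string]$Path = 'C:\Program Files\ExampleGame',   # assumed install directory
    [string[]]$ExpectedPublishers = @(                 # assumed allow-list of certificate subjects
        'CN=Example Game Studio, O=Example Game Studio, C=US'
    )
)

Get-ChildItem -Path $Path -Recurse -File -Include *.dll, *.exe, *.sys |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate          # $null when the file is unsigned

        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError,
        # NotSupportedFileFormat or Incompatible. Only "Valid" means the chain checks out;
        # it does not mean the signer is the publisher that should have signed this file.
        $subject = if ($cert) { $cert.Subject } else { $null }
        $unexpectedSigner = ($sig.Status -eq 'Valid') -and $subject -and
                            ($ExpectedPublishers -notcontains $subject)

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            # Review = $true marks the case this group's tradecraft produces:
            # a signature that is technically valid but from a publisher not expected here.
            Review     = $unexpectedSigner
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Review } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt against the installation directory of the software being checked; the output lists only files that deserve attention. The thumbprint column is there so that a signer found to be abusing a stolen certificate can be matched against revocation lists or blocked by hash in an application-control policy, independent of the subject string.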

The group's activities are geared towards long-term cyber-espionage. Winnti is believed to be of "Asian" (according to the BSI) or Chinese origin, and is said to sell the stolen certificates on the Chinese black market.

A bootkit called HDRoot, dating from 2006, is also attributed to the group.

In spring 2019, suspicion was raised that Winnti had penetrated the databases of Bayer AG, Thyssenkrupp and Siemens.

The group is probably spying on industrial secrets on behalf of China. There were also attacks on protesting students of the democracy movement in Hong Kong (see Protests in Hong Kong 2019/2020). The attacks were discovered by the security company ESET. In addition to the Winnti malware, the backdoor ShadowPad, a keylogger, was also attributed to this group.

References

  1. Jan Strozyk, Hakan Tanriverdi: German chemical company hacked. A group of hackers has spied on German corporations for years. Now reporters from BR and NDR have been able to prove another case, at the chemical giant Lanxess. Experts suspect that the Chinese state is behind it. In: tagesschau.de. January 31, 2020, accessed February 23, 2020.
  2. Hacker attack on Bayer chemical company. Hackers have again tried to steal sensitive information from a large industrial group. They may have acted on behalf of the Chinese government. April 4, 2019, accessed April 1, 2019.
  3. Gurubaran: Chinese Hacking Groups Involved With Historical Period of Hacks Against Gaming Studios & Software Companies. May 8, 2018, accessed April 1, 2019.
  4. Hacker attack by "Winnti": Several DAX companies affected. The hacker group "Winnti" is said to have tried to steal data from DAX companies. But no data was stolen. July 24, 2019, accessed July 24, 2019.
  5. William Showalter: A Universal Windows Bootkit: An Analysis of the MBR Bootkit "HDRoot". In: Proceedings of the 50th Hawaii International Conference on System Sciences. 2017, ISBN 978-0-9981331-0-2, doi:10.24251/HICSS.2017.732.
  6. Moritz Tremmel: When an APT attacks protesting students. Until now, the Winnti hacker group had targeted companies like Bayer or Siemens, but now the targets have changed. Instead of industrial espionage, the APT is taking action against students protesting in Hong Kong. In: golem.de. February 1, 2020, accessed February 23, 2020.