{
	"id": "f67a9e50-eae2-484b-8029-de32c52eacbf",
	"created_at": "2026-04-06T00:13:21.950402Z",
	"updated_at": "2026-04-10T03:32:20.498178Z",
	"deleted_at": null,
	"sha1_hash": "9ef1dc5bac45913f77ac08445461aae1f86edcb6",
	"title": "Bayer hit by cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47956,
	"plain_text": "Bayer hit by cyberattack\r\nBy Deutsche Welle\r\nPublished: 2019-04-04 · Archived: 2026-04-05 17:22:50 UTC\r\nA group of hackers known as Wicked Panda accessed Bayer's network in early 2018, the company said in a\r\nstatement on Thursday. \r\nThe hackers reportedly used Winnti malware, which had also been detected at three other, smaller, companies in\r\nGermany this year.\r\nWinnti is a China-based hacker group, of which Wicked Panda is believed to be a member. In Germany they\r\nalready targeted the computer systems of technology group ThyssenKrupp in 2016. \r\n\"This type of attack points towards the Wicked Panda group in China, according to security experts,\" a company\r\nspokesman said, citing evidence gathered by the DCSO cybersecurity group, which was set up by Bayer in 2015\r\nand includes other German companies such as Allianz, BASF and Volkswagen.\r\nBayer, Germany's largest drugmaker, said it had covertly monitored and analyzed the attack up to the end of this\r\nMarch and then cleared the threat from its systems. \"There is no evidence of data theft,\" the statement goes on. \r\nWhile public prosecutors in Cologne, Germany have opened an investigation into the incident, the former head of\r\nGermany's BND foreign intelligence service, Gerhard Schindler, said on Thursday it was difficult to determine the\r\nhackers' location.\r\nBayer is also the world's largest agricultural supplies company after it took over US chemicals maker\r\nMonsanto.\r\nGermany watchful\r\nThe news comes in the wake of one of Germany's biggest data breaches, in which the private data of almost 1,000\r\npublic figures were leaked in January, including email conversations and private photos. 
Cybersecurity has\r\nbecome a matter of urgency for German politics after the United States ramped up pressure on its allies to\r\ndesist from using Chinese firm Huawei technology in the rollout of 5G internet.\r\nGermany’s Office for Security in Information Technology (BSI) recently issued a warning to several German\r\ncompanies seen as potential targets for Chinese cyber espionage. There are mounting fears in Germany that\r\nChinese hackers could be targeting companies involved in construction and materials research, engineering firms\r\nand big commercial enterprises.\r\nAccording to a BSI report in February, Germany has seen a rising number of incidents hitting critical\r\ninfrastructure, such as power grids and water suppliers. Among the companies most recently targeted by the\r\nChinese hackers was the Hagen Hohenlimburg specialty steel mill in western Germany.\r\nhttps://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004\r\nPage 1 of 3\n\nTechnical trade secrets were stolen from the steel production and manufacturing plant design divisions of\r\nThyssenKrupp in the attacks. At the time, the company said it had been targeted by attackers located in Southeast\r\nAsia. In 2014, a blast furnace at a steelworks in Germany was also badly damaged by a cyber attack, resulting in\r\n\"massive damage to machinery\" at the unnamed German steel mill.\r\nThis followed an attack on Deutsche Telekom routers that caused an outage for nearly 1 million customers. \r\nCosts\r\nAccording to a survey published by Germany's IT sector association Bitkom in 2018, two thirds of\r\nGerman manufacturers have already come under attack from cybercriminals. The association estimates that this\r\ncosts Europe's largest economy €43 billion ($50 billion) annually. \r\nBitkom has also found that small and medium-sized companies are particularly vulnerable to attacks. 
Some 19\r\npercent of those polled said their IT and production systems had been sabotaged digitally, with 11\r\npercent reporting tapping of their communications.\r\nData theft and cyber attacks\r\nSource: https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004"
	],
	"report_names": [
		"a-48196004"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ef1dc5bac45913f77ac08445461aae1f86edcb6.pdf",
		"text": "https://archive.orkl.eu/9ef1dc5bac45913f77ac08445461aae1f86edcb6.txt",
		"img": "https://archive.orkl.eu/9ef1dc5bac45913f77ac08445461aae1f86edcb6.jpg"
	}
}