German drugmaker Bayer has contained a cyber attack it believes was hatched in China, the company said, highlighting the risk of data theft and disruption faced by big business.

Bayer found the infectious software on its computer networks early last year, covertly monitored and analyzed it until the end of last month and then cleared the threat from its systems, the company said on Thursday.

“There is no evidence of data theft,” Bayer said in a statement, though a spokesman added that the overall damage was still being assessed and that German state prosecutors had launched an investigation.

“This type of attack points towards the ‘Wicked Panda’ group in China, according to security experts,” the spokesman added, citing DCSO, a cyber security group set up by Bayer in 2015 with German partners Allianz, BASF and Volkswagen.

Third-party personal data was also not compromised, the spokesman said.

The hackers used malware called WINNTI, which makes it possible to access a system remotely and then pursue further exploits from there, said Andreas Rohr of the DCSO.

“Once it has been installed, more or less any action can be carried out,” Rohr said.

Discovery of WINNTI provides clear evidence of complex and sophisticated malware that is used in a targeted, sustained espionage campaign, he added

Bayer, Germany’s biggest drugmaker and the world’s largest agricultural supplies company after its takeover of Monsanto, said it could not determine exactly when its systems were first compromised.

‘Active Group’

There was a WINNTI attack on computer systems at German technology group ThyssenKrupp in 2016, according to media reports at the time.

Rohr declined to comment in detail on the Bayer case, citing a non-disclosure agreement, but said he knew of at least five WINNTI attacks in Germany.

“This is a very active group of hackers with the ability to carry multiple international attacks in parallel,” he said.

Manufacturing groups across the globe are expanding their data networks as sensors, processing chips and analytical tools become more advanced and cheaper.

Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids, the country’s cybersecurity agency said in February.

While it’s not possible to say with certainty who was responsible for the attack, because the malware used is widely available, Rohr said the methods bore the hallmarks of Chinese hackers.

“The malware most probably comes from a Chinese group of ‘mercenaries’ who carry out targeted attacks and campaigns on the internet for money,” he said.

“Their targets have in the past been the online gambling industry, the theft of intellectual property of the affected companies or the use of access for the purposes of espionage.”

German broadcasters BR and NDR initially reported the incident. (Additional reporting by Douglas Busvine.)

Topics Cyber Claims China Germany