Chinese hacking group allegedly behind ThyssenKrupp hack

News by Roi Perez

According to the German Federal Office for Information Security (BSI), the group is well known to them, and the BSI says several other businesses are under attack.

German news website is reporting that the attack on German steel manufacturer ThyssenKrupp was allegedly orchestrated by Chinese hacking group Winnti, which is also the name of the malware they use to carry out attacks.

The investigation has now confirmed that other German companies were affected in the cyber-attack.

Hacking group Winnti, which haspreviously attacked computer game software companies, is believed to be of Chinese origin, according to Kaspersky Labs' Global Research and Analysis Team who wrote a report on them back in 2013.

Speaking of the group's interests, Kaspersky Lab wrote at the time, “The main objective of the group is to steal source code of online game projects as well as digital certificates of legitimate software vendors. Besides that, they are deeply interested in the setup of network infrastructure (including production gaming servers) and new developments such as conceptual ideas, design and more.”

Thyssenkrupp's computer emergency response team (CERT) which is investigating the attack believes that further German companies are affected.

Likewise, is reporting that the German Federal Office for Information Security (BSI) confirmed to WirtschaftsWoche, a German business publication, that Winnti has infiltrated several companies in Germany saying: "Several cases are known to us."

Which companies have become victims of Winnti in Germany, the BSI is yet to reveal. However, companies across several industries are affected.

The BSI has had difficulty determining if all of the hacks are orchestrated by Winnti. "The malware landscape has greatly expanded, which could mean that Winnti is used as a relatively advanced and convenient tool by several groups," says the BSI.

Winnti is not a new group on the block, several security researchers claim the group is from China or another Southeast Asian country and has been active since 2009.

Their speciality is the installation of well-hidden access points in networks and IT systems. Winnti became famous for successful attacks on gaming platforms - with the aim of diverting the in-game currency use   there, to sell and exchange it on the black market for real money.

Since 2015 the group has expanded its activities to cyber-espionage against companies.

According to, some in Germany fear that more technology-based companies will become victims of professional espionage attacks, and that the trend is growing.

After a long battle with the hacking group, ThyssenKrupp now allegedly wishes to work with other industrial companies and cooperate more closely in terms of information sharing and exchange on how to beat attackers like Winnti.

Last year, Volkswagen, BASF, Bayer and Allianz established the Deutsche Cyber-Sicherheitsorganisation (DCSO) in Berlin, which is closely cooperating with the Federal Ministry of the Interior.

Thyssenkrupp is one of the members of the group, and according to, IT managers in ThyssenKrupp were immediately able to make emergency calls when the first traces of the cyber-espionage were found in their IT systems.

A team from the DCSO worked closely with security specialists at ThyssenKrupp during the six-month long defensive battle. This know-how can now be passed on to the next victims.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews