Gameforge was using Kaspersky antivirus software, which didn't cause any alarm bells to ring. Gameforge arranged for Kaspersky's IT security experts to come directly to Karlsruhe. Because obviously there was something weird going on. Nobody informed the State Bureau of Criminal Investigation or the local police. The year was 2011, and many investigators were barely familiar with the term or concept of cybercrime.

The administrators became aware that someone was directly accessing Gameforge’s databases and raising the account balance. They started getting worried. How could this be happening? The technicians used the next maintenance interval to reinstall the servers of the affected game. The players didn’t have a clue about what’s going on. No sooner were the servers back up than the manipulations continued.

We are told that in 2011, an email message found its way into Gameforge’s mailbox in Karlsruhe. A staff member opened the attached file and unbeknownst to him started the hackers’ Winnti program. Shortly afterwards, a few players became virtual rich persons.

It would seem that during the early stages, the hackers were concerned mainly about making money. Gameforge is a case in point: a gaming company based in the German town of Karlsruhe. During its heyday, the company had a staff of 700 working hard at conquering the global gaming market, and boasted annual sales to the tune of 140 million Euros. Gameforge offers so-called “freemium” games. While playing the games is free, those who want more either have to earn virtual money by completing certain tasks, which takes a long time, or shell out real money.

While keeping an eye on Gameforge’s corporate network, the IT security experts did find suspicious files and decided to analyze them. They noticed that the system had in fact been infiltrated by hackers—who were acting like Gameforge’s administrators most of the time. Which allowed them to remain invisible. It turned out that the hackers have taken over a total of 40 servers.

This mode of operation is typical of many hacker groups—and especially of Winnti. “They are a very, very persistent group,” says Costin Raiu, who has been watching Winnti since 2011. Raiu is in charge of Kaspersky’s malware analysis team. “Once the Winnti hackers are inside a network, they take their sweet time to really get a feel for the infrastructure,” he says.

The hackers will map a company’s network and look for strategically favorable locations for placing their malware. They keep tabs on which programs are used in a company and then exchange a file in one of these programs. The modified file looks like the original, but was secretly supplemented by a few extra lines of code. From now on, this manipulated file does the attackers’ bidding.

Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers. “Nine years ago, things were much more clear-cut. There was a single team, which developed and used Winnti. It now looks like there is at least a second group that also uses Winnti.” This view is shared by many IT security companies. And it is this second group which is getting the German security authorities so worried. One government official puts it very matter-of-factly: “Winnti is very specific to Germany. It is the attacker group that's being encountered most frequently."

Phase 2: Industrial espionage

By 2014, the Winnti malware code was no longer limited to game manufacturers. The second group’s job is mainly industrial espionage. Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies. We find evidence going as far as mid-2019. Cases of espionage which were probably still ongoing when we discovered them. Winnti is attacking companies in Japan, France, the U.S. and Germany. Or more precisely: in Düsseldorf.

Most people probably know the DAX company Henkel as a manufacturer of detergents and shampoos. But Henkel offers a huge range of other products, including adhesives for industrial applications. Modern cars are glued instead of welded. In a commercial on Youtube, Henkel shows staff members successfully joining two metal plates with just three grams of adhesive and then using the plates to pull a 280-ton train. Nearly half of Henkel’s annual sales of 20 billion Euros are generated by Henkel’s so-called “adhesive technologies".

The Winnti hackers broke into Henkel’s network in 2014. We have three files showing that this happened. Each of these files contains the same website belonging to Henkel and the name of the hacked server. For example, one starts with the letter sequence DEDUSSV. We realize that server names can be arbitrary, but it is highly probable that DE stands for Germany and DUS for Düsseldorf, where the company headquarters are located. The hackers were able to monitor all activities running on the web server. And they also seemed to be able to reach systems which didn't have direct internet access: Internal storage files and possibly even the intranet.

The corporation confirms the Winnti incident and issues the following statement: “The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that a “very small portion” of its worldwide IT systems had been affected— the systems in Germany. According to Henkel, there was no evidence suggesting that any sensitive data had been diverted.

How we worked BR and NDR reporters, in collaboration with several IT security experts, have analyzed the Winnti malware. It was notably Moritz Contag of Ruhr University Bochum who managed to extract information from different varieties of the malware. Contag wrote a script for this analysis. You can find it here. Silas Cutler, an IT security expert with US-based Chronicle Security, has confirmed Contag’s analyses. A collaboration between and

Far from attacking Henkel and the other companies arbitrarily, Winnti takes a highly strategic approach. Which is perfectly evident from the other cases. Take Covestro, for example, also a manufacturer of adhesives, lacquers and paints. This chemical corporation, a Bayer spin-off, is now listed on the DAX. Covestro is regarded as Germany’s most successful spin-off in the recent past. Up until June 2019, they had at least two systems on which the Winnti malware had been installed. Although there is no concrete evidence of data loss, Covestro considers “this evidence of infection to be a serious attack on our company.” Another manufacturer of adhesives, Bostik of France, was infected with Winnti in early 2019.

The hackers behind Winnti have also set their sights on Japan’s biggest chemical company, Shin-Etsu Chemical. We have in our hands several varieties of the 2015 malware which was most likely used for the attack. In the case of another Japanese company, Sumitomo Electric, Winnti apparently penetrated their networks during the summer of 2016. And consider Roche, one of the largest pharmaceutical companies in the world: the sheer number of files, 25 in total, gives you an idea of the degree of network penetration by the hackers. Winnti hackers also penetrated the BASF and Siemens networks. Both corporations have confirmed our research data.

A BASF spokeswoman tells us in an email that in July 2015, hackers had successfully overcome “the first levels” of defense. “When our experts discovered that the attacker was attempting to get around the next level of defense, the attacker was removed promptly and in a coordinated manner from BASF’s network.” She added that no business relevant information had been lost at any time. According to Siemens, they were penetrated by the hackers in June 2016. “We quickly discovered and thwarted the attack,” Siemens told us in a written reply. Siemens claims that even after detailed analyses, no evidence suggesting data loss from the attack has been found to date.

Targeted companies Gaming : Gameforge, Valve

: Gameforge, Valve Software : Teamviewer

: Teamviewer Technology : Siemens, Sumitomo, Thyssenkrupp

: Siemens, Sumitomo, Thyssenkrupp Pharma : Bayer, Roche

: Bayer, Roche Chemical: BASF, Covestro, Shin-Etsu

Bostik, Sumitomo and Shin-Etsu didn’t respond to our requests for comments at all. Roche chose to keep their response neutral. A spokesperson replied that “information security and data protection are taken very seriously.” Nearly all major corporations now emphasize that there is no such thing as one hundred percent protection. Hacking attacks on large companies have become almost commonplace. And yet: No company really likes to talk about having hackers in its own networks. In many cases, customers are not informed. They are justifiably scared of damage to their reputation.

Teamviewer is a case in point. A company based in the southwest of Germany, a bona fide Silicon Valley contender, and a true showpiece enterprise. It was quickly traded at a nine-digit valuation, the highest accolade for a newly incorporated enterprise. Then came the Winnti hackers. “Spiegel” magazine was the first to report about it.

The corporation offers a remote maintenance software solution which, according to Teamviewer, is installed on two billion devices. To imagine the mayhem a hacker might cause by infiltrating the end users’ devices via the Teamviewer application—it boggles the mind. But things didn’t get that far for Teamviewer, the company assures us. They add that they replaced their entire IT infrastructure and spent millions on removing the hackers from their networks in 2016.

The second way to find Winnti

For the IT departments, the infected computers are extremely difficult to detect. That is because a new variety of this malware remains perfectly passive as long as it is left alone. How can you find something that’s playing dead? Since 2018 there’s a public tool available designed to systematically trawl the Internet for these infected systems. This network scan works by luring the software out of its hiding spot.