The project demonstrates how hackers have been spying for years on enterprises all over the world. In a campaign very likely executed on behalf of the Chinese Government, the hackers focused on chemical and technology companies in Germany and elsewhere (Siemens, BASF, Roche, Bayer) as well as on airlines, hotels and telecommunications companies. Their apparent goal was industrial espionage and, presumably, spying on politically interesting persons. By scanning networks and analyzing malware, the reporters followed the hackers’ traces and identified their targets. The sheer number of targets and the shift to political targets had been unknown to the public thus far.
Several German DAX companies as well as businesses from around the world and even the Government of Hong Kong admitted that their networks had been infected by the Winnti malware. The fact that the breaches date back some time is proof that they would have never talked about it without this investigation and the public would have never known about the magnitude and depth of this espionage operation. In the aftermath of the reporting, the German domestic security agency BfV for the first time ever published a detailed technical warning about Winnti.
The investigation was published in various channels of German public broadcaster ARD (of which BR and NDR are part), among them a long-form piece of radio reporting, a piece on the German national TV news program Tagesschau, a news article on the national outlet tagesschau.de and an interactive web project in German and English, explaining in detail how the hackers work.
Many media outlets in Germany and the world picked up on the reporting. In Germany, among others, Süddeutsche Zeitung, Handelsblatt and Der Spiegel referred to the results of the investigation. Also, international news agency Reuters published a report which led to many articles in news media as well as specialized IT security publications all over the world. The US magazine Vice Motherboard mentioned the investigation as one of the “Cybersecurity stories we were jealous of in 2019”.
The threat is ongoing. As recent reporting by the same set of journalists shows, companies became aware of Winnti and started scanning their own networks. As a result, they now find out that a breach has happened. One of the companies that detected Winnti in their network is Lanxess, also a highly specialized company within the chemical sector.
The investigation’s technical part played a key role in identifying Winnti’s targets. Mainly, two methods were used: identifying targets by scanning servers for Winnti infections and analyzing samples of the Winnti malware itself.
The first method is based on an nmap scan script published on GitHub by the security department of German industry giant ThyssenKrupp, which had been attacked by Winnti in the past. The script takes advantage of the fact that the Winnti malware initially behaves passively once it has infected a computer, waiting for remote control commands. The reporters used the script to send false Winnti control messages to a list of different company networks. The software per se is harmless, but it is capable of simulating control commands designed to lure Winnti out of hiding. Wherever Winnti is installed, the malware responds to the request, and a response makes one thing clear: that company has been hacked.
The second method comprised in-depth analysis of the Winnti malware itself: the reporters gained access to samples of the malware uploaded anonymously to the popular online service VirusTotal, which security departments of companies use to check file samples for malware. The reporters were provided with a clue for finding those samples: in some instances, Winnti operators had written the names of their targets directly into the malware, obfuscated with a relatively simple mechanism called a rolling XOR cipher. In a first step, the reporters verified this information using a simple Python script. They then used Yara rules to hunt for Winnti samples. Moritz Contag, a security researcher at Ruhr Uni Bochum, provided crucial support for this part of the investigation. Complemented by traditional reporting methods (the reporters talked to more than 30 sources for this story), the investigation paints a comprehensive picture of the Winnti threat.
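To illustrate the verification step described above, here is an added example (not the reporters' script and not code from Winnti): it checks whether a suspected target name is embedded in a sample blob under a rolling XOR cipher. The page names only "a rolling XOR cipher", so the key schedule is an assumption: the key starts at a seed and advances by a fixed step (mod 256) after every byte; the blob and the target name are constructed placeholders.

```python
# Added example, not code from the BR/NDR investigation or from Winnti itself.
# Assumed obfuscation (the page names only "a rolling XOR cipher"): every byte
# is XORed with a key that starts at `seed` and advances by `step` (mod 256).
from typing import Optional


def rolling_xor(data: bytes, seed: int, step: int) -> bytes:
    """XOR each byte with a key that rolls forward by `step` after every byte.
    XOR is its own inverse, so the same call obfuscates and decodes."""
    out, key = bytearray(), seed & 0xFF
    for b in data:
        out.append(b ^ key)
        key = (key + step) & 0xFF
    return bytes(out)


def verify_target(blob: bytes, hint: str) -> Optional[tuple]:
    """Known-plaintext check: does `hint` (a suspected target name) occur in
    `blob` under some (seed, step)? At each offset the first two bytes fix the
    key pair; the remaining hint bytes confirm it. On a match, keep decoding
    past the hint while bytes stay printable ASCII, so a partial clue yields
    the full embedded string. Returns (offset, seed, step, text) or None."""
    h = hint.encode()
    if len(h) < 2:
        raise ValueError("hint must be at least two characters")
    for off in range(len(blob) - len(h) + 1):
        seed = blob[off] ^ h[0]
        step = ((blob[off + 1] ^ h[1]) - seed) & 0xFF
        if rolling_xor(blob[off:off + len(h)], seed, step) != h:
            continue
        # Extend the match forward until a non-printable byte (e.g. a NUL).
        end = off + len(h)
        key = (seed + step * len(h)) & 0xFF
        while end < len(blob) and 0x20 <= (blob[end] ^ key) < 0x7F:
            end += 1
            key = (key + step) & 0xFF
        return off, seed, step, rolling_xor(blob[off:end], seed, step).decode()
    return None


# Constructed sample: a fake config region with one obfuscated hostname in it.
SAMPLE_NAME = b"vpn.example-chem.internal"  # placeholder, not a real target
SAMPLE_BLOB = (b"\x00" * 7 + rolling_xor(SAMPLE_NAME, 0x5A, 0x07)
               + b"\x00" * 5 + bytes(range(0xF0, 0xFF)))

if __name__ == "__main__":
    print(verify_target(SAMPLE_BLOB, "vpn.example"))
```

A real sample would be scanned the same way with each candidate name from the reporters' clue; a hit gives the offset and key pair that a Yara rule can then encode to hunt for further samples.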
What was the hardest part of this project?
The publication is proof of a new and innovative way for journalists to find, gather and verify information on cybersecurity. Hence the submission as an innovative data journalism project for the Sigma Awards. The team of journalists developed new ways of technical reporting: they wrote computer programs that searched for patterns in malicious software, helped by a researcher at Ruhr Uni Bochum. They also found further Winnti targets by taking advantage of a toolset published by IT security experts for checking whether their own networks are infected by the malware. For the first time ever, the reporters demonstrated to the German public in such close detail how IT forensic analysis works and how to investigate hackers.
Combining these technical methods with traditional reporting, the reporters managed to get the story done. The hardest part of the project was probably finding the Winnti samples and developing sources who would help with that.
What can others learn from this project?
The project shows that there are ways to report about highly technical topics like cybersecurity without having to rely solely on the judgments of experts. By combining traditional research techniques with coding skills and technical investigative methods, journalists nowadays are able to corroborate the information themselves. It’s proof that data journalism today can be more than merely crunching statistics and building fancy graphics. In investigative newsrooms, data journalism has evolved into a reporting method for finding information and providing scoops that would not have been possible without code-savvy journalists.