
Winnti: Hackers attacking the heart of German industry - hakantan
http://br24.de/winnti/english
======
lnsru
As of today we still use shared network drives for everything in a major German
company. We don’t use slack/irc/Skype/zoom/whatever. Phone calls and
conferences(!) from the middle of an open office are normal. Asana/Trello/Jira are
not known at all. GitHub is paid for, but never used. I am a single weirdo in a
multi-department project using the GitHub ticket system. The code with the prefix is
copied for colleagues to the project’s shared folder. PostIt tickets on the table
work well enough for others. Talking about bugs is impossible since nobody
knows what’s fixed and what’s not; the bugs have a date in the best case.
Everything else is done in Excel sheets using in-house written scripts. They
usually end in a mess since some people use German regional settings and others
English ones. That’s the state-of-the-art situation in a very rich and big company
today. I don’t see any possible changes in the future. The old boys' club fights all the
time against proposed improvements. You can forget topics like information
security, phishing, being silent about work topics outside the office. Hackers
are known from American movies only.

On the other hand, I also worked in the opposite, an unhealthily paranoid environment. I
was hired to design an Ethernet camera, but Wireshark usage in their office was
prohibited. Packet analysis was seen as the worst thing in the company. I quit
after a few months of trying to explain that I need to analyze the packets during the
design phase. I think it’s very normal that other countries abuse the illiteracy
of German industry.

~~~
ChuckNorris89
Germany's tech illiteracy is a self-inflicted consequence of its pitiful
salaries in this field, treating IT like a cost center that has to be
outsourced to wherever is cheaper and companies' tradition of rewarding
management incompetence over technical competence.

Consequently, Germany's most brilliant tech minds leave for The Valley, Zurich
or London.

You reap what you sow.

~~~
adrianN
I don't think that's the case. I believe the problem is that large German
companies tend to be hardware companies. They're used to development cycles
that take years and are extremely conservative in adopting new methods. Management
and company culture are not used to dealing with fast-changing development
methods (where fast is anything that changes more often than once a decade).
Rigid processes for compliance with external regulations were over time
adopted for internal rules as well, making any change a bureaucratic
nightmare.

Salary for developers really isn't that much of an issue. In Berlin for
example a developer gets two or three times the median salary easily. That's
enough for attracting people who are talented enough to choose, e.g. git and
JIRA over whatever crusty system of shared folders and zip files or IBM crap
you'd see for projects in many companies.

~~~
kriro
Pretty much agree with this sentiment regarding hardware/culture.

Also the salaries are acceptable (imo) compared to fairly high-paying US jobs
if you compare real working hours (vacation time, real 40h workweeks, etc.).
With a family there are even more benefits. Cost of living also tends to be
fairly low (with a high quality of life) compared to higher-paying places.

~~~
TulliusCicero
High paying American bigcorps _mostly_ have perfectly fine work life balance.

Getting double the vacation time (6 weeks instead of 3) when I moved from the
US to Germany was very nice, but going back I'll have 5 weeks, which isn't too
bad.

~~~
oblio
> Getting double the vacation time (6 weeks instead of 3) when I moved from
> the US to Germany was very nice, but going back I'll have 5 weeks, which
> isn't too bad.

I keep hearing this. Yes, _you_ will get 5 weeks. But what about your wife,
your uncle, your friends? In Germany they're all guaranteed to have the same
number of days off, access to healthcare, etc. When you have kids you have a
bunch of weeks/months off before the child is born and more after.

In the US, as long as you're young, healthy, rich and selfish, life is grand
:D

~~~
tomp
But that's the point of US, no? It's _the best_ country for _the best_ people.
So, the best people go to the US... (well, many at least... I'm still holding
out... for now, I value European way of life but I envy US political & legal
systems, in particular their freedom of speech).

~~~
oblio
You can't have 300 million _best_ people. You can't even have 100 million.

And once someone acquires citizenship, their descendants can't lose it,
provided it's their only citizenship.

------
iagovar
This group of German companies founded their own security group [German Cyber
Security Organization (DCSO)]. That speaks a lot about their trust in their
public services.

The only time I've been involved in a hacking attempt (it was ransomware) the
company I work for contacted the CCN-CERT. I wonder if US companies contact
NSA/Other gov agencies or deal with it themselves with security companies.

Also, while I understand the care and concern they put into securing their
networks, many German companies basically gift their tech to China, like
Deutsche Bahn, or are bought and transferred there, like it happened with
Kuka. So be it by hacking into your network or "partnering", they'll copy your
tech and kick you out of their market sooner or later.

~~~
ChuckNorris89
Probably because when it comes to anything cyber-related, the German
government, like most big companies there, is a dinosaur, greatly inferior to
its British and Swiss counterparts.

~~~
TeMPOraL
Germany at least has the CCC, which it sometimes asks for advice and,
occasionally, listens to.

~~~
tsss
When they aren't trying to put them in jail that is.

------
bobjordan
"Modern-day espionage operations have one big advantage: Instead of
painstakingly planting agents in companies, digital spies are simply sending
prepared emails."

We face this threat in my business - daily phishing attempts or schemes to get
employees to open files. It never stops.

This is a primary reason why, when we started designing our new web app at
bomquote.com a few years ago, we first focused on communication tools which
reduce our use of email both internally and in our dealings with our
customers.

Sure, there will be attempts to hack our app servers, but from my view we can
deal with that easier than preventing our accounting admin from clicking on a
well crafted email.

~~~
mtgx
Using U2F security keys is one way to stop phishing if the app you're supposed
to log into requires it.

[https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/)

~~~
tgsovlerkhgsel
Unfortunately "phishing" nowadays is used to describe any kind of social
engineering, including all variants of tricking the victim into executing
malware on their machine.

U2F won't save you there, it will just make the attack a bit more annoying.

------
ga-vu
Is this a good way of tracking an APT? Just from bytecode? Isn't that easy to
fake? What if they were tracking Russian hackers instead?

~~~
janekm
If I'm understanding the article correctly, the hackers are using an easily
reversed cipher for storing configuration data for their malware, which was
reversed by assuming the presence of the string "C:\Windows\System". In the
following decrypted data the name of the respective company targeted was
found.

Yes I suppose it would be easily faked if the faker had performed a similar
analysis on the malware...
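
The known-plaintext step janekm describes, as an added illustration (this is not code from the BR24 article, from the thread, or from any Winnti sample): the malware's real encoding is not on this page, so the example stands in a repeating-key XOR for it, and the configuration blob, key, target tag and C2 host are all constructed. The analyst assumes the string "C:\Windows\System" occurs somewhere in the plaintext, slides it across the encoded blob, derives the key bytes that assumption implies at each offset, and keeps only keys that are self-consistent and decode the whole blob to printable text.

```python
"""Known-plaintext recovery of a repeating-key XOR encoding.

Added illustration, not code from the article or from any Winnti sample.
A config blob is obfuscated with a weak reversible scheme (assumed here to
be repeating-key XOR); the analyst assumes the crib "C:\\Windows\\System"
appears in the plaintext, recovers the key from that assumption and decodes
the rest of the blob, which in this constructed sample names the target.
"""
from itertools import cycle

CRIB = b"C:\\Windows\\System"

# Constructed sample config: a path, a target tag and a C2 host (placeholders).
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x2E, 0x91])
SAMPLE_CONFIG = (b"C:\\Windows\\System\\svchost.exe;"
                 b"target=CONSTRUCTED-TARGET-GMBH;"
                 b"c2=update.example.invalid:443")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (what a string config looks like)."""
    return all(0x20 <= b < 0x7F for b in data)


def recover_keys(blob: bytes, crib: bytes, max_key_len: int = 0):
    """Slide the crib over the blob. For each key length and offset, derive the
    key bytes the crib implies; keep a key only if it is self-consistent (no
    key position derived twice with different values), fully determined, and
    turns the whole blob into printable text. Returns (key_len, offset, key)."""
    max_key_len = max_key_len or len(crib)
    found = []
    for key_len in range(1, max_key_len + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for i, (c, p) in enumerate(zip(blob[off:off + len(crib)], crib)):
                idx = (off + i) % key_len  # key position this blob byte used
                kb = c ^ p
                if key[idx] is not None and key[idx] != kb:
                    consistent = False
                    break
                key[idx] = kb
            if not consistent or any(k is None for k in key):
                continue
            key_bytes = bytes(key)
            if printable(xor_bytes(blob, key_bytes)):
                found.append((key_len, off, key_bytes))
    return found


def decode_candidates(blob: bytes, crib: bytes = CRIB) -> list:
    """Plaintexts for every surviving key, shortest key lengths first."""
    return [xor_bytes(blob, key) for _, _, key in recover_keys(blob, crib)]


if __name__ == "__main__":
    blob = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)
    for key_len, off, key in recover_keys(blob, CRIB):
        print(f"key_len={key_len} offset={off} key={key.hex()}")
        print("  ->", xor_bytes(blob, key).decode("ascii", "replace"))
```

The self-consistency check is what makes a short crib usable against a longer key: each crib byte pins one key position, and a wrong offset almost always pins the same position to two different values. The printable-text filter then discards the few offsets that survive by chance, which is the same heuristic an analyst applies by eye when the decoded data suddenly reads as paths, hostnames and company names.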

------
solarkraft
Good article. I am not so bothered by the effects, I think they complement the
article well. I sure like that what may seem like decoration to some readers
is actually real - I find it very interesting to find out that they find the
malware using nmap.

Now where do I get that script? More detail would of course always be nice.

~~~
yorwba
Git repo was linked by OP in this [dead] subthread:
[https://news.ycombinator.com/item?id=20514267](https://news.ycombinator.com/item?id=20514267)

The nmap script was written by ThyssenKrupp's security division and can be
found here: [https://github.com/TKCERT/winnti-nmap-script/blob/master/winnti-detect.nse](https://github.com/TKCERT/winnti-nmap-script/blob/master/winnti-detect.nse)

------
jamesmadison66
pretty decent tech write-up from the German NPR

~~~
logari
Finally, somebody said it. The English is also very good, nay, excellent.

------
rolltiide
> Winnti is a highly complex structure that is difficult to penetrate. The
> term denotes both a sophisticated malware and an actual group of hackers.

Hacking groups are corporations and spread risk away from indictable
individuals just as efficiently, with a separation of liability, actions
and knowledge.

This needs to be understood.

