Rather than remove the malware, the company elected to keep a covert eye on the software to try and work out its purpose, as well as who was responsible for implanting the malicious code. The malware was removed at the end of March, concluding Bayer's espionage activities on its own networks. The drug maker did say, however, that the software is the work of a hacking group known as Winnti. According to Kaspersky Labs (.PDF), back in 2013, Winnti's objective was to steal the "source code of online game projects as well as digital certificates of legitimate software vendors." The stolen certificates were later found to be in use in order to sign malware used by other cyberthreat groups to target political activists spanning across South Korea and Tibet, as well as the ethnic minority Uyghur group located in China. 401TRG believes the group is related to Chinese espionage efforts and attacks have systematically taken place against valuable targets between 2009 and 2018.