When Avast announced that 2.27 million people had downloaded a malware-riddled copy of its performance optimization software CCleaner, it was initially believed that a second payload—that can control a system—was never delivered to victims. It’s now clear that wasn’t the case, and it appears the attackers may have been targeting tech firms for the purposes of industrial espionage.
Security researchers at Cisco’s Talos released a new report today that intensifies the alarm bells and provides more details on those who were affected. At first, researchers thought a second payload, one that would give hackers a more permanent presence on the infected machines, was never delivered, and that the attackers were likely biding their time. But according to Cisco, at least 20 machines at eight companies worldwide were served the second, more dangerous payload. In a blog post this morning, Avast warned that the actual number of infected victims is more likely in the hundreds.
While reviewing an archive of files from the Command and Control server, Cisco says it discovered a list of domains that the hackers were specifically targeting. The companies on the list include Singtel, Intel, Google, Epson, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Microsoft, and Cisco. Reached by Gizmodo, Avast declined to publicly confirm the list of affected companies “for privacy reasons,” but says it has “been reaching out individually to those companies who we know have been impacted, and providing them with additional technical information to assist them.”
It’s believed that the attackers were attempting to use the popular software (130 million users) to spread their malware as widely as possible, and then, according to Cisco, they systematically narrowed down the targets to companies with valuable data and information to be stolen. Talos research manager Craig Williams tells Wired that in about half the cases, the hackers were able to use their backdoor to compromise at least one machine on the company’s network. The archive that Cisco obtained only covered four days in September, so there’s no way to say for sure that these companies were the only targets. In all, Cisco claims the infected version of CCleaner was installed on 700,000 computers.
Cisco now believes that this was the work a sophisticated actor. The researchers are urging anyone who downloaded the 5.33.6162 version of CCleaner or the 1.07.3191 version of CCleaner Cloud—available from August 15th to September 13th—to restore their systems from backups or reimage systems. Simply updating or deleting the software is not enough. The latest version, CCleaner 5.34, is said to be safe.
We don’t have a whole lot of information on who is responsible for this or what their motives are. Cisco says it noticed shared code in the malware that has been used in tools employed by hackers known as Group 72 or Axium. The tools were employed in what’s known as Operation SMN in 2014. Security firm Novetta believes that the group is connected to Chinese intelligence services.