The recent CCleaner malware outbreak where hackers used a popular PC clean-up tool to spread malware was perhaps a more targeted and sophisticated attack than it initially seemed.
In an update on its investigation into the malware, Avast noted that the attack was an APT (advanced persistent threat) campaign that specifically targeted large technology and telecommunications companies. While Avast stopped short of revealing the names of the companies for “privacy reasons”, Cisco's Talos security division named at least 20 tech titans as specific targets, including Google, Samsung, Microsoft, Sony, HTC, Linksys, D-Link, and Cisco itself.
Based on their investigation, the Talos researchers said that at the time the server was seized, the attackers were targeting a string of internal domains with a second-stage payload designed to collect data and provide persistent access to any infected device. “A fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks,” the researchers noted.
This means that the malware wasn't deployed simply to install keyloggers or ransomware on random people's computers; it was created for industrial espionage, a way to steal valuable secrets from some of the world's biggest tech giants. The researchers even found some code associated with the known hacking group Group 72, also called Axiom, which is believed to be a Chinese government operation. However, this could also be a “false flag” intended to mislead investigators about the true origin of the attack.
The CCleaner backdoor affected almost 2.3 million users, but it’s unclear how many of them received the second payload. Talos said it discovered only 20 machines that received the specialized secondary payload.
While Avast is advising individual users to upgrade to its latest version and to use an anti-virus product, Cisco recommends restoring affected PCs from a backup made before the compromised CCleaner build was installed.