Czech software firm Avast says CCleaner was attacked — again

This time the intrusion “was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose,” the company's CISO says.

An unidentified attacker used stolen credentials to gain high-level privileges on the network of Czech software security vendor Avast, the company said Monday. The target of the persistent attack was likely Avast’s software-cleaning tool, CCleaner — the same product that was infiltrated in an infamous 2017 supply-chain breach that affected over 2 million computers.

Worried that the attackers would manipulate CCleaner again, Avast said it halted an upcoming release of the product, revoked its previous security certificate, and put out a security update to users. Those measures, Avast CISO Jaya Baloo assured customers, were enough to ensure that CCleaner users were unaffected by the attack. Avast, which boasts 400 million users of its products around the world, said it will study its network logs to learn more about the intrusion.

“[I]t is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose,” Baloo wrote in a blog post.

“We do not know if this was the same actor as before and it is likely we will never know for sure,” she wrote.


The 2017 breach of CCleaner is often cited by security experts to illustrate the threat of wide-ranging supply-chain hacks. In the 2017 hack, the attackers signed their malware with a legitimate Avast certificate, a technique that is the hallmark of a clever supply-chain breach. The goal of the operation, which analysts believe was the work of a Chinese state-sponsored group, was reportedly to steal intellectual property from CCleaner customers.

The more recent attack on CCleaner was also persistent. The hacker or hackers had been trying to get into Avast’s network since May, but the company did not notice something was amiss until Sept. 23. It launched an investigation with Czech intelligence officials and police that included quietly monitoring the attacker’s activity rather than immediately evicting it from the network.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
