CCleaner attack was focused on stealing data from top-level tech firms

Researchers believe the hacking group may be a Chinese advanced persistent threat, although the evidence so far is inconclusive and researchers are still collecting evidence.

A highly advanced hacking group infected more than 2 million computers with a backdoor implant in order to reach only a select few companies and steal their trade secrets and intellectual property, according to analysis provided to CyberScoop and new findings published by cybersecurity firms Cisco and the affected vendor, Avast.

Researchers believe the hacking group may be an advanced persistent threat (APT) tied to China, although the early evidence is inconclusive. An investigation is ongoing between Avast, its subsidiary Piriform and the FBI. If the operation was in fact backed by Beijing, it would likely violate a 2015 agreement made between the U.S. and China that halted economic espionage between the two countries. Accurate attribution at this stage of the probe remains difficult, experts say.

“The attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the U.S.,” Avast chief technology officer Ondřej Vlček wrote in a blog post about the incident. “Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were.”

Earlier this week, Cisco and Avast separately released blog posts showing that a complex supply chain cyberattack had occurred against Piriform, the maker of a popular file cleaning tool known as CCleaner, which has been reportedly downloaded more than one billion times since it was launched in 2003. Avast acquired Piriform in July.


An Avast spokesperson previously told CyberScoop that Piriform’s “build environment” was penetrated, with hackers able to compromise the update mechanism behind CCleaner. Between August 15 and September 12, anyone who updated their CCleaner program would have also downloaded a hidden piece of malware. Avast remediated the incident by offering a new and clean update, with a different software certificate, for download to users this week.

The first stage of this operation dispensed a backdoor implant that opened up systems for further malicious programs. But most of the infected computers appear to have been ignored for the second round of malware, Vlček told CyberScoop.

“Right now, we’re only talking about the first few payloads … We don’t know what the third or fourth or maybe fifth payload did or who may have received what,” said Vlček. “There could be hundreds of stages of payloads. Sometimes that happens.”

While Avast has said that 2.27 million computers were impacted by the booby-trapped software update, far fewer were served a second-stage payload that scanned for system information. The second-stage payload does not yet explain what the attackers were attempting to steal. It’s also not clear whether, or how many, additional payloads were installed after the second-stage installation, as Vlček noted.

The latest findings are significant because they show the complexity and breadth of the hackers’ recently uncovered operation and, according to researchers, perhaps their underlying intent.


Researchers with Cisco’s Talos team found that the hackers leveraged their access to Piriform to specifically target a group of prominent, multinational technology firms, including Samsung, Sony and Cisco. Cisco’s analysis further supports Avast’s latest statement. In practice, if computers belonging to one of these companies had been running a recent version of CCleaner, then they could have been breached.

“The server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds,” Vlček noted.

The number of affected machines known to investigators is likely subject to change. Avast declined to name which infected machines belong to what companies.

Craig Williams, a senior manager with Cisco Talos, told CyberScoop that it’s virtually impossible to know how many computers were ultimately infected with additional payloads, because the hackers had wiped significant evidence of their activity prior to September 12. Although the hackers were exploiting Piriform for nearly a month, the ability of investigators to know exactly what happened is limited.

Due to the nature of this investigation, there are still significant questions that remain unanswered or only partially explained. Avast and other cybersecurity firms plan to publish new findings within the coming 24 hours.
