September 22, 2017
Security companies Morphisec and Cisco reported the extent of the damage caused by a malware attack on security software CCleaner. Experts say that the software, distributed by Czech company Avast, was targeted not simply to disrupt as many computers as possible, but to conduct espionage. Hackers penetrated the software and added a backdoor, ultimately installing malware on more than 700,000 computers. But hackers also sought to find computers among those infected that resided in networks of 20 leading tech firms.
Wired reports that Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco were targeted. Cisco researchers in the company’s Talos security division analyzed the hackers’ “command-and-control” server, finding evidence of the attempt to compromise the networks of those tech companies.
“In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they’d compromised within the company’s network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold … likely intended for industrial espionage.”
An unnamed source in the investigation provided Cisco with a digital copy of the command-and-control server, which included “a database of every backdoored computer that had ‘phoned home’ to the hackers’ machine between September 12 and 16.” Some of the targeted tech companies had no computers compromised, whereas others had more than one.
The new information changes the investigation from a “run-of-the-mill mass cybercrime scheme” into a “potentially state-sponsored spying operation.” Both Cisco and security firm Kaspersky noted that the malware “shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.”
Further, “one configuration file on the attackers’ server was set for China’s time zone.” That’s not enough information, however, to create a definitive link “between the CCleaner attack and Axiom, not to mention China,” said Cisco.
Cisco warns that “merely deleting that application is no guarantee the CCleaner backdoor wasn’t used to plant a secondary piece of malware on their network, one with its own, still-active command-and-control server.” Researchers recommend that anyone infected with the malware “fully restore their machines from backup versions prior to the installation of Avast’s tainted security program.”