The CCleaner hack that came to light earlier this week may have been the work of a prolific Chinese cyberespionage group, which targeted around 20 major international tech firms as part of the attack.
Earlier this week, it was discovered that CCleaner had been hijacked to spread backdoor malware to over 2 million unsuspecting users. However, further analysis of the incident has revealed that the attack could have been carried out by a Chinese hacker group called Axiom, also known as APT17, DeputyDog, Group 72, Tailgater Team, Hidden Lynx or AuroraPanda.
Security experts found similarities between the CCleaner malware code and tools used by Axiom hackers. Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, was the first to spot the similarities. The code overlap was backed up by researchers at Cisco Talos, who said this was "important information" but refrained from confirming attribution.
Researchers at Cisco Talos also said that the hackers behind the attack infected 20 major international tech firms. The attackers' targets include Cisco itself, as well as Google (Gmail), Microsoft, Intel, Samsung, Sony, HTC, Singtel, Gauselmann, VMware, Vodafone, O2, Linksys, Epson, MSI, D-Link, Akamai and Oracle (Dyn). Cisco Talos researchers said that they have notified the affected companies about a possible breach.
"A fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks," Cisco Talos researchers said in a report.
Researchers found this evidence after analysing the database on the attackers' C&C (command and control) server. The database contained two lists: one of the 700,000 systems infected by the backdoor malware, and another that tracked every computer infected with a second-stage malware. Until then, researchers had not known that any of the victims had received a second-stage payload. However, the C&C server database revealed that 20 systems were infected by the second-stage malware.
"It is important to understand that the target list can be and was changed over the period the server was active to target different organizations," the researchers said.
Researchers were also able to determine that around 540 government computers around the world and 51 systems belonging to international banks were among those compromised by the attack. "This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severity and potential impact of this attack," Cisco researchers said.
Although the link between the CCleaner hack and Axiom may not yet be definitive, the hacker group is known to have targeted technology firms in the past as well.
Researchers at Intezer, who also analysed the CCleaner malware code, said that the code overlap they noted indicates a clear connection to Axiom. "The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case about attribution to the same threat actor," Intezer senior security researcher Jay Rosenberg wrote in a report.
"This code connection is huge news. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted and they specialize in supply chain attacks. In this case, they probably were able to hack CCleaner's build server in order to plant this malware. Operation Aurora started in 2009 and to see the same threat actor still active in 2017 could possibly mean there are many other supply chain attacks by the same group that we are not aware of," Rosenberg added.